Allow configuring proactively refreshed cert domains

This allows you to specify domains which will always have their
certificates refreshed & ready, even if they aren't getting a lot of
traffic (refreshes are normally only triggered async, so if a domain
isn't used at all for 90 days it's possible the cert will expire and
won't be available on the first subsequent request).

Author: pimterry

src/server.ts

@@ -14,10 +14,10 @@ declare module 'stream' {
     }
 }
 
-
 interface ServerOptions {
     domain?: string;
     acmeProvider?: AcmeProvider;
+    proactiveCertDomains?: string[];
     certCacheDir?: string;
     eabConfig?: ExternalAccessBindingConfig;
 }
@@ -64,6 +64,7 @@ async function generateTlsConfig(options: ServerOptions) {
 
     return {
         rootDomain,
+        proactiveCertDomains: options.proactiveCertDomains,
         key: defaultCert.key,
         cert: defaultCert.cert,
         ca: caCert.cert,
@@ -130,6 +131,7 @@ if (wasRunDirectly) {
 
     createTcpHandler({
         domain: process.env.ROOT_DOMAIN,
+        proactiveCertDomains: process.env.PROACTIVE_CERT_DOMAINS,
         acmeProvider: process.env.ACME_PROVIDER as AcmeProvider | undefined,
         eabConfig: process.env.ACME_EAB_KID && process.env.ACME_EAB_HMAC
             ? { kid: process.env.ACME_EAB_KID, hmacKey: process.env.ACME_EAB_HMAC }

src/tls-handler.ts

@@ -2,16 +2,20 @@ import * as tls from 'tls';
 
 import { ConnectionProcessor } from './process-connection.js';
 
+type CertGenerator = (domain: string) => {
+    key: string,
+    cert: string,
+    ca?: string
+};
+
 interface TlsHandlerConfig {
     rootDomain: string;
+    proactiveCertDomains?: string[];
+
     key: string;
     cert: string;
     ca: string;
-    generateCertificate: (domain: string) => {
-        key: string,
-        cert: string,
-        ca?: string
-    };
+    generateCertificate: CertGenerator;
 }
 
 const DEFAULT_ALPN_PROTOCOLS = ['http/1.1', 'h2'];
@@ -27,6 +31,20 @@ const getSNIPrefixParts = (servername: string, rootDomain: string) => {
     return serverNamePrefix.split('.');
 };
 
+const PROACTIVE_DOMAIN_REFRESH_INTERVAL = 1000 * 60 * 60 * 24; // Daily cert check for proactive domains
+
+function proactivelyRefreshDomains(domains: string[], certGenerator: CertGenerator) {
+    domains.forEach(domain => {
+        console.log(`Proactively checking cert at startup for ${domain}`);
+        certGenerator(domain);
+
+        setInterval(() => {
+            console.log(`Proactively checking cert for ${domain}`);
+            certGenerator(domain);
+        }, PROACTIVE_DOMAIN_REFRESH_INTERVAL);
+    });
+}
+
 export async function createTlsHandler(
     tlsConfig: TlsHandlerConfig,
     connProcessor: ConnectionProcessor
@@ -74,6 +92,8 @@ export async function createTlsHandler(
         }
     });
 
+    proactivelyRefreshDomains(tlsConfig.proactiveCertDomains ?? [], tlsConfig.generateCertificate);
+
     server.on('secureConnection', (socket) => {
         connProcessor.processConnection(socket);
     });