From 4330f4eb88648b56a90e067f0f9c111b3f338bec Mon Sep 17 00:00:00 2001
From: "Antonios Chariton (daknob)"
Date: Wed, 30 Nov 2022 00:04:31 +0100
Subject: [PATCH] Add support for custom validity certs
This commit allows autocert to request certificates with a specific notAfter value from the ACME CA. The CA may choose to honor this request or not. The acme package already supports this functionality.
---
 acme/autocert/autocert.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index 6b4cdf406d..5676b25db1 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -137,6 +137,13 @@ type Manager struct {
 // If zero, they're renewed 30 days before expiration.
 RenewBefore time.Duration
+ // RequestedCertificateValidity optionally specifies the validity of the requested
+ // certificates from the CA. This may not be honored by all CAs. Ensure that this
+ // and RenewBefore make sense in both cases (honored and not honored).
+ //
+ // The CA default value is used if this is not set.
+ RequestedCertificateValidity time.Duration
 // Client is used to perform low-level operations, such as account registration
 // and requesting new certificates.
 //
@@ -697,7 +704,14 @@ func (m *Manager) verifyRFC(ctx context.Context, client *acme.Client, domain str
 nextTyp := 0 // challengeTypes index
 AuthorizeOrderLoop:
 for {
- o, err := client.AuthorizeOrder(ctx, acme.DomainIDs(domain))
+ // Send the notAfter option to the CA
+ var orderOpts []acme.OrderOption
+ if m.RequestedCertificateValidity != 0 {
+ orderOpts = append(orderOpts, acme.WithOrderNotAfter(
+ time.Now().UTC().Add(m.RequestedCertificateValidity)))
+ }
+ o, err := client.AuthorizeOrder(ctx, acme.DomainIDs(domain), orderOpts...)
 if err != nil {
 return nil, err
 }
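Review bot: The new field comment leaves the RenewBefore constraint vague ("make sense in both cases") where the relationship is specific: if the CA honors a validity that is not longer than RenewBefore (30 days when RenewBefore is zero, per the context line just above), a freshly issued certificate is already inside its renewal window, and — assuming renewal is scheduled from notAfter minus RenewBefore as the surrounding Manager code suggests — the Manager would re-order immediately and repeatedly, which is how CA rate limits get tripped. I would replace the last two sentences of the comment with: `// RequestedCertificateValidity must be longer than RenewBefore (30 days when RenewBefore is zero); a honored validity that is shorter puts each new certificate immediately inside its renewal window and causes back-to-back orders. If the CA ignores the request, its default validity applies.` The Manager struct starts and ends outside the hunk.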
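Review bot: The guard `if m.RequestedCertificateValidity != 0` lets a negative duration through, so a misconfigured Manager sends a notAfter that is already in the past and every order attempt in AuthorizeOrderLoop fails at the CA instead of at configuration time. Tightening it to `if m.RequestedCertificateValidity > 0 {` avoids that; better still, reject a negative value with an error before the loop is entered, since silently dropping the option would also be surprising. The comment `// Send the notAfter option to the CA` restates the code; a why-comment such as `// notAfter is relative to now, so recompute it on every order attempt` would explain why the option is rebuilt inside the loop. verifyRFC starts and ends outside the hunk.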