Is allow_domain used/needed for renewal?

[brianlund]

As I understand it, a renewal is basically a new certificate request with the same subject.
We have domains that leave us over time, so I am wondering if renewal uses the allow_domain function to ensure it only tries to renew domains that are still valid and won't result in a failed attempt counting towards the let's encrypt limits or if it's not needed.

Edit: from reading the renewal code, I see it's not called before a renewal. There must be others that have domains that are no longer valid for certificate issuance at renewal time, how do you handle this?

[oronoa]

As far as I can see, Just delete the domain keys from Redis, it will not renew.

[gohai]

We'd be interested in having lua-resty-auto-ssl call allow_domain at renewal time, and deleting the domain keys from Redis if it returns false. I might try to prototype this myself if nobody beats me to it.

[luto]

@gohai that sounds like a nice addition! :)

[brianlund]

@gohai I found this fork: https://github.com/ryokdy/lua-resty-auto-ssl which deletes expired certificates fromm storage. I forked it myself to https://github.com/simplesite/lua-resty-auto-ssl and changed it to use the normal allow_domain function instead of a custom http check that ryokdy uses.

[gohai]

@brianlund Thank you!
@GUI Any chance a similar change could be incorporated into your tree?

[gohai]

I submitted a PR that does something to the same effect, yet without invoking allow_domain: #125

The reason the plain allow_domain does not well for us is that we wouldn't be getting the extra information out of storage that the function is normally able to use (such as the port the request was received).