acmesmith 2.6.0 → 2.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 914be0de4c237bcd0db59a908f8ce70c3f7b364bb2ab0ac25b6e26ff95ecd7bc
-  data.tar.gz: 14b96550d4ef0274d1546e78b5121c6b9356e9c71e479a4ed17b4d9ff8fc669e
+  metadata.gz: '00710093e0dc9f9ec6ba1d54bf67585d45efa053e8a6bd7250c638abfce17908'
+  data.tar.gz: ecff83969fbf75e8566f1f75638b35937615af3d9fe05a759663d1a82b5d11af
 SHA512:
-  metadata.gz: ce305e972fcb06a4bc97b2ceea2177cd759601c55064dd5e22ea15b0981ea838e7c11d8e5401d08c41ec1f249cfa0d7a6489f67b2c3e52cc8d67bd1871d77e69
-  data.tar.gz: dfabb130f347dc7829cbaad1b5de6aca553dfedc7172d53d163736baee2b07b00124ef7f5f31d9270df660f4b9381b05ed6ca6cfa2e9a96163f25d6fa2d83286
+  metadata.gz: 6df65f1bef30badd2f6691bebeeadf2548d878404a31b166a8fb607aae1027c02345162db7068bb3eb276718aae819dd31ec0188a6075d6fd69d28252d4c79d6
+  data.tar.gz: c2689ab6ffcd876a5af2c7c4b25c1b4b2553c20c07472b8698d1b43787ad2ed5bac72354381aa76b4da6fb64fd5a2f60b2ee09006f58caa1b16083e12067e391

data/.github/workflows/build.yml

@@ -18,20 +18,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['3.0', '3.1', '3.2']
-    container:
-      image: public.ecr.aws/sorah/ruby:${{ matrix.ruby-version }}-dev
+        ruby-version: ['3.2', '3.3', '3.4']
     steps:
-
-      - name: Cache bundled gems
-        uses: actions/cache@v1
-        id: rspec-bundle
-        with:
-          path: ~/bundle
-          key: ${{ runner.os }}-${{ matrix.ruby-version }}
-
       - uses: actions/checkout@master
-      - run: 'bundle install --path ~/bundle'
+      - uses: sorah-rbpkg/actions@v2
+        with:
+          ruby-version: "${{ matrix.ruby-version }}"
+          bundler-cache: true
       - run: 'bundle exec rspec -fd'
 
   integration-pebble:
@@ -40,7 +33,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['3.0', '3.1', '3.2']
+        ruby-version: ['3.2', '3.3', '3.4']
 
         # FIXME: once GitHub Actions gains support of adding command line arguments to container
       #    services:
@@ -63,16 +56,14 @@ jobs:
     steps:
       - uses: actions/checkout@master
 
-      - name: Cache bundled gems
-        uses: actions/cache@v1
-        id: instegration-pebble-bundle
+      - uses: sorah-rbpkg/actions@v2
         with:
-          path: ~/bundle
-          key: ${{ runner.os }}-${{ matrix.ruby-version }}
+          ruby-version: "${{ matrix.ruby-version }}"
+          bundler-cache: true
 
       - run: 'docker run -d --net=host --rm letsencrypt/pebble pebble -config /test/config/pebble-config.json -strict -dnsserver 127.0.0.1:8053'
       - run: 'docker run -d --net=host --rm letsencrypt/pebble-challtestsrv pebble-challtestsrv -management :8055 -defaultIPv4 127.0.0.1'
-      - run: 'docker run --net=host -e CI --rm -v $(pwd):/work -v $(realpath ~/bundle):/bundle public.ecr.aws/sorah/ruby:${{ matrix.ruby-version  }}-dev sh -c "cd /work && bundle install --path /bundle && bundle exec rspec -fd -t integration_pebble"'
+      - run: 'bundle exec rspec -fd -t integration_pebble'
 
   docker-build:
     name: docker-build

data/CHANGELOG.md

@@ -1,3 +1,21 @@
+## v2.7.0 (2025-04-28)
+
+### Enhancements
+
+- autorenew: gains new option `--remaining-life` (`-r`) to specify threshold in ratio of remaining lifetime to total lifetime, e.g. `1/3`, `50%`.
+
+### New behaviour
+
+- autonenew: in addition to above, the default option is now adjusted to `--reamining-life 1/3` instead of `--days 7`. This conforms to the Let's Encrypt recommendation to renew certificates when its remaining lifetime is less than 1/3 of the total lifetime.
+- docker: our provided Docker image now bundles rexml instead of nokogiri for aws-sdk-route53.
+
+
+## v2.6.1 (2024-12-05)
+
+### Fixes
+
+- route53: restore_to_original_records can have an error when querying existing record sets when it generates a name with leading empty labels (OTOH: double leading dots). [#65](https://github.com/sorah/acmesmith/pull/65)
+
 ## v2.6.0 (2023-10-05)
 
 ### Enhancement

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM sorah/ruby:3.2-dev as builder
+FROM sorah/ruby:3.4-dev as builder
 
 #RUN apt-get update \
 #    && apt-get install -y libmysqlclient-dev git-core \
@@ -12,7 +12,7 @@ RUN sed -i -e 's|Acmesmith::VERSION|"0.0.0"|g' -e '/^require.*acmesmith.version/
 
 RUN bundle install --path /gems --jobs 100 --without development
 
-FROM sorah/ruby:3.2
+FROM sorah/ruby:3.4
 
 #RUN apt-get update \
 #    && apt-get install -y libmysqlclient20 \

data/Gemfile

@@ -3,4 +3,4 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in acmesmith.gemspec
 gemspec
 
-gem 'nokogiri'
+gem 'rexml'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    acmesmith (2.6.0)
+    acmesmith (2.7.0)
       acme-client (>= 2.0.7, < 3)
       aws-sdk-acm
       aws-sdk-route53
@@ -11,62 +11,64 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    acme-client (2.0.14)
+    acme-client (2.0.19)
+      base64 (~> 0.2.0)
       faraday (>= 1.0, < 3.0.0)
       faraday-retry (>= 1.0, < 3.0.0)
-    aws-eventstream (1.2.0)
-    aws-partitions (1.832.0)
-    aws-sdk-acm (1.62.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.185.0)
-      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.651.0)
+    aws-eventstream (1.3.0)
+    aws-partitions (1.1018.0)
+    aws-sdk-acm (1.81.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
       aws-sigv4 (~> 1.5)
+    aws-sdk-core (3.214.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.72.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-route53 (1.79.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.136.0)
-      aws-sdk-core (~> 3, >= 3.181.0)
+    aws-sdk-kms (1.96.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-route53 (1.105.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-s3 (1.176.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.6)
-    aws-sigv4 (1.6.0)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.10.1)
       aws-eventstream (~> 1, >= 1.0.2)
-    base64 (0.1.1)
-    diff-lcs (1.4.4)
-    faraday (2.7.11)
-      base64
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
-    faraday-retry (2.2.0)
+    base64 (0.2.0)
+    diff-lcs (1.5.1)
+    faraday (2.12.1)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
+    faraday-retry (2.2.1)
       faraday (~> 2.0)
     jmespath (1.6.2)
-    mini_portile2 (2.8.1)
-    nokogiri (1.14.3)
-      mini_portile2 (~> 2.8.0)
-      racc (~> 1.4)
-    racc (1.6.2)
-    rake (13.0.6)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    json (2.9.0)
+    logger (1.6.2)
+    net-http (0.6.0)
+      uri
+    rake (13.2.1)
+    rexml (3.4.1)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.2)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
-    ruby2_keywords (0.0.5)
-    thor (1.2.2)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.2)
+    thor (1.3.2)
+    uri (1.0.3)
 
 PLATFORMS
   ruby
@@ -74,9 +76,9 @@ PLATFORMS
 DEPENDENCIES
   acmesmith!
   bundler
-  nokogiri
   rake
+  rexml
   rspec
 
 BUNDLED WITH
-   2.1.4
+   2.5.23

data/README.md

@@ -67,7 +67,7 @@ $ acmesmith save-pkcs12      COMMON_NAME --output=PATH  # Save certificate and p
 ```
 
 ```
-$ acmesmith autorenew [-d DAYS] # Renew certificates which being expired soon
+$ acmesmith autorenew [-r RATIO] [-d DAYS] # Renew certificates which being expired soon. Default to -r 1/3
 ```
 
 ```

data/lib/acmesmith/challenge_responders/route53.rb

@@ -89,7 +89,7 @@ module Acmesmith
         domain_and_challenges.each do |domain, challenge|
 
           hosted_zone_id = find_hosted_zone(domain)
-          name = "#{challenge.record_name}.#{domain}."
+          name = "#{challenge.record_name}.#{canonical_fqdn(domain)}."
 
           rrsets = list_existing_rrsets(hosted_zone_id, name)
           next if rrsets.empty?

data/lib/acmesmith/client.rb

@@ -122,14 +122,23 @@ module Acmesmith
       SaveCertificateService.new(cert, **kwargs).perform!
     end
 
-    def autorenew(days: 7, common_names: nil)
+    def autorenew(days: 30, remaining_life: nil, common_names: nil)
       (common_names || storage.list_certificates).each do |cn|
         puts "=> #{cn}"
         cert = storage.get_certificate(cn)
         not_after = cert.certificate.not_after.utc
 
-        puts "   Not valid after: #{not_after}"
-        next unless (cert.certificate.not_after.utc - Time.now.utc) < (days.to_i * 86400)
+        lifetime = cert.certificate.not_after.utc - cert.certificate.not_before.utc
+        remaining = cert.certificate.not_after.utc - Time.now.utc
+        ratio = Rational(remaining,lifetime)
+
+        has_to_renew = false
+        has_to_renew ||= days && remaining < (days.to_i * 86400)
+        has_to_renew ||= remaining_life && ratio < remaining_life
+
+        puts "   Not valid after: #{not_after} (lifetime=#{format_duration(lifetime+1)}, remaining=#{format_duration(remaining)}, #{"%0.2f" % (ratio.to_f*100)}%)"
+        next unless has_to_renew
+
         puts " * Renewing: CN=#{cert.common_name}, SANs=#{cert.sans.join(',')}"
         order_with_private_key(cert.common_name, *cert.sans, private_key: regenerate_private_key(cert.public_key))
       end
@@ -145,6 +154,22 @@ module Acmesmith
 
     private
 
+    # @param [Numeric] duration
+    def format_duration(duration)
+      raise ArgumentError if !duration.is_a?(Numeric) || duration < 0
+
+      # Calculate components using divmod
+      days, remainder  = duration.divmod(86400)
+      hours, remainder = remainder.divmod(3600)
+      minutes, seconds = remainder.divmod(60)
+
+      # Create [value, unit] pairs, filter out zero values, format, and join
+      [[days, 'd'], [hours, 'h'], [minutes, 'm'], [seconds, 's']]
+        .select { |v,| v > 0 }
+        .map { |v, unit| "#{v.to_i}#{unit}" }
+        .join
+    end
+
 
     def config
       @config

data/lib/acmesmith/command.rb

@@ -143,9 +143,20 @@ module Acmesmith
     end
 
     desc "autorenew [COMMON_NAMES]", "request renewal of certificates which expires soon"
-    method_option :days, type: :numeric, aliases: %w(-d), default: 7, desc: 'specify threshold in days to select certificates to renew'
+    method_option :days, type: :numeric, aliases: %w(-d), default: nil, desc: 'specify threshold in days to select certificates to renew'
+    method_option :remaining_life, type: :string, aliases: %w(-r), default: '1/3', desc: "Specify threshold based on remaining life. Accepts a percentage ('20%') or fraction ('1/3')"
     def autorenew(*common_names)
-      client.autorenew(days: options[:days], common_names: common_names.empty? ? nil : common_names)
+      remaining_life = case options[:remaining_life]
+                       when %r{\A\d+/\d+\z}
+                         Rational(options[:remaining_life])
+                       when %r{\A([\d.]+)%\z}
+                         Rational($1.to_f, 100)
+                       when nil
+                         nil
+                       else
+                         raise ArgumentError, "invalid format for --remaining-life: it must be in '..%' or '../..'"
+                       end
+      client.autorenew(days: options[:days], remaining_life: remaining_life, common_names: common_names.empty? ? nil : common_names)
     end
 
     desc "add-san COMMON_NAME [ADDITIONAL_SANS]", "request renewal of existing certificate with additional SANs"

data/lib/acmesmith/version.rb

@@ -1,3 +1,3 @@
 module Acmesmith
-  VERSION = "2.6.0"
+  VERSION = "2.7.0"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: acmesmith
 version: !ruby/object:Gem::Version
-  version: 2.6.0
+  version: 2.7.0
 platform: ruby
 authors:
 - Sorah Fukumori
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-04 00:00:00.000000000 Z
+date: 2025-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -200,7 +199,6 @@ homepage: https://github.com/sorah/acmesmith
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -215,8 +213,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: ACME client (Let's encrypt client) to manage certificate in multi server
   environment with cloud services (e.g. AWS)