@abtnode/certificate-manager 1.17.6-beta-20251221-021146-1a145a92 → 1.17.7-beta-20251223-090654-55d57623

package/libs/acme-manager.js

@@ -18,12 +18,21 @@ const http01 = require('./http-01').create({});
 
 const DEFAULT_AGENT_NAME = 'blocklet-server';
 
-const DEFAULT_RENEWAL_OFFSET_IN_DAY = 30;
+// Default renewal ratio: renew when remaining lifetime <= 1/3 of total lifetime
+const DEFAULT_RENEWAL_RATIO = 1 / 3;
+// Minimum days threshold: always renew if remaining days <= 10
+const MINIMUM_RENEWAL_DAYS = 10;
 
 class Manager extends EventEmitter {
-  constructor({ dataDir, maintainerEmail, staging = false, renewalOffsetInDay = DEFAULT_RENEWAL_OFFSET_IN_DAY }) {
+  constructor({ dataDir, maintainerEmail, staging = false, renewalRatio = DEFAULT_RENEWAL_RATIO }) {
     super();
     logger.info('initialize manager in data dir:', { dataDir });
+
+    // Validate renewalRatio
+    if (typeof renewalRatio !== 'number' || Number.isNaN(renewalRatio) || renewalRatio <= 0) {
+      throw new Error(`Invalid renewalRatio: ${renewalRatio}. Must be a positive number.`);
+    }
+
     this.acme = new AcmeWrapper({
       packageAgent: `${DEFAULT_AGENT_NAME}/${pkg.version}`,
       staging,
@@ -31,7 +40,7 @@ class Manager extends EventEmitter {
     });
 
     this.maintainerEmail = maintainerEmail;
-    this.renewalOffsetInDay = renewalOffsetInDay;
+    this.renewalRatio = renewalRatio;
     this.dataDir = dataDir;
     this.getJobId = (job) => (job ? md5(`${job.domain}-${job.challenge}`) : '');
     this.queue = createQueue({
@@ -162,10 +171,17 @@ class Manager extends EventEmitter {
 
       if (cert.certificate) {
         const info = Certificate.fromPEM(cert.certificate);
-        const days = dayjs(info.validTo).diff(dayjs(), 'days');
-
-        if (force === false && days > this.renewalOffsetInDay) {
-          logger.info(`no need to renewal ${cert.domain}, the certificate will expires more than ${days} days`);
+        const now = dayjs();
+        const validFrom = dayjs(info.validFrom);
+        const validTo = dayjs(info.validTo);
+        const totalLifetime = validTo.diff(validFrom, 'days');
+        const remainingDays = validTo.diff(now, 'days');
+        const renewalThreshold = Math.max(totalLifetime * this.renewalRatio, MINIMUM_RENEWAL_DAYS);
+
+        if (force === false && remainingDays > renewalThreshold) {
+          logger.info(
+            `no need to renewal ${cert.domain}, remaining ${remainingDays} days > threshold ${renewalThreshold.toFixed(1)} days (max of ${(this.renewalRatio * 100).toFixed(0)}% of ${totalLifetime} days lifetime or ${MINIMUM_RENEWAL_DAYS} days)`
+          );
           return null;
         }
 
@@ -214,7 +230,7 @@ class Manager extends EventEmitter {
   async checkRenewalCerts() {
     logger.info('run renewal certificate job');
 
-    const certs = await states.certificate.findRenewCerts(this.renewalOffsetInDay);
+    const certs = await states.certificate.findRenewCerts(this.renewalRatio, MINIMUM_RENEWAL_DAYS);
 
     logger.info(`found ${certs.length} certs need to renewal`);
 
@@ -227,7 +243,7 @@ class Manager extends EventEmitter {
 
 let instance = null;
 
-Manager.getInstance = async ({ maintainerEmail, baseDataDir }) => {
+Manager.getInstance = async ({ maintainerEmail, baseDataDir, renewalRatio }) => {
   if (instance) {
     return instance;
   }
@@ -238,6 +254,7 @@ Manager.getInstance = async ({ maintainerEmail, baseDataDir }) => {
     packageRoot: baseDataDir,
     dataDir,
     maintainerEmail,
+    renewalRatio,
     staging: typeof process.env.STAGING === 'undefined' ? process.env.NODE_ENV !== 'production' : !!process.env.STAGING,
   });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abtnode/certificate-manager",
-  "version": "1.17.6-beta-20251221-021146-1a145a92",
+  "version": "1.17.7-beta-20251223-090654-55d57623",
   "description": "Manage ABT Node SSL certificates",
   "author": "polunzh <polunzh@gmail.com>",
   "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -30,11 +30,11 @@
     "url": "https://github.com/ArcBlock/blocklet-server/issues"
   },
   "dependencies": {
-    "@abtnode/cron": "1.17.6-beta-20251221-021146-1a145a92",
-    "@abtnode/logger": "1.17.6-beta-20251221-021146-1a145a92",
-    "@abtnode/models": "1.17.6-beta-20251221-021146-1a145a92",
-    "@abtnode/queue": "1.17.6-beta-20251221-021146-1a145a92",
-    "@abtnode/util": "1.17.6-beta-20251221-021146-1a145a92",
+    "@abtnode/cron": "1.17.7-beta-20251223-090654-55d57623",
+    "@abtnode/logger": "1.17.7-beta-20251223-090654-55d57623",
+    "@abtnode/models": "1.17.7-beta-20251223-090654-55d57623",
+    "@abtnode/queue": "1.17.7-beta-20251223-090654-55d57623",
+    "@abtnode/util": "1.17.7-beta-20251223-090654-55d57623",
     "@blocklet/error": "^0.3.5",
     "@fidm/x509": "^1.2.1",
     "@greenlock/manager": "^3.1.0",
@@ -47,5 +47,5 @@
     "joi": "17.12.2",
     "punycode": "^2.3.1"
   },
-  "gitHead": "6922b56b5f282ba14c864f6a7969d218e4065104"
+  "gitHead": "00a82b6f4ef5818d6ec37d74be404031c693247c"
 }

package/sdk/manager.js

@@ -11,15 +11,16 @@ const { validateCertificate, getCertInfo } = require('../libs/util');
 
 const DAY_IN_MS = 24 * 60 * 60 * 1000;
 const CERTIFICATE_EXPIRES_WARNING_OFFSET = 7 * DAY_IN_MS;
+const DEFAULT_RENEWAL_RATIO = 1 / 3;
 
 class Manager extends EventEmitter {
-  constructor({ daysBeforeExpireToRenewal, maintainerEmail, dataDir }) {
+  constructor({ renewalRatio = DEFAULT_RENEWAL_RATIO, maintainerEmail, dataDir }) {
     super();
     if (!dataDir) {
       throw new Error('dataDir is required');
     }
 
-    this.daysBeforeExpireToRenewal = daysBeforeExpireToRenewal;
+    this.renewalRatio = renewalRatio;
     this.maintainerEmail = maintainerEmail;
     this.acmeManager = null;
     this.dataDir = dataDir;
@@ -30,7 +31,7 @@ class Manager extends EventEmitter {
   async start() {
     const acmeManager = await AcmeManager.initInstance({
       maintainerEmail: this.maintainerEmail,
-      daysBeforeExpireToRenewal: this.daysBeforeExpireToRenewal,
+      renewalRatio: this.renewalRatio,
       baseDataDir: this.dataDir,
     });
 

package/states/certificate.js

@@ -42,14 +42,43 @@ class Certificate extends BaseState {
     return super.update(condition, data);
   }
 
-  async findRenewCerts(renewalOffsetInDay) {
+  /**
+   * Find Let's Encrypt certificates that should be renewed based on their remaining
+   * lifetime and a minimum renewal window.
+   *
+   * The renewal threshold is computed as:
+   *   max(totalLifetime * renewalRatio, minimumRenewalDays in milliseconds)
+   * and a certificate is selected if its remaining validity is less than or equal
+   * to this threshold.
+   *
+   * @param {number} renewalRatio
+   *   Fraction of the certificate's total lifetime at which renewal should be
+   *   considered. Expected to be between 0 and 1 (e.g. 0.5 = renew after 50%
+   *   of the lifetime has elapsed).
+   * @param {number} [minimumRenewalDays=10]
+   *   Minimum number of days before expiry at which renewal should be considered,
+   *   regardless of the value of {@link renewalRatio}. Must be a non-negative number.
+   * @returns {Promise<import('@abtnode/models').CertificateState[]>}
+   *   A promise that resolves to the list of certificates that should be renewed.
+   */
+  async findRenewCerts(renewalRatio, minimumRenewalDays = 10) {
     const certs = await super.find({ source: CERT_SOURCE.letsEncrypt });
-    return certs
-      .filter((cert) => cert.meta?.validTo)
-      .filter((cert) => {
-        const tmp = dayjs().add(renewalOffsetInDay, 'days').unix() * 1000;
-        return cert.meta.validTo <= tmp;
-      });
+    const now = dayjs();
+    const minimumThreshold = minimumRenewalDays * 24 * 60 * 60 * 1000;
+
+    return certs.filter((cert) => {
+      if (!cert.meta?.validTo || !cert.meta?.validFrom) {
+        return false;
+      }
+
+      const validFrom = dayjs(cert.meta.validFrom);
+      const validTo = dayjs(cert.meta.validTo);
+      const totalLifetime = validTo.diff(validFrom, 'milliseconds');
+      const remainingTime = validTo.diff(now, 'milliseconds');
+      const renewalThreshold = Math.max(totalLifetime * renewalRatio, minimumThreshold);
+
+      return remainingTime <= renewalThreshold;
+    });
   }
 }