@postalsys/certs 1.0.0

package/.eslintrc

@@ -0,0 +1,15 @@
+{
+    "rules": {
+        "indent": 0,
+        "no-await-in-loop": 0,
+        "require-atomic-updates": 0
+    },
+    "globals": {
+        "BigInt": true
+    },
+    "extends": ["nodemailer", "prettier"],
+    "parserOptions": {
+        "ecmaVersion": 2018,
+        "sourceType": "script"
+    }
+}

package/.prettierrc.js

@@ -0,0 +1,8 @@
+module.exports = {
+    printWidth: 160,
+    tabWidth: 4,
+    singleQuote: true,
+    endOfLine: 'lf',
+    trailingComma: 'none',
+    arrowParens: 'avoid'
+};

package/examples/test.js

@@ -0,0 +1,85 @@
+'use strict';
+
+const Redis = require('ioredis');
+
+const express = require('express');
+const app = express();
+const port = 7003;
+
+// Create a Redis instance.
+// By default, it will connect to localhost:6379.
+// We are going to cover how to specify connection options soon.
+const redis = new Redis();
+const { Certs } = require('../');
+
+let certs = new Certs({
+    redis,
+    namespace: 'test',
+
+    encryptFn: async value => {
+        if (!value) {
+            return value;
+        }
+        if (typeof value === 'string') {
+            value = Buffer.from(value);
+        }
+        if (!Buffer.isBuffer(value)) {
+            return value;
+        }
+        return '$' + value.toString('hex');
+    },
+
+    decryptFn: async value => {
+        if (Buffer.isBuffer(value)) {
+            value = value.toString();
+        }
+
+        if (typeof value !== 'string' || !value || value.charAt(0) !== '$') {
+            return value;
+        }
+
+        return Buffer.from(value.substr(1), 'hex').toString();
+    }
+});
+
+const main = async () => {
+    console.log(await certs.getAcmeAccount());
+
+    console.log(await certs.getCertificate('localdev.kreata.ee'));
+
+    console.log(await certs.acquireCert('localdev.kreata.ee'));
+};
+
+app.get('/', (req, res) => {
+    res.send('Hello World!');
+});
+
+app.get('/.well-known/acme-challenge/:token', (req, res) => {
+    const token = req.params.token;
+    const domain = req.get('host');
+    certs
+        .routeHandler(domain, token)
+        .then(challenge => {
+            res.status(200).set('content-type', 'text/plain').send(challenge);
+        })
+        .catch(err => {
+            res.status(err.statusCode || 500).send({
+                error: err.message,
+                code: err.code,
+                details: err.details
+            });
+        });
+});
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`);
+
+    main()
+        .then(() => {
+            process.exit(0);
+        })
+        .catch(err => {
+            console.error(err);
+            process.exit(1);
+        });
+});

package/lib/acme-challenge.js

@@ -0,0 +1,134 @@
+'use strict';
+
+const { normalizeDomain } = require('./tools');
+const { Settings } = require('./settings');
+const msgpack = require('msgpack5')();
+const { v4: uuid } = require('uuid');
+
+// Unfinished challenges are deleted after this amount of time
+const DEFAULT_TTL = 2 * 3600 * 1000; // milliseconds
+
+class AcmeChallenge {
+    static create(config = {}) {
+        return new AcmeChallenge(config);
+    }
+
+    constructor(config) {
+        this.config = config;
+        const { redis, ttl, namespace } = this.config;
+
+        this.uuid = uuid();
+        this.redis = redis;
+        this.ttl = ttl || DEFAULT_TTL;
+
+        this.namespace = namespace;
+        this.ns = namespace ? `${namespace}:` : '';
+
+        this.settings = Settings.create({
+            redis: this.redis,
+            namespace: this.namespace
+        });
+    }
+
+    init(/*opts*/) {
+        // not much to do here
+        return null;
+    }
+
+    getKey(name) {
+        return `${this.ns}certs:${name}`;
+    }
+
+    async getData(domain, token) {
+        let keyName = this.getKey(`challenge:${domain}:${token}`);
+
+        let encoded = await this.redis.getBuffer(keyName);
+        if (encoded && encoded.length) {
+            return msgpack.decode(encoded);
+        }
+
+        return false;
+    }
+
+    async setData(domain, token, data) {
+        let keyName = this.getKey(`challenge:${domain}:${token}`);
+
+        let result = await this.redis.multi().set(keyName, msgpack.encode(data)).expire(keyName, this.ttl).exec();
+        if (result[0][0]) {
+            throw result[0][0];
+        }
+
+        if (result[1][0]) {
+            throw result[1][0];
+        }
+
+        return result && result[0] && result[1];
+    }
+
+    async deleteData(domain, token) {
+        let keyName = this.getKey(`challenge:${domain}:${token}`);
+        return await this.redis.del(keyName);
+    }
+
+    async set(opts) {
+        const { challenge } = opts;
+        const { altname, keyAuthorization, token } = challenge;
+
+        let domain = normalizeDomain(altname);
+
+        let dataKey = `domain:${domain}:data`;
+        if (!(await this.settings.has(dataKey))) {
+            let err = new Error('Domain not found');
+            err.responseCode = 404;
+            throw err;
+        }
+
+        await this.setData(domain, token, {
+            acme: {
+                token,
+                secret: {
+                    value: keyAuthorization,
+                    created: new Date(),
+                    expires: new Date(Date.now() + this.ttl)
+                }
+            }
+        });
+
+        return true;
+    }
+
+    async get(query) {
+        const { challenge } = query;
+        const { identifier, token } = challenge;
+        const domain = normalizeDomain(identifier.value);
+
+        let tokenData = await this.getData(domain, token);
+        if (!tokenData) {
+            return null;
+        }
+
+        if (
+            !tokenData.acme ||
+            !tokenData.acme.secret ||
+            !tokenData.acme.secret.value ||
+            (tokenData.acme.secret.expires && tokenData.acme.secret.expires < new Date())
+        ) {
+            await this.deleteData(domain, token);
+            return null;
+        }
+
+        return {
+            keyAuthorization: tokenData.acme.secret.value
+        };
+    }
+
+    async remove(opts) {
+        const { challenge } = opts;
+        const { identifier, token } = challenge;
+        const domain = normalizeDomain(identifier.value);
+
+        return this.deleteData(domain, token);
+    }
+}
+
+module.exports = AcmeChallenge;

package/lib/certs.js

@@ -0,0 +1,482 @@
+'use strict';
+
+const ACME = require('@root/acme');
+const { pem2jwk } = require('pem-jwk');
+const CSR = require('@root/csr');
+const pino = require('pino');
+const Joi = require('joi');
+const Lock = require('ioredfour');
+const { Resolver } = require('dns').promises;
+
+const pkg = require('../package.json');
+const AcmeChallenge = require('./acme-challenge');
+const { normalizeDomain, generateKey, parseCertificate, validationErrors } = require('./tools');
+const { Settings } = require('./settings');
+
+const resolver = new Resolver();
+
+const RENEW_AFTER_REMAINING = 10000 + 30 * 24 * 3600 * 1000;
+const BLOCK_RENEW_AFTER_ERROR_TTL = 10; //3600;
+
+class Certs {
+    static create(options = {}) {
+        return new Certs(options);
+    }
+
+    constructor(options) {
+        options = options || {};
+
+        this.redis = options.redis;
+
+        this.namespace = options.namespace;
+        this.ns = options.namespace ? `${options.namespace}:` : '';
+
+        this.encryptFn = options.encryptFn || (async val => val);
+        this.decryptFn = options.decryptFn || (async val => val);
+
+        this.acmeOptions = Object.assign(
+            {
+                environment: 'development',
+                directoryUrl: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+                email: pkg.author.email,
+                caaDomains: ['letsencrypt.org']
+            },
+            options.acme || {}
+        );
+
+        if (!Array.isArray(this.acmeOptions.caaDomains)) {
+            this.acmeOptions.caaDomains = [].concat(this.acmeOptions.caaDomains || []);
+        }
+
+        this.keyBits = Number(options.keyBits) || 2048;
+        this.keyExponent = Number(options.keyExponent) || 65537;
+
+        this.logger = options.logger || pino();
+
+        this.acme = ACME.create({
+            maintainerEmail: pkg.author.email,
+            packageAgent: pkg.name + '/' + pkg.version,
+            notify: (ev, params) => {
+                this.logger.info({ msg: 'ACME Notification', ev, params });
+            }
+        });
+
+        this.settings = Settings.create({
+            redis: this.redis,
+            namespace: this.namespace
+        });
+
+        this.locking = new Lock({
+            redis: this.redis,
+            namespace: `${this.ns}acme:lock`
+        });
+
+        this.acmeChallenge = AcmeChallenge.create({
+            redis: this.redis,
+            namespace: this.namespace
+        });
+
+        this.acmeInitialized = false;
+        this.acmeInitializing = false;
+        this.acmeInitPending = [];
+    }
+
+    getKey(name) {
+        return `${this.ns}certs:${name}`;
+    }
+
+    /*
+     * Make sure that the ACME object is initialized
+     * If not, then queue the call and resolve/reject once done
+     */
+    async ensureAcme() {
+        if (this.acmeInitialized) {
+            return true;
+        }
+        if (this.acmeInitializing) {
+            return new Promise((resolve, reject) => {
+                this.acmeInitPending.push({ resolve, reject });
+            });
+        }
+
+        try {
+            await this.acme.init(this.acmeOptions.directoryUrl);
+            this.acmeInitialized = true;
+
+            if (this.acmeInitPending.length) {
+                for (let entry of this.acmeInitPending) {
+                    entry.resolve(true);
+                }
+            }
+        } catch (err) {
+            if (this.acmeInitPending.length) {
+                for (let entry of this.acmeInitPending) {
+                    entry.reject(err);
+                }
+            }
+            throw err;
+        } finally {
+            this.acmeInitializing = false;
+        }
+
+        return true;
+    }
+
+    async getAcmeAccount() {
+        await this.ensureAcme();
+
+        const settingKey = `account:${this.acmeOptions.environment}`;
+        const accountData = await this.settings.get(settingKey);
+
+        // there is already an existing acme account, no need to create a new one
+        if (accountData) {
+            if (accountData.privateKey) {
+                accountData.privateKey = await this.decryptFn(accountData.privateKey);
+            }
+
+            return accountData;
+        }
+
+        // account not found, create a new one
+        this.logger.info({
+            msg: 'ACME account not found, provisioning a new one',
+            directoryUrl: this.acmeOptions.directoryUrl,
+            environment: this.acmeOptions.environment
+        });
+
+        const privateKey = await generateKey(this.acmeOptions.keyBits, this.acmeOptions.keyExponent);
+
+        const jwkAccount = pem2jwk(privateKey);
+        this.logger.trace({ msg: 'Generated Acme account key', environment: this.acmeOptions.environment });
+
+        const accountOptions = {
+            subscriberEmail: this.acmeOptions.email,
+            agreeToTerms: true,
+            accountKey: jwkAccount
+        };
+
+        const account = await this.acme.accounts.create(accountOptions);
+
+        this.settings.set(settingKey, {
+            privateKey: await this.encryptFn(privateKey),
+            account
+        });
+
+        this.logger.trace({ msg: 'ACME account provisioned', environment: this.acmeOptions.environment });
+
+        return {
+            privateKey,
+            account
+        };
+    }
+
+    async validateDomain(domain) {
+        // check domain name format
+        const validation = Joi.string()
+            .domain({ tlds: { allow: true } })
+            .validate(domain);
+
+        if (validation.error) {
+            // invalid domain name, can not create certificate
+            let err = new Error('${domain} is not a valid domain name');
+            err.responseCode = 400;
+            err.code = 'invalid_domain';
+            throw err;
+        }
+
+        // check CAA support
+        const caaDomains = this.acmeOptions.caaDomains.map(normalizeDomain).filter(d => d);
+
+        // CAA support in node 15+
+        if (typeof resolver.resolveCaa === 'function' && caaDomains.length) {
+            let parts = domain.split('.');
+            for (let i = 0; i < parts.length - 1; i++) {
+                let subdomain = parts.slice(i).join('.');
+                let caaRes;
+
+                try {
+                    caaRes = await resolver.resolveCaa(subdomain);
+                } catch (err) {
+                    // assume not found
+                }
+
+                if (caaRes && caaRes.length && !caaRes.some(r => caaDomains.includes(normalizeDomain(r && r.issue)))) {
+                    let err = new Error(`LE not listed in the CAA record for ${subdomain} (${domain})`);
+                    err.responseCode = 403;
+                    err.code = 'caa_mismatch';
+                    throw err;
+                } else if (caaRes && caaRes.length) {
+                    this.logger.trace({ msg: 'Found matching CAA record', subdomain, domain, caaRes });
+                    break;
+                }
+            }
+        }
+
+        return true;
+    }
+
+    async loadCertificateData(domain) {
+        let dataKey = `domain:${domain}:data`;
+        let lastCheckKey = `domain:${domain}:lastCheck`;
+        let privateKeyKey = `domain:${domain}:privateKey`;
+        let lastErrorKey = `domain:${domain}:lastError`;
+        let versionKey = `domain:${domain}:certVersion`;
+
+        let data = await this.settings.get([dataKey, lastCheckKey, privateKeyKey, lastErrorKey]);
+        let certVersion = await this.redis.hget(this.settings.getKey('settings'), versionKey);
+
+        if (!data[dataKey]) {
+            return false;
+        }
+
+        return Object.assign(data[dataKey], {
+            lastCheck: data[lastCheckKey] || null,
+            privateKey: data[privateKeyKey] ? await this.decryptFn(data[privateKeyKey]) : null,
+            lastError: data[lastErrorKey] || null,
+            certVersion: Number(certVersion) || null
+        });
+    }
+
+    async setCertificateData(domain, updates) {
+        updates = updates || {};
+
+        let dataKey = `domain:${domain}:data`;
+        let lastCheckKey = `domain:${domain}:lastCheck`;
+        let privateKeyKey = `domain:${domain}:privateKey`;
+        let lastErrorKey = `domain:${domain}:lastError`;
+        let versionKey = `domain:${domain}:certVersion`;
+
+        let values = {};
+
+        let incrVersion = !!updates.cert;
+
+        if ('privateKey' in updates) {
+            values[privateKeyKey] = await this.encryptFn(updates.privateKey);
+            delete updates.privateKey;
+        }
+
+        if ('lastCheck' in updates) {
+            values[lastCheckKey] = updates.lastCheck;
+            delete updates.lastCheck;
+        }
+
+        if ('lastError' in updates) {
+            values[lastErrorKey] = updates.lastError;
+            delete updates.lastError;
+        }
+
+        if ('certVersion' in updates) {
+            delete updates.certVersion;
+        }
+
+        if (Object.keys(updates).length) {
+            let currendData = await this.settings.get(dataKey);
+            values[dataKey] = Object.assign(currendData || {}, updates);
+        }
+
+        if (incrVersion) {
+            await this.redis.hincrby(this.settings.getKey('settings'), versionKey, 1);
+        }
+
+        if (Object.keys(values).length) {
+            return await this.settings.set(values);
+        }
+    }
+
+    async acquireCert(domain) {
+        domain = normalizeDomain(domain);
+
+        const domainSafeLockKey = this.getKey(`lock:safe:${domain}`);
+        const domainOpLockKey = this.getKey(`lock:op:${domain}`);
+
+        let existingCertificateData = await this.loadCertificateData(domain);
+
+        if (await this.redis.exists(domainSafeLockKey)) {
+            // nothing to do here, renewal blocked
+            this.logger.info({ msg: 'Renewal blocked by failsafe lock', domain, lock: domainSafeLockKey });
+
+            // use default
+            return existingCertificateData;
+        }
+
+        try {
+            // throws if can not validate domain
+            await this.validateDomain(domain);
+            this.logger.trace({ msg: 'Domain validation', domain });
+        } catch (err) {
+            this.logger.error({ msg: 'Failed to validate domain', domain, err });
+            return existingCertificateData;
+        }
+
+        let lock = await this.locking.waitAcquireLock(domainOpLockKey, 10 * 60 * 1000, 3 * 60 * 1000);
+        if (!lock.success) {
+            return existingCertificateData;
+        }
+
+        try {
+            // reload from db, maybe already renewed
+            if (existingCertificateData.validTo && existingCertificateData.validTo > new Date(Date.now() + RENEW_AFTER_REMAINING)) {
+                // no need to renew
+                return existingCertificateData;
+            }
+
+            let privateKey = existingCertificateData.privateKey;
+            if (!privateKey) {
+                // generate new key
+                this.logger.trace({ msg: 'Provision new private key', domain });
+                privateKey = await generateKey(this.acmeOptions.keyBits, this.acmeOptions.keyExponent);
+                await this.setCertificateData(domain, { domain, privateKey, status: 'pending', lastError: null });
+            }
+
+            const jwkPrivateKey = pem2jwk(privateKey);
+            const csr = await CSR.csr({
+                jwk: jwkPrivateKey,
+                domains: [domain],
+                encoding: 'pem'
+            });
+
+            const acmeAccount = await this.getAcmeAccount();
+            if (!acmeAccount) {
+                this.logger.error({ msg: 'Skip certificate renewal, acme account not found', domain });
+                return false;
+            }
+
+            const jwkAccount = pem2jwk(acmeAccount.privateKey);
+            const certificateOptions = {
+                account: acmeAccount.account,
+                accountKey: jwkAccount,
+                csr,
+                domains: [domain],
+                challenges: {
+                    'http-01': this.acmeChallenge
+                }
+            };
+
+            const aID = ((acmeAccount && acmeAccount.account && acmeAccount.account.key && acmeAccount.account.key.kid) || '').split('/acct/').pop();
+            this.logger.info({ msg: 'Generate ACME cert', domain, aID });
+            const cert = await this.acme.certificates.create(certificateOptions);
+            if (!cert || !cert.cert) {
+                this.logger.error({ msg: 'Failed to generate certificate. Empty response', domain });
+                return existingCertificateData;
+            }
+
+            this.logger.info({ msg: 'Received certificate from ACME', domain });
+
+            let now = new Date();
+            const parsed = parseCertificate(cert.cert);
+
+            let updates = Object.assign(parseCertificate(cert.cert), {
+                cert: cert.cert,
+                ca: [].concat(cert.chain || []),
+                lastCheck: now,
+                lastError: null,
+                status: 'valid'
+            });
+
+            await this.setCertificateData(domain, updates);
+            this.logger.info({ msg: 'Certificate successfully generated', domain, expires: parsed.validTo });
+            return await this.loadCertificateData(domain);
+        } catch (err) {
+            try {
+                await this.redis.multi().set(domainSafeLockKey, 1).expire(domainSafeLockKey, BLOCK_RENEW_AFTER_ERROR_TTL).exec();
+            } catch (err) {
+                this.logger.error({ msg: 'Redis call failed', domainSafeLockKey, domain, err });
+            }
+
+            this.logger.error({ msg: 'Failed to generate certificate', domain, err });
+
+            if (existingCertificateData) {
+                try {
+                    await this.setCertificateData(domain, {
+                        lastError: {
+                            err: err.message,
+                            code: err.code,
+                            time: new Date()
+                        }
+                    });
+                } catch (err) {
+                    this.logger.error({ msg: 'Failed to update certificate record', domain, err });
+                }
+            }
+
+            if (existingCertificateData && existingCertificateData.cert) {
+                // use existing certificate data if exists
+                return existingCertificateData;
+            }
+
+            throw err;
+        } finally {
+            try {
+                await this.locking.releaseLock(lock);
+            } catch (err) {
+                this.logger.error({ msg: 'Failed to release lock', domainOpLockKey, err });
+            }
+        }
+    }
+
+    async routeHandler(domain, token) {
+        const schema = Joi.object().keys({
+            domain: Joi.string().domain({ tlds: { allow: true } }),
+            token: Joi.string().empty('').max(256).required()
+        });
+
+        const result = schema.validate(
+            { domain, token },
+            {
+                abortEarly: false,
+                convert: true,
+                allowUnknown: true
+            }
+        );
+
+        if (result.error) {
+            let err = new Error(result.error.message);
+            err.code = 'InputValidationError';
+            err.details = validationErrors(result);
+            err.responseCode = 400;
+            throw err;
+        }
+
+        let challenge;
+        try {
+            challenge = await this.acmeChallenge.get({
+                challenge: {
+                    token,
+                    identifier: {
+                        value: domain
+                    }
+                }
+            });
+        } catch (err) {
+            this.logger.error({ msg: `Error verifying challenge`, domain, token, err });
+
+            let resErr = new Error(`Failed to verify authentication token`);
+            err.code = 'ChallengeFail';
+            resErr.responseCode = 500;
+            throw resErr;
+        }
+
+        if (!challenge || !challenge.keyAuthorization) {
+            this.logger.error({ msg: `Unknown challenge`, domain, token });
+
+            let err = new Error(`Unknown challenge`);
+            err.code = 'ChallengeNotFound';
+            err.responseCode = 404;
+            throw err;
+        }
+
+        return challenge.keyAuthorization;
+    }
+
+    async getCertificate(domain) {
+        domain = normalizeDomain(domain);
+        let certificateData = await this.loadCertificateData(domain);
+        if (certificateData && certificateData.status === 'valid' && certificateData.validTo && certificateData.validTo >= new Date()) {
+            return certificateData;
+        }
+
+        return await this.acquireCert(domain);
+    }
+}
+
+module.exports = { Certs };

package/lib/settings.js

@@ -0,0 +1,81 @@
+'use strict';
+
+const msgpack = require('msgpack5')();
+
+class Settings {
+    static create(options = {}) {
+        return new Settings(options);
+    }
+
+    constructor(options) {
+        this.options = options;
+        const { redis, namespace } = this.options;
+        this.redis = redis;
+
+        this.namespace = namespace;
+        this.ns = namespace ? `${namespace}:` : '';
+    }
+
+    getKey(name) {
+        return `${this.ns}certs:${name}`;
+    }
+
+    async set(...args) {
+        let settingsKey = this.getKey('settings');
+
+        let props = false;
+
+        if (args.length === 1 && typeof args[0] === 'object' && args[0]) {
+            props = {};
+            for (let key of Object.keys(args[0])) {
+                props[key] = msgpack.encode(args[0][key]);
+            }
+        } else if (args.length === 2 && typeof args[0] === 'string') {
+            props = {
+                [args[0]]: msgpack.encode(args[1])
+            };
+        } else {
+            return false;
+        }
+
+        return (await this.redis.hmset(settingsKey, props)) === 'OK';
+    }
+
+    async get(...args) {
+        let settingsKey = this.getKey('settings');
+
+        let keys = args.flatMap(arg => arg);
+        let list = await this.redis.hmgetBuffer(settingsKey, keys);
+
+        let data = {};
+        for (let i = 0; i < list.length; i++) {
+            try {
+                let key = keys[i];
+                data[key] = msgpack.decode(list[i]);
+            } catch (err) {
+                // ignore?
+            }
+        }
+
+        if (keys.length === 1) {
+            return data[keys[0]];
+        }
+
+        return data;
+    }
+
+    async delete(...args) {
+        let settingsKey = this.getKey('settings');
+
+        let keys = args.flatMap(arg => arg);
+
+        return await this.redis.hdel(settingsKey, ...keys);
+    }
+
+    async has(key) {
+        let settingsKey = this.getKey('settings');
+        return await this.redis.hexists(settingsKey, key);
+    }
+}
+
+module.exports = { Settings };

package/lib/tools.js

@@ -0,0 +1,75 @@
+'use strict';
+
+const punycode = require('punycode/');
+const crypto = require('crypto');
+const { promisify } = require('util');
+const generateKeyPair = promisify(crypto.generateKeyPair);
+
+module.exports = {
+    normalizeDomain(domain) {
+        domain = (domain || '').toLowerCase().trim();
+        try {
+            if (/^xn--/.test(domain)) {
+                domain = punycode.toUnicode(domain).normalize('NFC').toLowerCase().trim();
+            }
+        } catch (E) {
+            // ignore
+        }
+
+        return domain;
+    },
+
+    async generateKey(keyBits, keyExponent, opts) {
+        opts = opts || {};
+        const { privateKey /*, publicKey */ } = await generateKeyPair('rsa', {
+            modulusLength: keyBits || 2048, // options
+            publicExponent: keyExponent || 65537,
+            publicKeyEncoding: {
+                type: opts.publicKeyEncoding || 'spki',
+                format: 'pem'
+            },
+            privateKeyEncoding: {
+                // jwk functions fail on other encodings (eg. pkcs8)
+                type: opts.privateKeyEncoding || 'pkcs1',
+                format: 'pem'
+            }
+        });
+
+        return privateKey;
+    },
+
+    parseCertificate(cert) {
+        const parseNames = x509 => {
+            let input = []
+                .concat(x509.subject || [])
+                .concat(x509.subjectAltName || [])
+                .join(', ');
+            let names = new Set();
+            input.replace(/(CN=|DNS:)([^,\s]+)/gi, (o, p, name) => {
+                names.add(module.exports.normalizeDomain(name));
+            });
+            return Array.from(names);
+        };
+
+        let x509 = new crypto.X509Certificate(cert);
+        return {
+            serialNumber: x509.serialNumber,
+            fingerprint: x509.fingerprint,
+            altNames: parseNames(x509),
+            validFrom: new Date(x509.validFrom),
+            validTo: new Date(x509.validTo)
+        };
+    },
+
+    validationErrors(validationResult) {
+        const errors = {};
+        if (validationResult.error && validationResult.error.details) {
+            validationResult.error.details.forEach(detail => {
+                if (!errors[detail.path]) {
+                    errors[detail.path] = detail.message;
+                }
+            });
+        }
+        return errors;
+    }
+};

package/package.json

@@ -0,0 +1,31 @@
+{
+    "name": "@postalsys/certs",
+    "version": "1.0.0",
+    "description": "Manage Let's Encrypt certificates",
+    "main": "lib/certs.js",
+    "scripts": {
+        "test": "echo \"Error: no test specified\" && exit 1"
+    },
+    "keywords": [],
+    "author": {
+        "name": "Postal Systems OÜ",
+        "email": "acme@postalsys.com"
+    },
+    "license": "ISC",
+    "devDependencies": {
+        "eslint-config-nodemailer": "1.2.0",
+        "eslint-config-prettier": "8.5.0",
+        "express": "4.18.1",
+        "ioredis": "5.0.6"
+    },
+    "dependencies": {
+        "@root/acme": "3.1.0",
+        "ioredfour": "1.2.0-ioredis-06",
+        "joi": "17.6.0",
+        "msgpack5": "6.0.1",
+        "pem-jwk": "2.0.0",
+        "pino": "8.1.0",
+        "punycode": "2.1.1",
+        "uuid": "8.3.2"
+    }
+}