@push.rocks/smartproxy 22.4.2 → 23.0.0

package/ts/proxies/smart-proxy/certificate-manager.ts

@@ -1,895 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { HttpProxy } from '../http-proxy/index.js';
-import type { IRouteConfig, IRouteTls } from './models/route-types.js';
-import type { IAcmeOptions } from './models/interfaces.js';
-import { CertStore } from './cert-store.js';
-import type { AcmeStateManager } from './acme-state-manager.js';
-import { logger } from '../../core/utils/logger.js';
-import { SocketHandlers } from './utils/route-helpers.js';
-
-export interface ICertStatus {
-  domain: string;
-  status: 'valid' | 'pending' | 'expired' | 'error';
-  expiryDate?: Date;
-  issueDate?: Date;
-  source: 'static' | 'acme' | 'custom';
-  error?: string;
-}
-
-export interface ICertificateData {
-  cert: string;
-  key: string;
-  ca?: string;
-  expiryDate: Date;
-  issueDate: Date;
-  source?: 'static' | 'acme' | 'custom';
-}
-
-export class SmartCertManager {
-  private certStore: CertStore;
-  private smartAcme: plugins.smartacme.SmartAcme | null = null;
-  private httpProxy: HttpProxy | null = null;
-  private renewalTimer: NodeJS.Timeout | null = null;
-  private pendingChallenges: Map<string, string> = new Map();
-  private challengeRoute: IRouteConfig | null = null;
-  
-  // Track certificate status by route name
-  private certStatus: Map<string, ICertStatus> = new Map();
-  
-  // Global ACME defaults from top-level configuration
-  private globalAcmeDefaults: IAcmeOptions | null = null;
-  
-  // Callback to update SmartProxy routes for challenges
-  private updateRoutesCallback?: (routes: IRouteConfig[]) => Promise<void>;
-  
-  // Flag to track if challenge route is currently active
-  private challengeRouteActive: boolean = false;
-  
-  // Flag to track if provisioning is in progress
-  private isProvisioning: boolean = false;
-  
-  // ACME state manager reference
-  private acmeStateManager: AcmeStateManager | null = null;
-  
-  // Custom certificate provision function
-  private certProvisionFunction?: (domain: string) => Promise<plugins.tsclass.network.ICert | 'http01'>;
-  
-  // Whether to fallback to ACME if custom provision fails
-  private certProvisionFallbackToAcme: boolean = true;
-  
-  constructor(
-    private routes: IRouteConfig[],
-    private certDir: string = './certs',
-    private acmeOptions?: {
-      email?: string;
-      useProduction?: boolean;
-      port?: number;
-    },
-    private initialState?: {
-      challengeRouteActive?: boolean;
-    }
-  ) {
-    this.certStore = new CertStore(certDir);
-    
-    // Apply initial state if provided
-    if (initialState) {
-      this.challengeRouteActive = initialState.challengeRouteActive || false;
-    }
-  }
-  
-  public setHttpProxy(httpProxy: HttpProxy): void {
-    this.httpProxy = httpProxy;
-  }
-  
-  
-  /**
-   * Set the ACME state manager
-   */
-  public setAcmeStateManager(stateManager: AcmeStateManager): void {
-    this.acmeStateManager = stateManager;
-  }
-  
-  /**
-   * Set global ACME defaults from top-level configuration
-   */
-  public setGlobalAcmeDefaults(defaults: IAcmeOptions): void {
-    this.globalAcmeDefaults = defaults;
-  }
-  
-  /**
-   * Set custom certificate provision function
-   */
-  public setCertProvisionFunction(fn: (domain: string) => Promise<plugins.tsclass.network.ICert | 'http01'>): void {
-    this.certProvisionFunction = fn;
-  }
-  
-  /**
-   * Set whether to fallback to ACME if custom provision fails
-   */
-  public setCertProvisionFallbackToAcme(fallback: boolean): void {
-    this.certProvisionFallbackToAcme = fallback;
-  }
-  
-  /**
-   * Update the routes array to keep it in sync with SmartProxy
-   * This prevents stale route data when adding/removing challenge routes
-   */
-  public setRoutes(routes: IRouteConfig[]): void {
-    this.routes = routes;
-  }
-  
-  /**
-   * Set callback for updating routes (used for challenge routes)
-   */
-  public setUpdateRoutesCallback(callback: (routes: IRouteConfig[]) => Promise<void>): void {
-    this.updateRoutesCallback = callback;
-    try {
-      logger.log('debug', 'Route update callback set successfully', { component: 'certificate-manager' });
-    } catch (error) {
-      // Silently handle logging errors
-      console.log('[DEBUG] Route update callback set successfully');
-    }
-  }
-  
-  /**
-   * Initialize certificate manager and provision certificates for all routes
-   */
-  public async initialize(): Promise<void> {
-    // Create certificate directory if it doesn't exist
-    await this.certStore.initialize();
-    
-    // Initialize SmartAcme if we have any ACME routes
-    const hasAcmeRoutes = this.routes.some(r => 
-      r.action.tls?.certificate === 'auto'
-    );
-    
-    if (hasAcmeRoutes && this.acmeOptions?.email) {
-      // Create HTTP-01 challenge handler
-      const http01Handler = new plugins.smartacme.handlers.Http01MemoryHandler();
-      
-      // Set up challenge handler integration with our routing
-      this.setupChallengeHandler(http01Handler);
-      
-      // Create SmartAcme instance with built-in MemoryCertManager and HTTP-01 handler
-      this.smartAcme = new plugins.smartacme.SmartAcme({
-        accountEmail: this.acmeOptions.email,
-        environment: this.acmeOptions.useProduction ? 'production' : 'integration',
-        certManager: new plugins.smartacme.certmanagers.MemoryCertManager(),
-        challengeHandlers: [http01Handler]
-      });
-      
-      await this.smartAcme.start();
-      
-      // Add challenge route once at initialization if not already active
-      if (!this.challengeRouteActive) {
-        logger.log('info', 'Adding ACME challenge route during initialization', { component: 'certificate-manager' });
-        await this.addChallengeRoute();
-      } else {
-        logger.log('info', 'Challenge route already active from previous instance', { component: 'certificate-manager' });
-      }
-    }
-    
-    // Skip automatic certificate provisioning during initialization
-    // This will be called later after ports are listening
-    logger.log('info', 'Certificate manager initialized. Deferring certificate provisioning until after ports are listening.', { component: 'certificate-manager' });
-    
-    // Start renewal timer
-    this.startRenewalTimer();
-  }
-  
-  /**
-   * Provision certificates for all routes that need them
-   */
-  public async provisionAllCertificates(): Promise<void> {
-    const certRoutes = this.routes.filter(r => 
-      r.action.tls?.mode === 'terminate' || 
-      r.action.tls?.mode === 'terminate-and-reencrypt'
-    );
-    
-    // Set provisioning flag to prevent concurrent operations
-    this.isProvisioning = true;
-    
-    try {
-      for (const route of certRoutes) {
-        try {
-          await this.provisionCertificate(route, true); // Allow concurrent since we're managing it here
-        } catch (error) {
-          logger.log('error', `Failed to provision certificate for route ${route.name}`, { routeName: route.name, error, component: 'certificate-manager' });
-        }
-      }
-    } finally {
-      this.isProvisioning = false;
-    }
-  }
-  
-  /**
-   * Provision certificate for a single route
-   */
-  public async provisionCertificate(route: IRouteConfig, allowConcurrent: boolean = false): Promise<void> {
-    const tls = route.action.tls;
-    if (!tls || (tls.mode !== 'terminate' && tls.mode !== 'terminate-and-reencrypt')) {
-      return;
-    }
-    
-    // Check if provisioning is already in progress (prevent concurrent provisioning)
-    if (!allowConcurrent && this.isProvisioning) {
-      logger.log('info', `Certificate provisioning already in progress, skipping ${route.name}`, { routeName: route.name, component: 'certificate-manager' });
-      return;
-    }
-    
-    const domains = this.extractDomainsFromRoute(route);
-    if (domains.length === 0) {
-      logger.log('warn', `Route ${route.name} has TLS termination but no domains`, { routeName: route.name, component: 'certificate-manager' });
-      return;
-    }
-    
-    const primaryDomain = domains[0];
-    
-    if (tls.certificate === 'auto') {
-      // ACME certificate
-      await this.provisionAcmeCertificate(route, domains);
-    } else if (typeof tls.certificate === 'object') {
-      // Static certificate
-      await this.provisionStaticCertificate(route, primaryDomain, tls.certificate);
-    }
-  }
-  
-  /**
-   * Provision ACME certificate
-   */
-  private async provisionAcmeCertificate(
-    route: IRouteConfig, 
-    domains: string[]
-  ): Promise<void> {
-    const primaryDomain = domains[0];
-    const routeName = route.name || primaryDomain;
-    
-    // Check if we already have a valid certificate
-    const existingCert = await this.certStore.getCertificate(routeName);
-    if (existingCert && this.isCertificateValid(existingCert)) {
-      logger.log('info', `Using existing valid certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-      await this.applyCertificate(primaryDomain, existingCert);
-      this.updateCertStatus(routeName, 'valid', existingCert.source || 'acme', existingCert);
-      return;
-    }
-    
-    // Check for custom provision function first
-    if (this.certProvisionFunction) {
-      try {
-        logger.log('info', `Attempting custom certificate provision for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-        const result = await this.certProvisionFunction(primaryDomain);
-        
-        if (result === 'http01') {
-          logger.log('info', `Custom function returned 'http01', falling back to Let's Encrypt for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-          // Continue with existing ACME logic below
-        } else {
-          // Use custom certificate
-          const customCert = result as plugins.tsclass.network.ICert;
-          
-          // Convert to internal certificate format
-          const certData: ICertificateData = {
-            cert: customCert.publicKey,
-            key: customCert.privateKey,
-            ca: '',
-            issueDate: new Date(),
-            expiryDate: this.extractExpiryDate(customCert.publicKey),
-            source: 'custom'
-          };
-          
-          // Store and apply certificate
-          await this.certStore.saveCertificate(routeName, certData);
-          await this.applyCertificate(primaryDomain, certData);
-          this.updateCertStatus(routeName, 'valid', 'custom', certData);
-          
-          logger.log('info', `Custom certificate applied for ${primaryDomain}`, { 
-            domain: primaryDomain,
-            expiryDate: certData.expiryDate,
-            component: 'certificate-manager'
-          });
-          return;
-        }
-      } catch (error) {
-        logger.log('error', `Custom cert provision failed for ${primaryDomain}: ${error.message}`, {
-          domain: primaryDomain,
-          error: error.message,
-          component: 'certificate-manager'
-        });
-        // Check if we should fallback to ACME
-        if (!this.certProvisionFallbackToAcme) {
-          throw error;
-        }
-        logger.log('info', `Falling back to Let's Encrypt for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-      }
-    }
-    
-    if (!this.smartAcme) {
-      throw new Error(
-        'SmartAcme not initialized. This usually means no ACME email was provided. ' +
-        'Please ensure you have configured ACME with an email address either:\n' +
-        '1. In the top-level "acme" configuration\n' +
-        '2. In the route\'s "tls.acme" configuration'
-      );
-    }
-    
-    // Apply renewal threshold from global defaults or route config
-    const renewThreshold = route.action.tls?.acme?.renewBeforeDays || 
-                         this.globalAcmeDefaults?.renewThresholdDays || 
-                         30;
-    
-    logger.log('info', `Requesting ACME certificate for ${domains.join(', ')} (renew ${renewThreshold} days before expiry)`, { domains: domains.join(', '), renewThreshold, component: 'certificate-manager' });
-    this.updateCertStatus(routeName, 'pending', 'acme');
-    
-    try {
-      // Challenge route should already be active from initialization
-      // No need to add it for each certificate
-      
-      // Determine if we should request a wildcard certificate
-      // Only request wildcards if:
-      // 1. The primary domain is not already a wildcard
-      // 2. The domain has multiple parts (can have subdomains)
-      // 3. We have DNS-01 challenge support (required for wildcards)
-      const hasDnsChallenge = (this.smartAcme as any).challengeHandlers?.some((handler: any) => 
-        handler.getSupportedTypes && handler.getSupportedTypes().includes('dns-01')
-      );
-      
-      const shouldIncludeWildcard = !primaryDomain.startsWith('*.') && 
-                                    primaryDomain.includes('.') && 
-                                    primaryDomain.split('.').length >= 2 &&
-                                    hasDnsChallenge;
-      
-      if (shouldIncludeWildcard) {
-        logger.log('info', `Requesting wildcard certificate for ${primaryDomain} (DNS-01 available)`, { domain: primaryDomain, challengeType: 'DNS-01', component: 'certificate-manager' });
-      }
-      
-      // Use smartacme to get certificate with optional wildcard
-      const cert = await this.smartAcme.getCertificateForDomain(
-        primaryDomain,
-        shouldIncludeWildcard ? { includeWildcard: true } : undefined
-      );
-    
-      // SmartAcme's Cert object has these properties:
-      // - publicKey: The certificate PEM string  
-      // - privateKey: The private key PEM string
-      // - csr: Certificate signing request
-      // - validUntil: Timestamp in milliseconds
-      // - domainName: The domain name
-      const certData: ICertificateData = {
-        cert: cert.publicKey,
-        key: cert.privateKey, 
-        ca: cert.publicKey, // Use same as cert for now
-        expiryDate: new Date(cert.validUntil),
-        issueDate: new Date(cert.created),
-        source: 'acme'
-      };
-      
-      await this.certStore.saveCertificate(routeName, certData);
-      await this.applyCertificate(primaryDomain, certData);
-      this.updateCertStatus(routeName, 'valid', 'acme', certData);
-      
-      logger.log('info', `Successfully provisioned ACME certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-    } catch (error) {
-      logger.log('error', `Failed to provision ACME certificate for ${primaryDomain}: ${error.message}`, { domain: primaryDomain, error: error.message, component: 'certificate-manager' });
-      this.updateCertStatus(routeName, 'error', 'acme', undefined, error.message);
-      throw error;
-    }
-  }
-  
-  /**
-   * Provision static certificate
-   */
-  private async provisionStaticCertificate(
-    route: IRouteConfig,
-    domain: string,
-    certConfig: { key: string; cert: string; keyFile?: string; certFile?: string }
-  ): Promise<void> {
-    const routeName = route.name || domain;
-    
-    try {
-      let key: string = certConfig.key;
-      let cert: string = certConfig.cert;
-      
-      // Load from files if paths are provided
-      const smartFileFactory = plugins.smartfile.SmartFileFactory.nodeFs();
-      if (certConfig.keyFile) {
-        const keyFile = await smartFileFactory.fromFilePath(certConfig.keyFile);
-        key = keyFile.contents.toString();
-      }
-      if (certConfig.certFile) {
-        const certFile = await smartFileFactory.fromFilePath(certConfig.certFile);
-        cert = certFile.contents.toString();
-      }
-      
-      // Parse certificate to get dates
-      const expiryDate = this.extractExpiryDate(cert);
-      const issueDate = new Date(); // Current date as issue date
-      
-      const certData: ICertificateData = {
-        cert,
-        key,
-        expiryDate,
-        issueDate,
-        source: 'static'
-      };
-      
-      // Save to store for consistency
-      await this.certStore.saveCertificate(routeName, certData);
-      await this.applyCertificate(domain, certData);
-      this.updateCertStatus(routeName, 'valid', 'static', certData);
-      
-      logger.log('info', `Successfully loaded static certificate for ${domain}`, { domain, component: 'certificate-manager' });
-    } catch (error) {
-      logger.log('error', `Failed to provision static certificate for ${domain}: ${error.message}`, { domain, error: error.message, component: 'certificate-manager' });
-      this.updateCertStatus(routeName, 'error', 'static', undefined, error.message);
-      throw error;
-    }
-  }
-  
-  /**
-   * Apply certificate to HttpProxy
-   */
-  private async applyCertificate(domain: string, certData: ICertificateData): Promise<void> {
-    if (!this.httpProxy) {
-      logger.log('warn', `HttpProxy not set, cannot apply certificate for domain ${domain}`, { domain, component: 'certificate-manager' });
-      return;
-    }
-    
-    // Apply certificate to HttpProxy
-    this.httpProxy.updateCertificate(domain, certData.cert, certData.key);
-    
-    // Also apply for wildcard if it's a subdomain
-    if (domain.includes('.') && !domain.startsWith('*.')) {
-      const parts = domain.split('.');
-      if (parts.length >= 2) {
-        const wildcardDomain = `*.${parts.slice(-2).join('.')}`;
-        this.httpProxy.updateCertificate(wildcardDomain, certData.cert, certData.key);
-      }
-    }
-  }
-  
-  /**
-   * Extract domains from route configuration
-   */
-  private extractDomainsFromRoute(route: IRouteConfig): string[] {
-    if (!route.match.domains) {
-      return [];
-    }
-    
-    const domains = Array.isArray(route.match.domains) 
-      ? route.match.domains 
-      : [route.match.domains];
-    
-    // Filter out wildcards and patterns
-    return domains.filter(d => 
-      !d.includes('*') && 
-      !d.includes('{') && 
-      d.includes('.')
-    );
-  }
-  
-  /**
-   * Check if certificate is valid
-   */
-  private isCertificateValid(cert: ICertificateData): boolean {
-    const now = new Date();
-    
-    // Use renewal threshold from global defaults or fallback to 30 days
-    const renewThresholdDays = this.globalAcmeDefaults?.renewThresholdDays || 30;
-    const expiryThreshold = new Date(now.getTime() + renewThresholdDays * 24 * 60 * 60 * 1000);
-    
-    return cert.expiryDate > expiryThreshold;
-  }
-  
-  /**
-   * Extract expiry date from a PEM certificate
-   */
-  private extractExpiryDate(_certPem: string): Date {
-    // For now, we'll default to 90 days for custom certificates
-    // In production, you might want to use a proper X.509 parser
-    // or require the custom cert provider to include expiry info
-    logger.log('info', 'Using default 90-day expiry for custom certificate', {
-      component: 'certificate-manager'
-    });
-    return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000);
-  }
-  
-  
-  /**
-   * Add challenge route to SmartProxy
-   * 
-   * This method adds a special route for ACME HTTP-01 challenges, which typically uses port 80.
-   * Since we may already be listening on port 80 for regular routes, we need to be
-   * careful about how we add this route to avoid binding conflicts.
-   */
-  private async addChallengeRoute(): Promise<void> {
-    // Check with state manager first - avoid duplication
-    if (this.acmeStateManager && this.acmeStateManager.isChallengeRouteActive()) {
-      try {
-        logger.log('info', 'Challenge route already active in global state, skipping', { component: 'certificate-manager' });
-      } catch (error) {
-        // Silently handle logging errors
-        console.log('[INFO] Challenge route already active in global state, skipping');
-      }
-      this.challengeRouteActive = true;
-      return;
-    }
-    
-    if (this.challengeRouteActive) {
-      try {
-        logger.log('info', 'Challenge route already active locally, skipping', { component: 'certificate-manager' });
-      } catch (error) {
-        // Silently handle logging errors
-        console.log('[INFO] Challenge route already active locally, skipping');
-      }
-      return;
-    }
-    
-    if (!this.updateRoutesCallback) {
-      throw new Error('No route update callback set');
-    }
-    
-    if (!this.challengeRoute) {
-      throw new Error('Challenge route not initialized');
-    }
-
-    // Get the challenge port
-    const challengePort = this.globalAcmeDefaults?.port || 80;
-    
-    // Check if any existing routes are already using this port
-    // This helps us determine if we need to create a new binding or can reuse existing one
-    const portInUseByRoutes = this.routes.some(route => {
-      const routePorts = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
-      return routePorts.some(p => {
-        // Handle both number and port range objects
-        if (typeof p === 'number') {
-          return p === challengePort;
-        } else if (typeof p === 'object' && 'from' in p && 'to' in p) {
-          // Port range case - check if challengePort is in range
-          return challengePort >= p.from && challengePort <= p.to;
-        }
-        return false;
-      });
-    });
-
-    try {
-      // Log whether port is already in use by other routes
-      if (portInUseByRoutes) {
-        try {
-          logger.log('info', `Port ${challengePort} is already used by another route, merging ACME challenge route`, {
-            port: challengePort,
-            component: 'certificate-manager'
-          });
-        } catch (error) {
-          // Silently handle logging errors
-          console.log(`[INFO] Port ${challengePort} is already used by another route, merging ACME challenge route`);
-        }
-      } else {
-        try {
-          logger.log('info', `Adding new ACME challenge route on port ${challengePort}`, {
-            port: challengePort,
-            component: 'certificate-manager'
-          });
-        } catch (error) {
-          // Silently handle logging errors
-          console.log(`[INFO] Adding new ACME challenge route on port ${challengePort}`);
-        }
-      }
-      
-      // Add the challenge route to the existing routes
-      const challengeRoute = this.challengeRoute;
-      const updatedRoutes = [...this.routes, challengeRoute];
-      
-      // With the re-ordering of start(), port binding should already be done
-      // This updateRoutes call should just add the route without binding again
-      await this.updateRoutesCallback(updatedRoutes);
-      // Keep local routes in sync after updating
-      this.routes = updatedRoutes;
-      this.challengeRouteActive = true;
-      
-      // Register with state manager
-      if (this.acmeStateManager) {
-        this.acmeStateManager.addChallengeRoute(challengeRoute);
-      }
-      
-      try {
-        logger.log('info', 'ACME challenge route successfully added', { component: 'certificate-manager' });
-      } catch (error) {
-        // Silently handle logging errors
-        console.log('[INFO] ACME challenge route successfully added');
-      }
-    } catch (error) {
-      // Enhanced error handling based on error type
-      if ((error as any).code === 'EADDRINUSE') {
-        try {
-          logger.log('warn', `Challenge port ${challengePort} is unavailable - it's already in use by another process. Consider configuring a different ACME port.`, { 
-            port: challengePort,
-            error: (error as Error).message,
-            component: 'certificate-manager'
-          });
-        } catch (logError) {
-          // Silently handle logging errors
-          console.log(`[WARN] Challenge port ${challengePort} is unavailable - it's already in use by another process. Consider configuring a different ACME port.`);
-        }
-        
-        // Provide a more informative and actionable error message
-        throw new Error(
-          `ACME HTTP-01 challenge port ${challengePort} is already in use by another process. ` + 
-          `Please configure a different port using the acme.port setting (e.g., 8080).`
-        );
-      } else if (error.message && error.message.includes('EADDRINUSE')) {
-        // Some Node.js versions embed the error code in the message rather than the code property
-        try {
-          logger.log('warn', `Port ${challengePort} conflict detected: ${error.message}`, {
-            port: challengePort,
-            component: 'certificate-manager'
-          });
-        } catch (logError) {
-          // Silently handle logging errors
-          console.log(`[WARN] Port ${challengePort} conflict detected: ${error.message}`);
-        }
-        
-        // More detailed error message with suggestions
-        throw new Error(
-          `ACME HTTP challenge port ${challengePort} conflict detected. ` +
-          `To resolve this issue, try one of these approaches:\n` +
-          `1. Configure a different port in ACME settings (acme.port)\n` +
-          `2. Add a regular route that uses port ${challengePort} before initializing the certificate manager\n` +
-          `3. Stop any other services that might be using port ${challengePort}`
-        );
-      }
-      
-      // Log and rethrow other types of errors
-      try {
-        logger.log('error', `Failed to add challenge route: ${(error as Error).message}`, { 
-          error: (error as Error).message, 
-          component: 'certificate-manager' 
-        });
-      } catch (logError) {
-        // Silently handle logging errors
-        console.log(`[ERROR] Failed to add challenge route: ${(error as Error).message}`);
-      }
-      throw error;
-    }
-  }
-  
-  /**
-   * Remove challenge route from SmartProxy
-   */
-  private async removeChallengeRoute(): Promise<void> {
-    if (!this.challengeRouteActive) {
-      try {
-        logger.log('info', 'Challenge route not active, skipping removal', { component: 'certificate-manager' });
-      } catch (error) {
-        // Silently handle logging errors
-        console.log('[INFO] Challenge route not active, skipping removal');
-      }
-      return;
-    }
-    
-    if (!this.updateRoutesCallback) {
-      return;
-    }
-    
-    try {
-      const filteredRoutes = this.routes.filter(r => r.name !== 'acme-challenge');
-      await this.updateRoutesCallback(filteredRoutes);
-      // Keep local routes in sync after updating
-      this.routes = filteredRoutes;
-      this.challengeRouteActive = false;
-      
-      // Remove from state manager
-      if (this.acmeStateManager) {
-        this.acmeStateManager.removeChallengeRoute('acme-challenge');
-      }
-      
-      try {
-        logger.log('info', 'ACME challenge route successfully removed', { component: 'certificate-manager' });
-      } catch (error) {
-        // Silently handle logging errors
-        console.log('[INFO] ACME challenge route successfully removed');
-      }
-    } catch (error) {
-      try {
-        logger.log('error', `Failed to remove challenge route: ${error.message}`, { error: error.message, component: 'certificate-manager' });
-      } catch (logError) {
-        // Silently handle logging errors
-        console.log(`[ERROR] Failed to remove challenge route: ${error.message}`);
-      }
-      // Reset the flag even on error to avoid getting stuck
-      this.challengeRouteActive = false;
-      throw error;
-    }
-  }
-  
-  /**
-   * Start renewal timer
-   */
-  private startRenewalTimer(): void {
-    // Check for renewals every 12 hours
-    this.renewalTimer = setInterval(() => {
-      this.checkAndRenewCertificates();
-    }, 12 * 60 * 60 * 1000);
-    
-    // Unref the timer so it doesn't keep the process alive
-    if (this.renewalTimer.unref) {
-      this.renewalTimer.unref();
-    }
-    
-    // Also do an immediate check
-    this.checkAndRenewCertificates();
-  }
-  
-  /**
-   * Check and renew certificates that are expiring
-   */
-  private async checkAndRenewCertificates(): Promise<void> {
-    for (const route of this.routes) {
-      if (route.action.tls?.certificate === 'auto') {
-        const routeName = route.name || this.extractDomainsFromRoute(route)[0];
-        const cert = await this.certStore.getCertificate(routeName);
-        
-        if (cert && !this.isCertificateValid(cert)) {
-          logger.log('info', `Certificate for ${routeName} needs renewal`, { routeName, component: 'certificate-manager' });
-          try {
-            await this.provisionCertificate(route);
-          } catch (error) {
-            logger.log('error', `Failed to renew certificate for ${routeName}: ${error.message}`, { routeName, error: error.message, component: 'certificate-manager' });
-          }
-        }
-      }
-    }
-  }
-  
-  /**
-   * Update certificate status
-   */
-  private updateCertStatus(
-    routeName: string,
-    status: ICertStatus['status'],
-    source: ICertStatus['source'],
-    certData?: ICertificateData,
-    error?: string
-  ): void {
-    this.certStatus.set(routeName, {
-      domain: routeName,
-      status,
-      source,
-      expiryDate: certData?.expiryDate,
-      issueDate: certData?.issueDate,
-      error
-    });
-  }
-  
-  /**
-   * Get certificate status for a route
-   */
-  public getCertificateStatus(routeName: string): ICertStatus | undefined {
-    return this.certStatus.get(routeName);
-  }
-  
-  /**
-   * Force renewal of a certificate
-   */
-  public async renewCertificate(routeName: string): Promise<void> {
-    const route = this.routes.find(r => r.name === routeName);
-    if (!route) {
-      throw new Error(`Route ${routeName} not found`);
-    }
-    
-    // Remove existing certificate to force renewal
-    await this.certStore.deleteCertificate(routeName);
-    await this.provisionCertificate(route);
-  }
-  
-  /**
-   * Setup challenge handler integration with SmartProxy routing
-   */
-  private setupChallengeHandler(http01Handler: plugins.smartacme.handlers.Http01MemoryHandler): void {
-    // Use challenge port from global config or default to 80
-    const challengePort = this.globalAcmeDefaults?.port || 80;
-    
-    // Create a challenge route that delegates to SmartAcme's HTTP-01 handler
-    const challengeRoute: IRouteConfig = {
-      name: 'acme-challenge',
-      priority: 1000,  // High priority
-      match: {
-        ports: challengePort,
-        path: '/.well-known/acme-challenge/*'
-      },
-      action: {
-        type: 'socket-handler',
-        socketHandler: SocketHandlers.httpServer((req, res) => {
-          // Extract the token from the path
-          const token = req.url?.split('/').pop();
-          if (!token) {
-            res.status(404);
-            res.send('Not found');
-            return;
-          }
-          
-          // Create mock request/response objects for SmartAcme
-          let responseData: any = null;
-          const mockReq = {
-            url: req.url,
-            method: req.method,
-            headers: req.headers
-          };
-          
-          const mockRes = {
-            statusCode: 200,
-            setHeader: (name: string, value: string) => {},
-            end: (data: any) => {
-              responseData = data;
-            }
-          };
-          
-          // Use SmartAcme's handler
-          const handleAcme = () => {
-            http01Handler.handleRequest(mockReq as any, mockRes as any, () => {
-              // Not handled by ACME
-              res.status(404);
-              res.send('Not found');
-            });
-            
-            // Give it a moment to process, then send response
-            setTimeout(() => {
-              if (responseData) {
-                res.header('Content-Type', 'text/plain');
-                res.send(String(responseData));
-              } else {
-                res.status(404);
-                res.send('Not found');
-              }
-            }, 100);
-          };
-          
-          handleAcme();
-        })
-      }
-    };
-    
-    // Store the challenge route to add it when needed
-    this.challengeRoute = challengeRoute;
-  }
-  
-  /**
-   * Stop certificate manager
-   */
-  public async stop(): Promise<void> {
-    if (this.renewalTimer) {
-      clearInterval(this.renewalTimer);
-      this.renewalTimer = null;
-    }
-    
-    // Always remove challenge route on shutdown
-    if (this.challengeRoute) {
-      logger.log('info', 'Removing ACME challenge route during shutdown', { component: 'certificate-manager' });
-      await this.removeChallengeRoute();
-    }
-    
-    if (this.smartAcme) {
-      await this.smartAcme.stop();
-    }
-    
-    // Clear any pending challenges
-    if (this.pendingChallenges.size > 0) {
-      this.pendingChallenges.clear();
-    }
-  }
-  
-  /**
-   * Get ACME options (for recreating after route updates)
-   */
-  public getAcmeOptions(): { email?: string; useProduction?: boolean; port?: number } | undefined {
-    return this.acmeOptions;
-  }
-  
-  /**
-   * Get certificate manager state
-   */
-  public getState(): { challengeRouteActive: boolean } {
-    return {
-      challengeRouteActive: this.challengeRouteActive
-    };
-  }
-}
-