@push.rocks/smartproxy 7.1.2 → 10.0.0

package/ts/port80handler/classes.port80handler.ts

@@ -1,7 +1,30 @@
 import * as plugins from '../plugins.js';
 import { IncomingMessage, ServerResponse } from 'http';
-import * as fs from 'fs';
-import * as path from 'path';
+import { Port80HandlerEvents } from '../common/types.js';
+import type {
+  IForwardConfig,
+  IDomainOptions,
+  ICertificateData,
+  ICertificateFailure,
+  ICertificateExpiring,
+  IAcmeOptions
+} from '../common/types.js';
+// (fs and path I/O moved to CertProvisioner)
+// ACME HTTP-01 challenge handler storing tokens in memory (diskless)
+class DisklessHttp01Handler {
+  private storage: Map<string, string>;
+  constructor(storage: Map<string, string>) { this.storage = storage; }
+  public getSupportedTypes(): string[] { return ['http-01']; }
+  public async prepare(ch: any): Promise<void> {
+    this.storage.set(ch.token, ch.keyAuthorization);
+  }
+  public async verify(ch: any): Promise<void> {
+    return;
+  }
+  public async cleanup(ch: any): Promise<void> {
+    this.storage.delete(ch.token);
+  }
+}
 
 /**
  * Custom error classes for better error handling
@@ -31,24 +54,6 @@ export class ServerError extends Port80HandlerError {
   }
 }
 
-/**
- * Domain forwarding configuration
- */
-export interface IForwardConfig {
-  ip: string;
-  port: number;
-}
-
-/**
- * Domain configuration options
- */
-export interface IDomainOptions {
-  domainName: string;
-  sslRedirect: boolean;   // if true redirects the request to port 443
-  acmeMaintenance: boolean; // tries to always have a valid cert for this domain
-  forward?: IForwardConfig; // forwards all http requests to that target
-  acmeForward?: IForwardConfig; // forwards letsencrypt requests to this config
-}
 
 /**
  * Represents a domain configuration with certificate status information
@@ -59,8 +64,6 @@ interface IDomainCertificate {
   obtainingInProgress: boolean;
   certificate?: string;
   privateKey?: string;
-  challengeToken?: string;
-  challengeKeyAuthorization?: string;
   expiryDate?: Date;
   lastRenewalAttempt?: Date;
 }
@@ -68,59 +71,8 @@ interface IDomainCertificate {
 /**
  * Configuration options for the Port80Handler
  */
-interface IPort80HandlerOptions {
-  port?: number;
-  contactEmail?: string;
-  useProduction?: boolean;
-  renewThresholdDays?: number;
-  httpsRedirectPort?: number;
-  renewCheckIntervalHours?: number;
-  enabled?: boolean; // Whether ACME is enabled at all
-  autoRenew?: boolean; // Whether to automatically renew certificates
-  certificateStore?: string; // Directory to store certificates
-  skipConfiguredCerts?: boolean; // Skip domains that already have certificates
-}
+// Port80Handler options moved to common types
 
-/**
- * Certificate data that can be emitted via events or set from outside
- */
-export interface ICertificateData {
-  domain: string;
-  certificate: string;
-  privateKey: string;
-  expiryDate: Date;
-}
-
-/**
- * Events emitted by the Port80Handler
- */
-export enum Port80HandlerEvents {
-  CERTIFICATE_ISSUED = 'certificate-issued',
-  CERTIFICATE_RENEWED = 'certificate-renewed',
-  CERTIFICATE_FAILED = 'certificate-failed',
-  CERTIFICATE_EXPIRING = 'certificate-expiring',
-  MANAGER_STARTED = 'manager-started',
-  MANAGER_STOPPED = 'manager-stopped',
-  REQUEST_FORWARDED = 'request-forwarded',
-}
-
-/**
- * Certificate failure payload type
- */
-export interface ICertificateFailure {
-  domain: string;
-  error: string;
-  isRenewal: boolean;
-}
-
-/**
- * Certificate expiry payload type
- */
-export interface ICertificateExpiring {
-  domain: string;
-  expiryDate: Date;
-  daysRemaining: number;
-}
 
 /**
  * Port80Handler with ACME certificate management and request forwarding capabilities
@@ -128,18 +80,21 @@ export interface ICertificateExpiring {
  */
 export class Port80Handler extends plugins.EventEmitter {
   private domainCertificates: Map<string, IDomainCertificate>;
+  // In-memory storage for ACME HTTP-01 challenge tokens
+  private acmeHttp01Storage: Map<string, string> = new Map();
+  // SmartAcme instance for certificate management
+  private smartAcme: plugins.smartacme.SmartAcme | null = null;
   private server: plugins.http.Server | null = null;
-  private acmeClient: plugins.acme.Client | null = null;
-  private accountKey: string | null = null;
-  private renewalTimer: NodeJS.Timeout | null = null;
+  // Renewal scheduling is handled externally by SmartProxy
+  // (Removed internal renewal timer)
   private isShuttingDown: boolean = false;
-  private options: Required<IPort80HandlerOptions>;
+  private options: Required<IAcmeOptions>;
 
   /**
    * Creates a new Port80Handler
    * @param options Configuration options
    */
-  constructor(options: IPort80HandlerOptions = {}) {
+  constructor(options: IAcmeOptions = {}) {
     super();
     this.domainCertificates = new Map<string, IDomainCertificate>();
     
@@ -148,13 +103,14 @@ export class Port80Handler extends plugins.EventEmitter {
       port: options.port ?? 80,
       contactEmail: options.contactEmail ?? 'admin@example.com',
       useProduction: options.useProduction ?? false, // Safer default: staging
-      renewThresholdDays: options.renewThresholdDays ?? 10, // Changed to 10 days as per requirements
       httpsRedirectPort: options.httpsRedirectPort ?? 443,
-      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
       enabled: options.enabled ?? true, // Enable by default
-      autoRenew: options.autoRenew ?? true, // Auto-renew by default
-      certificateStore: options.certificateStore ?? './certs', // Default store location
-      skipConfiguredCerts: options.skipConfiguredCerts ?? false
+      certificateStore: options.certificateStore ?? './certs',
+      skipConfiguredCerts: options.skipConfiguredCerts ?? false,
+      renewThresholdDays: options.renewThresholdDays ?? 30,
+      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
+      autoRenew: options.autoRenew ?? true,
+      domainForwards: options.domainForwards ?? []
     };
   }
 
@@ -175,13 +131,20 @@ export class Port80Handler extends plugins.EventEmitter {
       console.log('Port80Handler is disabled, skipping start');
       return;
     }
+    // Initialize SmartAcme for ACME challenge management (diskless HTTP handler)
+    if (this.options.enabled) {
+      this.smartAcme = new plugins.smartacme.SmartAcme({
+        accountEmail: this.options.contactEmail,
+        certManager: new plugins.smartacme.MemoryCertManager(),
+        environment: this.options.useProduction ? 'production' : 'integration',
+        challengeHandlers: [ new DisklessHttp01Handler(this.acmeHttp01Storage) ],
+        challengePriority: ['http-01'],
+      });
+      await this.smartAcme.start();
+    }
 
     return new Promise((resolve, reject) => {
       try {
-        // Load certificates from store if enabled
-        if (this.options.certificateStore) {
-          this.loadCertificatesFromStore();
-        }
         
         this.server = plugins.http.createServer((req, res) => this.handleRequest(req, res));
         
@@ -197,7 +160,6 @@ export class Port80Handler extends plugins.EventEmitter {
         
         this.server.listen(this.options.port, () => {
           console.log(`Port80Handler is listening on port ${this.options.port}`);
-          this.startRenewalTimer();
           this.emit(Port80HandlerEvents.MANAGER_STARTED, this.options.port);
           
           // Start certificate process for domains with acmeMaintenance enabled
@@ -234,11 +196,6 @@ export class Port80Handler extends plugins.EventEmitter {
     
     this.isShuttingDown = true;
     
-    // Stop the renewal timer
-    if (this.renewalTimer) {
-      clearInterval(this.renewalTimer);
-      this.renewalTimer = null;
-    }
 
     return new Promise<void>((resolve) => {
       if (this.server) {
@@ -353,10 +310,7 @@ export class Port80Handler extends plugins.EventEmitter {
     
     console.log(`Certificate set for ${domain}`);
     
-    // Save certificate to store if enabled
-    if (this.options.certificateStore) {
-      this.saveCertificateToStore(domain, certificate, privateKey);
-    }
+    // (Persistence of certificates moved to CertProvisioner)
     
     // Emit certificate event
     this.emitCertificateEvent(Port80HandlerEvents.CERTIFICATE_ISSUED, {
@@ -391,134 +345,7 @@ export class Port80Handler extends plugins.EventEmitter {
     };
   }
 
-  /**
-   * Saves a certificate to the filesystem store
-   * @param domain The domain for the certificate
-   * @param certificate The certificate (PEM format)
-   * @param privateKey The private key (PEM format)
-   * @private
-   */
-  private saveCertificateToStore(domain: string, certificate: string, privateKey: string): void {
-    // Skip if certificate store is not enabled
-    if (!this.options.certificateStore) return;
-    
-    try {
-      const storePath = this.options.certificateStore;
-      
-      // Ensure the directory exists
-      if (!fs.existsSync(storePath)) {
-        fs.mkdirSync(storePath, { recursive: true });
-        console.log(`Created certificate store directory: ${storePath}`);
-      }
-      
-      const certPath = path.join(storePath, `${domain}.cert.pem`);
-      const keyPath = path.join(storePath, `${domain}.key.pem`);
-      
-      // Write certificate and private key files
-      fs.writeFileSync(certPath, certificate);
-      fs.writeFileSync(keyPath, privateKey);
-      
-      // Set secure permissions for private key
-      try {
-        fs.chmodSync(keyPath, 0o600);
-      } catch (err) {
-        console.log(`Warning: Could not set secure permissions on ${keyPath}`);
-      }
-      
-      console.log(`Saved certificate for ${domain} to ${certPath}`);
-    } catch (err) {
-      console.error(`Error saving certificate for ${domain}:`, err);
-    }
-  }
 
-  /**
-   * Loads certificates from the certificate store
-   * @private
-   */
-  private loadCertificatesFromStore(): void {
-    if (!this.options.certificateStore) return;
-    
-    try {
-      const storePath = this.options.certificateStore;
-      
-      // Ensure the directory exists
-      if (!fs.existsSync(storePath)) {
-        fs.mkdirSync(storePath, { recursive: true });
-        console.log(`Created certificate store directory: ${storePath}`);
-        return;
-      }
-      
-      // Get list of certificate files
-      const files = fs.readdirSync(storePath);
-      const certFiles = files.filter(file => file.endsWith('.cert.pem'));
-      
-      // Load each certificate
-      for (const certFile of certFiles) {
-        const domain = certFile.replace('.cert.pem', '');
-        const keyFile = `${domain}.key.pem`;
-        
-        // Skip if key file doesn't exist
-        if (!files.includes(keyFile)) {
-          console.log(`Warning: Found certificate for ${domain} but no key file`);
-          continue;
-        }
-        
-        // Skip if we should skip configured certs
-        if (this.options.skipConfiguredCerts) {
-          const domainInfo = this.domainCertificates.get(domain);
-          if (domainInfo && domainInfo.certObtained) {
-            console.log(`Skipping already configured certificate for ${domain}`);
-            continue;
-          }
-        }
-        
-        // Load certificate and key
-        try {
-          const certificate = fs.readFileSync(path.join(storePath, certFile), 'utf8');
-          const privateKey = fs.readFileSync(path.join(storePath, keyFile), 'utf8');
-          
-          // Extract expiry date
-          let expiryDate: Date | undefined;
-          try {
-            const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
-            if (matches && matches[1]) {
-              expiryDate = new Date(matches[1]);
-            }
-          } catch (err) {
-            console.log(`Warning: Could not extract expiry date from certificate for ${domain}`);
-          }
-          
-          // Check if domain is already registered
-          let domainInfo = this.domainCertificates.get(domain);
-          if (!domainInfo) {
-            // Register domain if not already registered
-            domainInfo = {
-              options: {
-                domainName: domain,
-                sslRedirect: true,
-                acmeMaintenance: true
-              },
-              certObtained: false,
-              obtainingInProgress: false
-            };
-            this.domainCertificates.set(domain, domainInfo);
-          }
-          
-          // Set certificate
-          domainInfo.certificate = certificate;
-          domainInfo.privateKey = privateKey;
-          domainInfo.certObtained = true;
-          domainInfo.expiryDate = expiryDate;
-          
-          console.log(`Loaded certificate for ${domain} from store, valid until ${expiryDate?.toISOString() || 'unknown'}`);
-        } catch (err) {
-          console.error(`Error loading certificate for ${domain}:`, err);
-        }
-      }
-    } catch (err) {
-      console.error('Error loading certificates from store:', err);
-    }
-  }
 
   /**
    * Check if a domain is a glob pattern
@@ -579,38 +406,6 @@ export class Port80Handler extends plugins.EventEmitter {
     }
   }
 
-  /**
-   * Lazy initialization of the ACME client
-   * @returns An ACME client instance
-   */
-  private async getAcmeClient(): Promise<plugins.acme.Client> {
-    if (this.acmeClient) {
-      return this.acmeClient;
-    }
-    
-    try {
-      // Generate a new account key
-      this.accountKey = (await plugins.acme.forge.createPrivateKey()).toString();
-      
-      this.acmeClient = new plugins.acme.Client({
-        directoryUrl: this.options.useProduction 
-          ? plugins.acme.directory.letsencrypt.production 
-          : plugins.acme.directory.letsencrypt.staging,
-        accountKey: this.accountKey,
-      });
-      
-      // Create a new account
-      await this.acmeClient.createAccount({
-        termsOfServiceAgreed: true,
-        contact: [`mailto:${this.options.contactEmail}`],
-      });
-      
-      return this.acmeClient;
-    } catch (error) {
-      const message = error instanceof Error ? error.message : 'Unknown error initializing ACME client';
-      throw new Port80HandlerError(`Failed to initialize ACME client: ${message}`);
-    }
-  }
 
   /**
    * Handles incoming HTTP requests
@@ -640,19 +435,32 @@ export class Port80Handler extends plugins.EventEmitter {
     const { domainInfo, pattern } = domainMatch;
     const options = domainInfo.options;
 
-    // If the request is for an ACME HTTP-01 challenge, handle it
-    if (req.url && req.url.startsWith('/.well-known/acme-challenge/') && (options.acmeMaintenance || options.acmeForward)) {
-      // Check if we should forward ACME requests
+    // Handle ACME HTTP-01 challenge requests or forwarding
+    if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) {
+      // Forward ACME requests if configured
       if (options.acmeForward) {
         this.forwardRequest(req, res, options.acmeForward, 'ACME challenge');
         return;
       }
-      
-      // Only handle ACME challenges for non-glob patterns
-      if (!this.isGlobPattern(pattern)) {
-        this.handleAcmeChallenge(req, res, domain);
+      // If not managing ACME for this domain, return 404
+      if (!options.acmeMaintenance) {
+        res.statusCode = 404;
+        res.end('Not found');
         return;
       }
+      // Serve challenge response from in-memory storage
+      const token = req.url.split('/').pop() || '';
+      const keyAuth = this.acmeHttp01Storage.get(token);
+      if (keyAuth) {
+        res.statusCode = 200;
+        res.setHeader('Content-Type', 'text/plain');
+        res.end(keyAuth);
+        console.log(`Served ACME challenge response for ${domain}`);
+      } else {
+        res.statusCode = 404;
+        res.end('Challenge token not found');
+      }
+      return;
     }
 
     // Check if we should forward non-ACME requests
@@ -762,292 +570,71 @@ export class Port80Handler extends plugins.EventEmitter {
     }
   }
 
-  /**
-   * Serves the ACME HTTP-01 challenge response
-   * @param req The HTTP request
-   * @param res The HTTP response
-   * @param domain The domain for the challenge
-   */
-  private handleAcmeChallenge(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse, domain: string): void {
-    const domainInfo = this.domainCertificates.get(domain);
-    if (!domainInfo) {
-      res.statusCode = 404;
-      res.end('Domain not configured');
-      return;
-    }
-    
-    // The token is the last part of the URL
-    const urlParts = req.url?.split('/');
-    const token = urlParts ? urlParts[urlParts.length - 1] : '';
-    
-    if (domainInfo.challengeToken === token && domainInfo.challengeKeyAuthorization) {
-      res.statusCode = 200;
-      res.setHeader('Content-Type', 'text/plain');
-      res.end(domainInfo.challengeKeyAuthorization);
-      console.log(`Served ACME challenge response for ${domain}`);
-    } else {
-      res.statusCode = 404;
-      res.end('Challenge token not found');
-    }
-  }
 
   /**
    * Obtains a certificate for a domain using ACME HTTP-01 challenge
    * @param domain The domain to obtain a certificate for
    * @param isRenewal Whether this is a renewal attempt
    */
+  /**
+   * Obtains a certificate for a domain using SmartAcme HTTP-01 challenges
+   * @param domain The domain to obtain a certificate for
+   * @param isRenewal Whether this is a renewal attempt
+   */
   private async obtainCertificate(domain: string, isRenewal: boolean = false): Promise<void> {
-    // Don't allow certificate issuance for glob patterns
     if (this.isGlobPattern(domain)) {
       throw new CertificateError('Cannot obtain certificates for glob pattern domains', domain, isRenewal);
     }
-    
-    // Get the domain info
-    const domainInfo = this.domainCertificates.get(domain);
-    if (!domainInfo) {
-      throw new CertificateError('Domain not found', domain, isRenewal);
-    }
-    
-    // Verify that acmeMaintenance is enabled
+    const domainInfo = this.domainCertificates.get(domain)!;
     if (!domainInfo.options.acmeMaintenance) {
       console.log(`Skipping certificate issuance for ${domain} - acmeMaintenance is disabled`);
       return;
     }
-    
-    // Prevent concurrent certificate issuance
     if (domainInfo.obtainingInProgress) {
       console.log(`Certificate issuance already in progress for ${domain}`);
       return;
     }
-    
+    if (!this.smartAcme) {
+      throw new Port80HandlerError('SmartAcme is not initialized');
+    }
     domainInfo.obtainingInProgress = true;
     domainInfo.lastRenewalAttempt = new Date();
-    
     try {
-      const client = await this.getAcmeClient();
-
-      // Create a new order for the domain
-      const order = await client.createOrder({
-        identifiers: [{ type: 'dns', value: domain }],
-      });
-
-      // Get the authorizations for the order
-      const authorizations = await client.getAuthorizations(order);
-      
-      // Process each authorization
-      await this.processAuthorizations(client, domain, authorizations);
-
-      // Generate a CSR and private key
-      const [csrBuffer, privateKeyBuffer] = await plugins.acme.forge.createCsr({
-        commonName: domain,
-      });
-      
-      const csr = csrBuffer.toString();
-      const privateKey = privateKeyBuffer.toString();
-
-      // Finalize the order with our CSR
-      await client.finalizeOrder(order, csr);
-      
-      // Get the certificate with the full chain
-      const certificate = await client.getCertificate(order);
-
-      // Store the certificate and key
+      // Request certificate via SmartAcme
+      const certObj = await this.smartAcme.getCertificateForDomain(domain);
+      const certificate = certObj.publicKey;
+      const privateKey = certObj.privateKey;
+      const expiryDate = new Date(certObj.validUntil);
       domainInfo.certificate = certificate;
       domainInfo.privateKey = privateKey;
       domainInfo.certObtained = true;
-      
-      // Clear challenge data
-      delete domainInfo.challengeToken;
-      delete domainInfo.challengeKeyAuthorization;
-      
-      // Extract expiry date from certificate
-      domainInfo.expiryDate = this.extractExpiryDateFromCertificate(certificate, domain);
+      domainInfo.expiryDate = expiryDate;
 
       console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);
-      
-      // Save the certificate to the store if enabled
-      if (this.options.certificateStore) {
-        this.saveCertificateToStore(domain, certificate, privateKey);
-      }
-      
-      // Emit the appropriate event
-      const eventType = isRenewal 
-        ? Port80HandlerEvents.CERTIFICATE_RENEWED 
+      // Persistence moved to CertProvisioner
+      const eventType = isRenewal
+        ? Port80HandlerEvents.CERTIFICATE_RENEWED
         : Port80HandlerEvents.CERTIFICATE_ISSUED;
-      
       this.emitCertificateEvent(eventType, {
         domain,
         certificate,
         privateKey,
-        expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate()
+        expiryDate: expiryDate || this.getDefaultExpiryDate()
       });
-      
     } catch (error: any) {
-      // Check for rate limit errors
-      if (error.message && (
-        error.message.includes('rateLimited') || 
-        error.message.includes('too many certificates') || 
-        error.message.includes('rate limit')
-      )) {
-        console.error(`Rate limit reached for ${domain}. Waiting before retry.`);
-      } else {
-        console.error(`Error during certificate issuance for ${domain}:`, error);
-      }
-      
-      // Emit failure event
+      const errorMsg = error?.message || 'Unknown error';
+      console.error(`Error during certificate issuance for ${domain}:`, error);
       this.emit(Port80HandlerEvents.CERTIFICATE_FAILED, {
         domain,
-        error: error.message || 'Unknown error',
+        error: errorMsg,
         isRenewal
       } as ICertificateFailure);
-      
-      throw new CertificateError(
-        error.message || 'Certificate issuance failed',
-        domain,
-        isRenewal
-      );
+      throw new CertificateError(errorMsg, domain, isRenewal);
     } finally {
-      // Reset flag whether successful or not
       domainInfo.obtainingInProgress = false;
     }
   }
 
-  /**
-   * Process ACME authorizations by verifying and completing challenges
-   * @param client ACME client 
-   * @param domain Domain name
-   * @param authorizations Authorizations to process
-   */
-  private async processAuthorizations(
-    client: plugins.acme.Client,
-    domain: string,
-    authorizations: plugins.acme.Authorization[]
-  ): Promise<void> {
-    const domainInfo = this.domainCertificates.get(domain);
-    if (!domainInfo) {
-      throw new CertificateError('Domain not found during authorization', domain);
-    }
-    
-    for (const authz of authorizations) {
-      const challenge = authz.challenges.find(ch => ch.type === 'http-01');
-      if (!challenge) {
-        throw new CertificateError('HTTP-01 challenge not found', domain);
-      }
-      
-      // Get the key authorization for the challenge
-      const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
-      
-      // Store the challenge data
-      domainInfo.challengeToken = challenge.token;
-      domainInfo.challengeKeyAuthorization = keyAuthorization;
-
-      // ACME client type definition workaround - use compatible approach
-      // First check if challenge verification is needed
-      const authzUrl = authz.url;
-      
-      try {
-        // Check if authzUrl exists and perform verification
-        if (authzUrl) {
-          await client.verifyChallenge(authz, challenge);
-        }
-        
-        // Complete the challenge
-        await client.completeChallenge(challenge);
-        
-        // Wait for validation
-        await client.waitForValidStatus(challenge);
-        console.log(`HTTP-01 challenge completed for ${domain}`);
-      } catch (error) {
-        const errorMessage = error instanceof Error ? error.message : 'Unknown challenge error';
-        console.error(`Challenge error for ${domain}:`, error);
-        throw new CertificateError(`Challenge verification failed: ${errorMessage}`, domain);
-      }
-    }
-  }
-
-  /**
-   * Starts the certificate renewal timer
-   */
-  private startRenewalTimer(): void {
-    if (this.renewalTimer) {
-      clearInterval(this.renewalTimer);
-    }
-    
-    // Convert hours to milliseconds
-    const checkInterval = this.options.renewCheckIntervalHours * 60 * 60 * 1000;
-    
-    this.renewalTimer = setInterval(() => this.checkForRenewals(), checkInterval);
-    
-    // Prevent the timer from keeping the process alive
-    if (this.renewalTimer.unref) {
-      this.renewalTimer.unref();
-    }
-    
-    console.log(`Certificate renewal check scheduled every ${this.options.renewCheckIntervalHours} hours`);
-  }
-
-  /**
-   * Checks for certificates that need renewal
-   */
-  private checkForRenewals(): void {
-    if (this.isShuttingDown) {
-      return;
-    }
-    
-    // Skip renewal if auto-renewal is disabled
-    if (this.options.autoRenew === false) {
-      console.log('Auto-renewal is disabled, skipping certificate renewal check');
-      return;
-    }
-    
-    console.log('Checking for certificates that need renewal...');
-    
-    const now = new Date();
-    const renewThresholdMs = this.options.renewThresholdDays * 24 * 60 * 60 * 1000;
-    
-    for (const [domain, domainInfo] of this.domainCertificates.entries()) {
-      // Skip glob patterns
-      if (this.isGlobPattern(domain)) {
-        continue;
-      }
-      
-      // Skip domains with acmeMaintenance disabled
-      if (!domainInfo.options.acmeMaintenance) {
-        continue;
-      }
-      
-      // Skip domains without certificates or already in renewal
-      if (!domainInfo.certObtained || domainInfo.obtainingInProgress) {
-        continue;
-      }
-      
-      // Skip domains without expiry dates
-      if (!domainInfo.expiryDate) {
-        continue;
-      }
-      
-      const timeUntilExpiry = domainInfo.expiryDate.getTime() - now.getTime();
-      
-      // Check if certificate is near expiry
-      if (timeUntilExpiry <= renewThresholdMs) {
-        console.log(`Certificate for ${domain} expires soon, renewing...`);
-        
-        const daysRemaining = Math.ceil(timeUntilExpiry / (24 * 60 * 60 * 1000));
-        
-        this.emit(Port80HandlerEvents.CERTIFICATE_EXPIRING, {
-          domain,
-          expiryDate: domainInfo.expiryDate,
-          daysRemaining
-        } as ICertificateExpiring);
-        
-        // Start renewal process
-        this.obtainCertificate(domain, true).catch(err => {
-          const errorMessage = err instanceof Error ? err.message : 'Unknown error';
-          console.error(`Error renewing certificate for ${domain}:`, errorMessage);
-        });
-      }
-    }
-  }
   
   /**
    * Extract expiry date from certificate using a more robust approach
@@ -1173,7 +760,19 @@ export class Port80Handler extends plugins.EventEmitter {
    * Gets configuration details
    * @returns Current configuration
    */
-  public getConfig(): Required<IPort80HandlerOptions> {
+  public getConfig(): Required<IAcmeOptions> {
     return { ...this.options };
   }
+  
+  /**
+   * Request a certificate renewal for a specific domain.
+   * @param domain The domain to renew.
+   */
+  public async renewCertificate(domain: string): Promise<void> {
+    if (!this.domainCertificates.has(domain)) {
+      throw new Port80HandlerError(`Domain not managed: ${domain}`);
+    }
+    // Trigger renewal via ACME
+    await this.obtainCertificate(domain, true);
+  }
 }