npm - odac - Versions diffs - 0.9.0 - Mend

odac 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (213) hide show

package/.editorconfig +21 -0
package/.github/workflows/auto-pr-description.yml +49 -0
package/.github/workflows/release.yml +32 -0
package/.github/workflows/test-coverage.yml +58 -0
package/.husky/pre-commit +2 -0
package/.kiro/steering/code-style.md +56 -0
package/.kiro/steering/product.md +20 -0
package/.kiro/steering/structure.md +77 -0
package/.kiro/steering/tech.md +87 -0
package/.prettierrc +10 -0
package/.releaserc.js +134 -0
package/AGENTS.md +84 -0
package/CHANGELOG.md +181 -0
package/CODE_OF_CONDUCT.md +83 -0
package/CONTRIBUTING.md +63 -0
package/LICENSE +661 -0
package/README.md +57 -0
package/SECURITY.md +26 -0
package/bin/candy +10 -0
package/bin/candypack +10 -0
package/cli/index.js +3 -0
package/cli/src/Cli.js +348 -0
package/cli/src/Connector.js +93 -0
package/cli/src/Monitor.js +416 -0
package/core/Candy.js +87 -0
package/core/Commands.js +239 -0
package/core/Config.js +1094 -0
package/core/Lang.js +52 -0
package/core/Log.js +43 -0
package/core/Process.js +26 -0
package/docs/backend/01-overview/01-whats-in-the-candy-box.md +9 -0
package/docs/backend/01-overview/02-super-handy-helper-functions.md +9 -0
package/docs/backend/01-overview/03-development-server.md +79 -0
package/docs/backend/02-structure/01-typical-project-layout.md +39 -0
package/docs/backend/03-config/00-configuration-overview.md +214 -0
package/docs/backend/03-config/01-database-connection.md +60 -0
package/docs/backend/03-config/02-static-route-mapping-optional.md +20 -0
package/docs/backend/03-config/03-request-timeout.md +11 -0
package/docs/backend/03-config/04-environment-variables.md +227 -0
package/docs/backend/03-config/05-early-hints.md +352 -0
package/docs/backend/04-routing/01-basic-page-routes.md +28 -0
package/docs/backend/04-routing/02-controller-less-view-routes.md +43 -0
package/docs/backend/04-routing/03-api-and-data-routes.md +20 -0
package/docs/backend/04-routing/04-authentication-aware-routes.md +48 -0
package/docs/backend/04-routing/05-advanced-routing.md +14 -0
package/docs/backend/04-routing/06-error-pages.md +101 -0
package/docs/backend/04-routing/07-cron-jobs.md +149 -0
package/docs/backend/05-controllers/01-how-to-build-a-controller.md +17 -0
package/docs/backend/05-controllers/02-your-trusty-candy-assistant.md +20 -0
package/docs/backend/05-controllers/03-controller-classes.md +93 -0
package/docs/backend/05-forms/01-custom-forms.md +395 -0
package/docs/backend/05-forms/02-automatic-database-insert.md +297 -0
package/docs/backend/06-request-and-response/01-the-request-object-what-is-the-user-asking-for.md +96 -0
package/docs/backend/06-request-and-response/02-sending-a-response-replying-to-the-user.md +40 -0
package/docs/backend/07-views/01-the-view-directory.md +73 -0
package/docs/backend/07-views/02-rendering-a-view.md +179 -0
package/docs/backend/07-views/03-template-syntax.md +181 -0
package/docs/backend/07-views/03-variables.md +328 -0
package/docs/backend/07-views/04-request-data.md +231 -0
package/docs/backend/07-views/05-conditionals.md +290 -0
package/docs/backend/07-views/06-loops.md +353 -0
package/docs/backend/07-views/07-translations.md +358 -0
package/docs/backend/07-views/08-backend-javascript.md +398 -0
package/docs/backend/07-views/09-comments.md +297 -0
package/docs/backend/08-database/01-database-connection.md +99 -0
package/docs/backend/08-database/02-using-mysql.md +322 -0
package/docs/backend/09-validation/01-the-validator-service.md +424 -0
package/docs/backend/10-authentication/01-user-logins-with-authjs.md +53 -0
package/docs/backend/10-authentication/02-foiling-villains-with-csrf-protection.md +55 -0
package/docs/backend/10-authentication/03-register.md +134 -0
package/docs/backend/10-authentication/04-candy-register-forms.md +676 -0
package/docs/backend/10-authentication/05-session-management.md +159 -0
package/docs/backend/10-authentication/06-candy-login-forms.md +596 -0
package/docs/backend/11-mail/01-the-mail-service.md +42 -0
package/docs/backend/12-streaming/01-streaming-overview.md +300 -0
package/docs/backend/13-utilities/01-candy-var.md +504 -0
package/docs/frontend/01-overview/01-introduction.md +146 -0
package/docs/frontend/02-ajax-navigation/01-quick-start.md +608 -0
package/docs/frontend/02-ajax-navigation/02-configuration.md +370 -0
package/docs/frontend/02-ajax-navigation/03-advanced-usage.md +519 -0
package/docs/frontend/03-forms/01-form-handling.md +420 -0
package/docs/frontend/04-api-requests/01-get-post.md +443 -0
package/docs/frontend/05-streaming/01-client-streaming.md +163 -0
package/docs/index.json +452 -0
package/docs/server/01-installation/01-quick-install.md +19 -0
package/docs/server/01-installation/02-manual-installation-via-npm.md +9 -0
package/docs/server/02-get-started/01-core-concepts.md +7 -0
package/docs/server/02-get-started/02-basic-commands.md +57 -0
package/docs/server/02-get-started/03-cli-reference.md +276 -0
package/docs/server/02-get-started/04-cli-quick-reference.md +102 -0
package/docs/server/03-service/01-start-a-new-service.md +57 -0
package/docs/server/03-service/02-delete-a-service.md +48 -0
package/docs/server/04-web/01-create-a-website.md +36 -0
package/docs/server/04-web/02-list-websites.md +9 -0
package/docs/server/04-web/03-delete-a-website.md +29 -0
package/docs/server/05-subdomain/01-create-a-subdomain.md +32 -0
package/docs/server/05-subdomain/02-list-subdomains.md +33 -0
package/docs/server/05-subdomain/03-delete-a-subdomain.md +41 -0
package/docs/server/06-ssl/01-renew-an-ssl-certificate.md +34 -0
package/docs/server/07-mail/01-create-a-mail-account.md +23 -0
package/docs/server/07-mail/02-delete-a-mail-account.md +20 -0
package/docs/server/07-mail/03-list-mail-accounts.md +20 -0
package/docs/server/07-mail/04-change-account-password.md +23 -0
package/eslint.config.mjs +120 -0
package/framework/index.js +4 -0
package/framework/src/Auth.js +309 -0
package/framework/src/Candy.js +81 -0
package/framework/src/Config.js +79 -0
package/framework/src/Env.js +60 -0
package/framework/src/Lang.js +57 -0
package/framework/src/Mail.js +83 -0
package/framework/src/Mysql.js +575 -0
package/framework/src/Request.js +301 -0
package/framework/src/Route/Cron.js +128 -0
package/framework/src/Route/Internal.js +439 -0
package/framework/src/Route.js +455 -0
package/framework/src/Server.js +15 -0
package/framework/src/Stream.js +163 -0
package/framework/src/Token.js +37 -0
package/framework/src/Validator.js +271 -0
package/framework/src/Var.js +211 -0
package/framework/src/View/EarlyHints.js +190 -0
package/framework/src/View/Form.js +600 -0
package/framework/src/View.js +513 -0
package/framework/web/candy.js +838 -0
package/jest.config.js +22 -0
package/locale/de-DE.json +80 -0
package/locale/en-US.json +79 -0
package/locale/es-ES.json +80 -0
package/locale/fr-FR.json +80 -0
package/locale/pt-BR.json +80 -0
package/locale/ru-RU.json +80 -0
package/locale/tr-TR.json +85 -0
package/locale/zh-CN.json +80 -0
package/package.json +86 -0
package/server/index.js +5 -0
package/server/src/Api.js +88 -0
package/server/src/DNS.js +940 -0
package/server/src/Hub.js +535 -0
package/server/src/Mail.js +571 -0
package/server/src/SSL.js +180 -0
package/server/src/Server.js +27 -0
package/server/src/Service.js +248 -0
package/server/src/Subdomain.js +64 -0
package/server/src/Web/Firewall.js +170 -0
package/server/src/Web/Proxy.js +134 -0
package/server/src/Web.js +451 -0
package/server/src/mail/imap.js +1091 -0
package/server/src/mail/server.js +32 -0
package/server/src/mail/smtp.js +786 -0
package/test/cli/Cli.test.js +36 -0
package/test/core/Candy.test.js +234 -0
package/test/core/Commands.test.js +538 -0
package/test/core/Config.test.js +1435 -0
package/test/core/Lang.test.js +250 -0
package/test/core/Process.test.js +156 -0
package/test/framework/Route.test.js +239 -0
package/test/framework/View/EarlyHints.test.js +282 -0
package/test/scripts/check-coverage.js +132 -0
package/test/server/Api.test.js +647 -0
package/test/server/Client.test.js +338 -0
package/test/server/DNS.test.js +2050 -0
package/test/server/DNS.test.js.bak +2084 -0
package/test/server/Log.test.js +73 -0
package/test/server/Mail.account.test_.js +460 -0
package/test/server/Mail.init.test_.js +411 -0
package/test/server/Mail.test_.js +1340 -0
package/test/server/SSL.test_.js +1491 -0
package/test/server/Server.test.js +765 -0
package/test/server/Service.test_.js +1127 -0
package/test/server/Subdomain.test.js +440 -0
package/test/server/Web/Firewall.test.js +175 -0
package/test/server/Web.test_.js +1562 -0
package/test/server/__mocks__/acme-client.js +17 -0
package/test/server/__mocks__/bcrypt.js +50 -0
package/test/server/__mocks__/child_process.js +389 -0
package/test/server/__mocks__/crypto.js +432 -0
package/test/server/__mocks__/fs.js +450 -0
package/test/server/__mocks__/globalCandy.js +227 -0
package/test/server/__mocks__/http-proxy.js +105 -0
package/test/server/__mocks__/http.js +575 -0
package/test/server/__mocks__/https.js +272 -0
package/test/server/__mocks__/index.js +249 -0
package/test/server/__mocks__/mail/server.js +100 -0
package/test/server/__mocks__/mail/smtp.js +31 -0
package/test/server/__mocks__/mailparser.js +81 -0
package/test/server/__mocks__/net.js +369 -0
package/test/server/__mocks__/node-forge.js +328 -0
package/test/server/__mocks__/os.js +320 -0
package/test/server/__mocks__/path.js +291 -0
package/test/server/__mocks__/selfsigned.js +8 -0
package/test/server/__mocks__/server/src/mail/server.js +100 -0
package/test/server/__mocks__/server/src/mail/smtp.js +31 -0
package/test/server/__mocks__/smtp-server.js +106 -0
package/test/server/__mocks__/sqlite3.js +394 -0
package/test/server/__mocks__/testFactories.js +299 -0
package/test/server/__mocks__/testHelpers.js +363 -0
package/test/server/__mocks__/tls.js +229 -0
package/watchdog/index.js +3 -0
package/watchdog/src/Watchdog.js +156 -0
package/web/config.json +5 -0
package/web/controller/page/about.js +27 -0
package/web/controller/page/index.js +34 -0
package/web/package.json +18 -0
package/web/public/assets/css/style.css +1835 -0
package/web/public/assets/js/app.js +96 -0
package/web/route/www.js +19 -0
package/web/skeleton/main.html +22 -0
package/web/view/content/about.html +65 -0
package/web/view/content/home.html +205 -0
package/web/view/footer/main.html +11 -0
package/web/view/head/main.html +5 -0
package/web/view/header/main.html +14 -0

package/test/server/SSL.test_.js ADDED Viewed

@@ -0,0 +1,1491 @@
+const fs = require('fs')
+const os = require('os')
+const acme = require('acme-client')
+const selfsigned = require('selfsigned')
+// Import test utilities
+const {setupGlobalMocks, cleanupGlobalMocks} = require('./__mocks__/testHelpers')
+const {createMockWebsiteConfig} = require('./__mocks__/testFactories')
+const {mockCandy} = require('./__mocks__/globalCandy')
+// Mock all dependencies
+jest.mock('fs')
+jest.mock('os')
+jest.mock('acme-client')
+jest.mock('selfsigned')
+describe('SSL', () => {
+  let SSL
+  let mockConfig
+  let mockLog
+  let mockDNS
+  beforeEach(() => {
+    // Reset all mocks
+    jest.clearAllMocks()
+    // Set up global mocks
+    setupGlobalMocks()
+    // Mock the __ function to return formatted strings
+    global.__ = jest.fn((key, ...args) => {
+      // Simple string formatting for test purposes
+      let result = key
+      args.forEach((arg, index) => {
+        result = result.replace('%s', arg)
+      })
+      return result
+    })
+    // Get mock instances from global Candy
+    mockConfig = mockCandy.core('Config')
+    mockLog = mockCandy.server('Log').init('SSL')
+    mockDNS = mockCandy.server('DNS')
+    // Set up DNS mock methods
+    mockDNS.record = jest.fn()
+    mockDNS.delete = jest.fn()
+    // Mock os.homedir
+    os.homedir.mockReturnValue('/home/test')
+    // Mock fs methods
+    fs.existsSync.mockReturnValue(true)
+    fs.mkdirSync.mockImplementation(() => {})
+    fs.writeFileSync.mockImplementation(() => {})
+    // Import SSL module after mocks are set up
+    // Clear the require cache to get a fresh instance
+    delete require.cache[require.resolve('../../server/src/SSL.js')]
+    SSL = require('../../server/src/SSL.js')
+  })
+  afterEach(() => {
+    cleanupGlobalMocks()
+  })
+  describe('initialization', () => {
+    it('should initialize SSL module correctly', () => {
+      expect(SSL).toBeDefined()
+      expect(typeof SSL.check).toBe('function')
+      expect(typeof SSL.renew).toBe('function')
+    })
+  })
+  describe('certificate checking and renewal logic', () => {
+    describe('check method', () => {
+      it('should skip checking if already checking', async () => {
+        // Set up a website config to trigger SSL generation
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null // Force self-signed generation
+        // Start first check (will set checking flag)
+        const checkPromise1 = SSL.check()
+        // Start second check immediately (should be skipped due to checking flag)
+        const checkPromise2 = SSL.check()
+        await Promise.all([checkPromise1, checkPromise2])
+        // Self-signed certificate should only be generated once
+        expect(selfsigned.generate).toHaveBeenCalledTimes(1)
+      })
+      describe('certificate expiration date validation', () => {
+        it('should validate certificate expiry dates correctly', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          mockWebsite.cert.ssl.expiry = Date.now() + 1000 * 60 * 60 * 24 * 60 // 60 days (valid)
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          await SSL.check()
+          // Should not trigger renewal for valid certificate
+          expect(acme.forge.createPrivateKey).not.toHaveBeenCalled()
+        })
+        it('should trigger renewal for certificates expiring within 30 days', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          mockWebsite.cert.ssl.expiry = Date.now() + 1000 * 60 * 60 * 24 * 15 // 15 days (needs renewal)
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          await SSL.check()
+          // Should trigger renewal for certificate expiring soon
+          expect(acme.forge.createPrivateKey).toHaveBeenCalled()
+        })
+        it('should trigger renewal for expired certificates', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          mockWebsite.cert.ssl.expiry = Date.now() - 1000 * 60 * 60 * 24 // Expired yesterday
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          await SSL.check()
+          // Should trigger renewal for expired certificate
+          expect(acme.forge.createPrivateKey).toHaveBeenCalled()
+        })
+      })
+      describe('certificate file existence checking', () => {
+        it('should trigger renewal when certificate configuration is missing', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          mockWebsite.cert.ssl = null // No SSL configuration
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          await SSL.check()
+          // Should trigger renewal when SSL configuration is missing
+          expect(acme.forge.createPrivateKey).toHaveBeenCalled()
+        })
+        it('should skip renewal when certificate files exist and are valid', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          mockWebsite.cert.ssl.expiry = Date.now() + 1000 * 60 * 60 * 24 * 60 // Valid expiry
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          // Mock file existence check to return true
+          fs.existsSync.mockReturnValue(true)
+          await SSL.check()
+          // Should not trigger renewal when files exist and certificate is valid
+          expect(acme.forge.createPrivateKey).not.toHaveBeenCalled()
+        })
+        it('should validate self-signed certificate file existence', async () => {
+          mockConfig.config.websites = {
+            'example.com': createMockWebsiteConfig('example.com')
+          }
+          mockConfig.config.ssl = {
+            key: '/home/test/.candypack/cert/ssl/candypack.key',
+            cert: '/home/test/.candypack/cert/ssl/candypack.crt',
+            expiry: Date.now() + 86400000 // Valid
+          }
+          // Mock self-signed certificate files as missing
+          fs.existsSync.mockImplementation(path => {
+            if (path.includes('candypack.key') || path.includes('candypack.crt')) {
+              return false
+            }
+            return true
+          })
+          await SSL.check()
+          // Should regenerate self-signed certificate when files are missing
+          expect(selfsigned.generate).toHaveBeenCalled()
+        })
+      })
+      describe('automatic renewal triggers', () => {
+        it('should automatically trigger renewal for certificates near expiry', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          // Set expiry to exactly 29 days from now (within threshold)
+          mockWebsite.cert.ssl.expiry = Date.now() + 1000 * 60 * 60 * 24 * 29
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          await SSL.check()
+          // Should trigger renewal when less than 30 days remain
+          expect(acme.forge.createPrivateKey).toHaveBeenCalled()
+        })
+        it('should not trigger renewal for certificates with more than 30 days validity', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          // Set expiry to 31 days from now (just over threshold)
+          mockWebsite.cert.ssl.expiry = Date.now() + 1000 * 60 * 60 * 24 * 31
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          await SSL.check()
+          // Should not trigger renewal when certificate has more than 30 days
+          expect(acme.forge.createPrivateKey).not.toHaveBeenCalled()
+        })
+        it('should handle missing SSL configuration gracefully', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          mockWebsite.cert.ssl = null // No SSL config
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          await SSL.check()
+          // Should trigger renewal when SSL config is missing
+          expect(acme.forge.createPrivateKey).toHaveBeenCalled()
+        })
+      })
+      it('should skip checking if no websites configured', async () => {
+        mockConfig.config.websites = null
+        await SSL.check()
+        // Should not attempt to generate certificates for domains
+        expect(acme.forge.createPrivateKey).not.toHaveBeenCalled()
+      })
+      it('should generate self-signed certificate if missing', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockReturnValue(false)
+        await SSL.check()
+        expect(selfsigned.generate).toHaveBeenCalledWith([{name: 'commonName', value: 'CandyPack'}], {days: 365, keySize: 2048})
+        expect(fs.mkdirSync).toHaveBeenCalledWith('/home/test/.candypack/cert/ssl', {recursive: true})
+        expect(fs.writeFileSync).toHaveBeenCalledTimes(2)
+      })
+      it('should skip self-signed generation if valid certificate exists', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = {
+          key: '/path/to/key',
+          cert: '/path/to/cert',
+          expiry: Date.now() + 86400000
+        }
+        await SSL.check()
+        expect(selfsigned.generate).not.toHaveBeenCalled()
+      })
+      it('should check SSL certificates for all domains', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert = false // Skip SSL for this domain
+        const testWebsite = createMockWebsiteConfig('test.com')
+        testWebsite.cert.ssl = null // Force renewal for test.com
+        mockConfig.config.websites = {
+          'example.com': mockWebsite,
+          'test.com': testWebsite
+        }
+        await SSL.check()
+        // Should process test.com but skip example.com
+        expect(acme.forge.createPrivateKey).toHaveBeenCalled()
+      })
+      it('should renew certificates near expiry', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert = {
+          ssl: {
+            key: '/path/to/key',
+            cert: '/path/to/cert',
+            expiry: Date.now() + 1000 * 60 * 60 * 24 * 15 // 15 days (less than 30 day threshold)
+          }
+        }
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.forge.createPrivateKey).toHaveBeenCalled()
+        expect(acme.Client).toHaveBeenCalled()
+      })
+      it('should skip renewal for valid certificates', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert = {
+          ssl: {
+            key: '/path/to/key',
+            cert: '/path/to/cert',
+            expiry: Date.now() + 1000 * 60 * 60 * 24 * 60 // 60 days (more than 30 day threshold)
+          }
+        }
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.forge.createPrivateKey).not.toHaveBeenCalled()
+      })
+    })
+    describe('renew method', () => {
+      beforeEach(() => {
+        // Set up the API mock to return proper result format
+        const mockApi = mockCandy.server('Api')
+        mockApi.result = jest.fn((success, message) => ({success, data: message}))
+      })
+      it('should reject renewal for IP addresses', () => {
+        const result = SSL.renew('192.168.1.1')
+        expect(result.success).toBe(false)
+        expect(result.data).toContain('SSL renewal is not available for IP addresses')
+      })
+      it('should return error for non-existent domain', () => {
+        mockConfig.config.websites = {}
+        const result = SSL.renew('nonexistent.com')
+        expect(result.success).toBe(false)
+        expect(result.data).toBe('Domain nonexistent.com not found.')
+      })
+      it('should find domain by subdomain', () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.subdomain = ['www', 'api']
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        const result = SSL.renew('www.example.com')
+        expect(result.success).toBe(true)
+        expect(result.data).toBe('SSL certificate for domain example.com renewed successfully.')
+      })
+      it('should successfully renew existing domain', () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        const result = SSL.renew('example.com')
+        expect(result.success).toBe(true)
+        expect(result.data).toBe('SSL certificate for domain example.com renewed successfully.')
+      })
+    })
+  })
+  describe('ACME protocol integration and challenge handling', () => {
+    let mockClient
+    beforeEach(() => {
+      mockClient = {
+        auto: jest.fn().mockResolvedValue('mock-certificate')
+      }
+      acme.Client.mockImplementation(() => mockClient)
+    })
+    describe('ACME client initialization and account creation', () => {
+      it('should create ACME client with correct configuration', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        // Remove SSL cert to trigger renewal
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.forge.createPrivateKey).toHaveBeenCalled()
+        expect(acme.Client).toHaveBeenCalledWith({
+          directoryUrl: acme.directory.letsencrypt.production,
+          accountKey: 'mock-private-key'
+        })
+      })
+      it('should create private key for ACME account', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.forge.createPrivateKey).toHaveBeenCalledWith()
+      })
+      it("should use Let's Encrypt production directory URL", async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.Client).toHaveBeenCalledWith({
+          directoryUrl: acme.directory.letsencrypt.production,
+          accountKey: 'mock-private-key'
+        })
+      })
+      it('should create CSR with domain and subdomains', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.subdomain = ['www', 'api']
+        // Remove SSL cert to trigger renewal
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.forge.createCsr).toHaveBeenCalledWith({
+          commonName: 'example.com',
+          altNames: ['example.com', 'www.example.com', 'api.example.com']
+        })
+      })
+      it('should handle domains without subdomains in CSR', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.subdomain = [] // No subdomains
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.forge.createCsr).toHaveBeenCalledWith({
+          commonName: 'example.com',
+          altNames: ['example.com']
+        })
+      })
+      it('should handle undefined subdomains in CSR', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        delete mockWebsite.subdomain // Undefined subdomains
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.forge.createCsr).toHaveBeenCalledWith({
+          commonName: 'example.com',
+          altNames: ['example.com']
+        })
+      })
+    })
+    describe('DNS-01 challenge creation and DNS record management', () => {
+      it('should create DNS challenge records with correct parameters', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        // Remove SSL cert to trigger renewal
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to call challengeCreateFn
+        mockClient.auto.mockImplementation(async options => {
+          const authz = {identifier: {value: 'example.com'}}
+          const challenge = {type: 'dns-01'}
+          const keyAuthorization = 'mock-key-auth'
+          await options.challengeCreateFn(authz, challenge, keyAuthorization)
+          return 'mock-certificate'
+        })
+        await SSL.check()
+        expect(mockDNS.record).toHaveBeenCalledWith({
+          name: '_acme-challenge.example.com',
+          type: 'TXT',
+          value: 'mock-key-auth',
+          ttl: 100,
+          unique: true
+        })
+      })
+      it('should create DNS challenge records for subdomains', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.subdomain = ['www']
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to call challengeCreateFn for subdomain
+        mockClient.auto.mockImplementation(async options => {
+          const authz = {identifier: {value: 'www.example.com'}}
+          const challenge = {type: 'dns-01'}
+          const keyAuthorization = 'subdomain-key-auth'
+          await options.challengeCreateFn(authz, challenge, keyAuthorization)
+          return 'mock-certificate'
+        })
+        await SSL.check()
+        expect(mockDNS.record).toHaveBeenCalledWith({
+          name: '_acme-challenge.www.example.com',
+          type: 'TXT',
+          value: 'subdomain-key-auth',
+          ttl: 100,
+          unique: true
+        })
+      })
+      it('should handle non-DNS challenge types gracefully', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to call challengeCreateFn with http-01 challenge
+        mockClient.auto.mockImplementation(async options => {
+          const authz = {identifier: {value: 'example.com'}}
+          const challenge = {type: 'http-01'}
+          const keyAuthorization = 'http-key-auth'
+          await options.challengeCreateFn(authz, challenge, keyAuthorization)
+          return 'mock-certificate'
+        })
+        await SSL.check()
+        // Should not create DNS record for non-DNS challenges
+        expect(mockDNS.record).not.toHaveBeenCalled()
+      })
+      it('should remove DNS challenge records after validation', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null // Force renewal
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to call challengeRemoveFn
+        mockClient.auto.mockImplementation(async options => {
+          const authz = {identifier: {value: 'example.com'}}
+          const challenge = {type: 'dns-01'}
+          const keyAuthorization = 'mock-key-auth'
+          await options.challengeRemoveFn(authz, challenge, keyAuthorization)
+          return 'mock-certificate'
+        })
+        await SSL.check()
+        expect(mockDNS.delete).toHaveBeenCalledWith({
+          name: '_acme-challenge.example.com',
+          type: 'TXT',
+          value: 'mock-key-auth'
+        })
+      })
+      it('should remove DNS challenge records for subdomains', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to call challengeRemoveFn for subdomain
+        mockClient.auto.mockImplementation(async options => {
+          const authz = {identifier: {value: 'api.example.com'}}
+          const challenge = {type: 'dns-01'}
+          const keyAuthorization = 'api-key-auth'
+          await options.challengeRemoveFn(authz, challenge, keyAuthorization)
+          return 'mock-certificate'
+        })
+        await SSL.check()
+        expect(mockDNS.delete).toHaveBeenCalledWith({
+          name: '_acme-challenge.api.example.com',
+          type: 'TXT',
+          value: 'api-key-auth'
+        })
+      })
+      it('should handle non-DNS challenge removal gracefully', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to call challengeRemoveFn with http-01 challenge
+        mockClient.auto.mockImplementation(async options => {
+          const authz = {identifier: {value: 'example.com'}}
+          const challenge = {type: 'http-01'}
+          const keyAuthorization = 'http-key-auth'
+          await options.challengeRemoveFn(authz, challenge, keyAuthorization)
+          return 'mock-certificate'
+        })
+        await SSL.check()
+        // Should not attempt to delete DNS record for non-DNS challenges
+        expect(mockDNS.delete).not.toHaveBeenCalled()
+      })
+      it('should handle challenge key authorization correctly', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to call challengeKeyAuthorizationFn
+        mockClient.auto.mockImplementation(async options => {
+          const challenge = {type: 'dns-01'}
+          const keyAuthorization = 'mock-key-auth'
+          const result = await options.challengeKeyAuthorizationFn(challenge, keyAuthorization)
+          expect(result).toBe('mock-key-auth')
+          return 'mock-certificate'
+        })
+        await SSL.check()
+      })
+      it('should handle challenge timeout gracefully', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null // Force renewal
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to call challengeTimeoutFn
+        mockClient.auto.mockImplementation(async options => {
+          await options.challengeTimeoutFn()
+          return 'mock-certificate'
+        })
+        await SSL.check()
+        expect(mockClient.auto).toHaveBeenCalled()
+      })
+      it('should use dns-01 as challenge priority', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(mockClient.auto).toHaveBeenCalledWith(
+          expect.objectContaining({
+            challengePriority: ['dns-01']
+          })
+        )
+      })
+    })
+    describe('certificate signing request (CSR) generation and processing', () => {
+      it('should generate CSR with correct parameters', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.subdomain = [] // No subdomains for this test
+        mockWebsite.cert.ssl = null // Force renewal
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.forge.createCsr).toHaveBeenCalledWith({
+          commonName: 'example.com',
+          altNames: ['example.com']
+        })
+      })
+      it('should generate CSR with multiple domains including subdomains', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.subdomain = ['www', 'api', 'mail']
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(acme.forge.createCsr).toHaveBeenCalledWith({
+          commonName: 'example.com',
+          altNames: ['example.com', 'www.example.com', 'api.example.com', 'mail.example.com']
+        })
+      })
+      it('should process CSR with ACME client auto method', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null // Force renewal
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(mockClient.auto).toHaveBeenCalledWith({
+          csr: 'mock-csr',
+          termsOfServiceAgreed: true,
+          challengePriority: ['dns-01'],
+          challengeCreateFn: expect.any(Function),
+          challengeRemoveFn: expect.any(Function),
+          challengeKeyAuthorizationFn: expect.any(Function),
+          challengeTimeoutFn: expect.any(Function)
+        })
+      })
+      it('should agree to terms of service automatically', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(mockClient.auto).toHaveBeenCalledWith(
+          expect.objectContaining({
+            termsOfServiceAgreed: true
+          })
+        )
+      })
+      it('should store certificate files after successful generation', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null // Force renewal
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockImplementation(path => {
+          if (path.includes('.candypack/cert/ssl')) {
+            return false
+          }
+          return true
+        })
+        await SSL.check()
+        expect(fs.mkdirSync).toHaveBeenCalledWith('/home/test/.candypack/cert/ssl', {recursive: true})
+        expect(fs.writeFileSync).toHaveBeenCalledWith('/home/test/.candypack/cert/ssl/example.com.key', 'mock-key')
+        expect(fs.writeFileSync).toHaveBeenCalledWith('/home/test/.candypack/cert/ssl/example.com.crt', 'mock-certificate')
+      })
+      it('should not create directory if it already exists', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock directory exists
+        fs.existsSync.mockReturnValue(true)
+        await SSL.check()
+        expect(fs.mkdirSync).not.toHaveBeenCalled()
+        expect(fs.writeFileSync).toHaveBeenCalledWith('/home/test/.candypack/cert/ssl/example.com.key', 'mock-key')
+        expect(fs.writeFileSync).toHaveBeenCalledWith('/home/test/.candypack/cert/ssl/example.com.crt', 'mock-certificate')
+      })
+      it('should update website configuration with new certificate', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null // Force renewal
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        await SSL.check()
+        expect(mockWebsite.cert.ssl).toEqual({
+          key: '/home/test/.candypack/cert/ssl/example.com.key',
+          cert: '/home/test/.candypack/cert/ssl/example.com.crt',
+          expiry: expect.any(Number)
+        })
+      })
+      it('should set certificate expiry to 90 days from now', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        const beforeTime = Date.now()
+        await SSL.check()
+        const afterTime = Date.now()
+        const expectedExpiry = 1000 * 60 * 60 * 24 * 30 * 3 // 90 days
+        expect(mockWebsite.cert.ssl.expiry).toBeGreaterThanOrEqual(beforeTime + expectedExpiry - 1000)
+        expect(mockWebsite.cert.ssl.expiry).toBeLessThanOrEqual(afterTime + expectedExpiry + 1000)
+      })
+      describe('configuration updates after renewal', () => {
+        it('should update website configuration with new certificate paths', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          mockWebsite.cert.ssl = null // Force renewal
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          await SSL.check()
+          expect(mockWebsite.cert.ssl).toEqual({
+            key: '/home/test/.candypack/cert/ssl/example.com.key',
+            cert: '/home/test/.candypack/cert/ssl/example.com.crt',
+            expiry: expect.any(Number)
+          })
+          expect(mockConfig.config.websites['example.com']).toBe(mockWebsite)
+        })
+        it('should save configuration after certificate renewal', async () => {
+          const mockWebsite = createMockWebsiteConfig('example.com')
+          mockWebsite.cert.ssl = null
+          mockConfig.config.websites = {
+            'example.com': mockWebsite
+          }
+          await SSL.check()
+          // Configuration should be updated with new certificate info
+          expect(mockConfig.config.websites['example.com'].cert.ssl).toBeDefined()
+          expect(mockConfig.config.websites['example.com'].cert.ssl.key).toBe('/home/test/.candypack/cert/ssl/example.com.key')
+          expect(mockConfig.config.websites['example.com'].cert.ssl.cert).toBe('/home/test/.candypack/cert/ssl/example.com.crt')
+        })
+      })
+    })
+    describe('challenge cleanup and DNS record removal', () => {
+      it('should clean up DNS records after successful challenge', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null // Force renewal
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to simulate successful challenge completion
+        mockClient.auto.mockImplementation(async options => {
+          // Simulate challenge creation
+          const authz = {identifier: {value: 'example.com'}}
+          const challenge = {type: 'dns-01'}
+          const keyAuthorization = 'test-key-auth'
+          await options.challengeCreateFn(authz, challenge, keyAuthorization)
+          await options.challengeRemoveFn(authz, challenge, keyAuthorization)
+          return 'mock-certificate'
+        })
+        await SSL.check()
+        expect(mockDNS.record).toHaveBeenCalledWith({
+          name: '_acme-challenge.example.com',
+          type: 'TXT',
+          value: 'test-key-auth',
+          ttl: 100,
+          unique: true
+        })
+        expect(mockDNS.delete).toHaveBeenCalledWith({
+          name: '_acme-challenge.example.com',
+          type: 'TXT',
+          value: 'test-key-auth'
+        })
+      })
+      it('should clean up DNS records for all subdomains', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.subdomain = ['www', 'api']
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Mock the auto method to simulate challenges for multiple domains
+        mockClient.auto.mockImplementation(async options => {
+          const domains = ['example.com', 'www.example.com', 'api.example.com']
+          for (const domain of domains) {
+            const authz = {identifier: {value: domain}}
+            const challenge = {type: 'dns-01'}
+            const keyAuthorization = `${domain}-key-auth`
+            await options.challengeCreateFn(authz, challenge, keyAuthorization)
+            await options.challengeRemoveFn(authz, challenge, keyAuthorization)
+          }
+          return 'mock-certificate'
+        })
+        await SSL.check()
+        // Verify cleanup for all domains
+        expect(mockDNS.delete).toHaveBeenCalledWith({
+          name: '_acme-challenge.example.com',
+          type: 'TXT',
+          value: 'example.com-key-auth'
+        })
+        expect(mockDNS.delete).toHaveBeenCalledWith({
+          name: '_acme-challenge.www.example.com',
+          type: 'TXT',
+          value: 'www.example.com-key-auth'
+        })
+        expect(mockDNS.delete).toHaveBeenCalledWith({
+          name: '_acme-challenge.api.example.com',
+          type: 'TXT',
+          value: 'api.example.com-key-auth'
+        })
+      })
+    })
+  })
+  describe('self-signed certificate generation and error handling', () => {
+    describe('self-signed certificate generation with selfsigned module', () => {
+      it('should generate self-signed certificate when SSL config is missing', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null // No SSL config
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockReturnValue(false)
+        await SSL.check()
+        expect(selfsigned.generate).toHaveBeenCalledWith([{name: 'commonName', value: 'CandyPack'}], {days: 365, keySize: 2048})
+      })
+      it('should generate self-signed certificate when SSL config is expired', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = {
+          key: '/home/test/.candypack/cert/ssl/candypack.key',
+          cert: '/home/test/.candypack/cert/ssl/candypack.crt',
+          expiry: Date.now() - 86400000 // Expired yesterday
+        }
+        await SSL.check()
+        expect(selfsigned.generate).toHaveBeenCalledWith([{name: 'commonName', value: 'CandyPack'}], {days: 365, keySize: 2048})
+      })
+      it('should use correct certificate attributes for self-signed generation', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        await SSL.check()
+        expect(selfsigned.generate).toHaveBeenCalledWith([{name: 'commonName', value: 'CandyPack'}], {days: 365, keySize: 2048})
+      })
+      it('should use correct options for self-signed certificate generation', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        await SSL.check()
+        const expectedOptions = {days: 365, keySize: 2048}
+        expect(selfsigned.generate).toHaveBeenCalledWith(expect.any(Array), expectedOptions)
+      })
+      it('should not generate self-signed certificate when valid one exists', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = {
+          key: '/home/test/.candypack/cert/ssl/candypack.key',
+          cert: '/home/test/.candypack/cert/ssl/candypack.crt',
+          expiry: Date.now() + 86400000 // Valid for another day
+        }
+        // Mock files exist
+        fs.existsSync.mockReturnValue(true)
+        await SSL.check()
+        expect(selfsigned.generate).not.toHaveBeenCalled()
+      })
+      it('should regenerate self-signed certificate when key file is missing', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = {
+          key: '/home/test/.candypack/cert/ssl/candypack.key',
+          cert: '/home/test/.candypack/cert/ssl/candypack.crt',
+          expiry: Date.now() + 86400000 // Valid expiry
+        }
+        // Mock key file missing but cert file exists
+        fs.existsSync.mockImplementation(path => {
+          if (path.includes('candypack.key')) return false
+          if (path.includes('candypack.crt')) return true
+          return true
+        })
+        await SSL.check()
+        expect(selfsigned.generate).toHaveBeenCalled()
+      })
+      it('should regenerate self-signed certificate when cert file is missing', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = {
+          key: '/home/test/.candypack/cert/ssl/candypack.key',
+          cert: '/home/test/.candypack/cert/ssl/candypack.crt',
+          expiry: Date.now() + 86400000 // Valid expiry
+        }
+        // Mock cert file missing but key file exists
+        fs.existsSync.mockImplementation(path => {
+          if (path.includes('candypack.key')) return true
+          if (path.includes('candypack.crt')) return false
+          return true
+        })
+        await SSL.check()
+        expect(selfsigned.generate).toHaveBeenCalled()
+      })
+    })
+    describe('certificate file storage and configuration updates', () => {
+      it('should create SSL directory if it does not exist', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist
+        fs.existsSync.mockImplementation(path => {
+          if (path.includes('.candypack/cert/ssl')) return false
+          return true
+        })
+        await SSL.check()
+        expect(fs.mkdirSync).toHaveBeenCalledWith('/home/test/.candypack/cert/ssl', {recursive: true})
+      })
+      it('should not create SSL directory if it already exists', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory exists
+        fs.existsSync.mockReturnValue(true)
+        await SSL.check()
+        expect(fs.mkdirSync).not.toHaveBeenCalled()
+      })
+      it('should write self-signed private key to correct file path', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        await SSL.check()
+        expect(fs.writeFileSync).toHaveBeenCalledWith(
+          '/home/test/.candypack/cert/ssl/candypack.key',
+          '-----BEGIN PRIVATE KEY-----\nmock-private-key\n-----END PRIVATE KEY-----'
+        )
+      })
+      it('should write self-signed certificate to correct file path', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        await SSL.check()
+        expect(fs.writeFileSync).toHaveBeenCalledWith(
+          '/home/test/.candypack/cert/ssl/candypack.crt',
+          '-----BEGIN CERTIFICATE-----\nmock-certificate\n-----END CERTIFICATE-----'
+        )
+      })
+      it('should update SSL configuration with new certificate paths', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        await SSL.check()
+        expect(mockConfig.config.ssl).toEqual({
+          key: '/home/test/.candypack/cert/ssl/candypack.key',
+          cert: '/home/test/.candypack/cert/ssl/candypack.crt',
+          expiry: expect.any(Number)
+        })
+      })
+      it('should set self-signed certificate expiry to 24 hours from now', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        const beforeTime = Date.now()
+        await SSL.check()
+        const afterTime = Date.now()
+        const expectedExpiry = 86400000 // 24 hours in milliseconds
+        expect(mockConfig.config.ssl.expiry).toBeGreaterThanOrEqual(beforeTime + expectedExpiry - 1000)
+        expect(mockConfig.config.ssl.expiry).toBeLessThanOrEqual(afterTime + expectedExpiry + 1000)
+      })
+      it('should preserve existing SSL configuration when certificate is valid', async () => {
+        const existingSSL = {
+          key: '/home/test/.candypack/cert/ssl/candypack.key',
+          cert: '/home/test/.candypack/cert/ssl/candypack.crt',
+          expiry: Date.now() + 86400000 // Valid for another day
+        }
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = existingSSL
+        // Mock files exist
+        fs.existsSync.mockReturnValue(true)
+        await SSL.check()
+        expect(mockConfig.config.ssl).toEqual(existingSSL)
+        expect(selfsigned.generate).not.toHaveBeenCalled()
+      })
+    })
+    describe('error handling and retry logic for failed renewals', () => {
+      it('should handle selfsigned.generate errors by throwing', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock selfsigned.generate to throw an error
+        selfsigned.generate.mockImplementation(() => {
+          throw new Error('Certificate generation failed')
+        })
+        // Should throw the error since SSL module doesn't handle it
+        await expect(SSL.check()).rejects.toThrow('Certificate generation failed')
+        expect(selfsigned.generate).toHaveBeenCalled()
+      })
+      it('should handle file system write errors by throwing', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock fs.writeFileSync to throw an error only for self-signed cert files
+        fs.writeFileSync.mockImplementation(path => {
+          if (path.includes('candypack.key') || path.includes('candypack.crt')) {
+            throw new Error('File write failed')
+          }
+        })
+        // Should throw the error since SSL module doesn't handle it
+        await expect(SSL.check()).rejects.toThrow('File write failed')
+        expect(fs.writeFileSync).toHaveBeenCalled()
+      })
+      it('should handle directory creation errors by throwing', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist
+        fs.existsSync.mockReturnValue(false)
+        // Mock fs.mkdirSync to throw an error
+        fs.mkdirSync.mockImplementation(() => {
+          throw new Error('Directory creation failed')
+        })
+        // Should throw the error since SSL module doesn't handle it
+        await expect(SSL.check()).rejects.toThrow('Directory creation failed')
+        expect(fs.mkdirSync).toHaveBeenCalled()
+      })
+      it('should handle ACME client errors with retry logic', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null // Force renewal
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Create a local mock client for this test
+        const localMockClient = {
+          auto: jest.fn().mockRejectedValue(new Error('ACME challenge failed'))
+        }
+        acme.Client.mockImplementation(() => localMockClient)
+        await SSL.check()
+        // Should have attempted ACME renewal
+        expect(localMockClient.auto).toHaveBeenCalled()
+        // Should log the error (verify error logging was called)
+        expect(mockLog.error).toHaveBeenCalledWith(expect.any(Error))
+      })
+      it('should implement exponential backoff for failed ACME renewals', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Create a local mock client for this test
+        const localMockClient = {
+          auto: jest.fn().mockRejectedValue(new Error('ACME failed'))
+        }
+        acme.Client.mockImplementation(() => localMockClient)
+        // First attempt
+        await SSL.check()
+        // Reset checking flag to allow second attempt
+        // Note: We can't access private properties, so we'll test the behavior indirectly
+        // Second attempt should be blocked by retry interval
+        await SSL.check()
+        // Should only attempt once due to retry logic (second call is blocked by checking flag)
+        expect(localMockClient.auto).toHaveBeenCalledTimes(1)
+      })
+      it('should limit retry attempts to prevent infinite loops', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Create a local mock client for this test
+        const localMockClient = {
+          auto: jest.fn().mockRejectedValue(new Error('Persistent ACME failure'))
+        }
+        acme.Client.mockImplementation(() => localMockClient)
+        // First attempt will fail and set retry interval
+        await SSL.check()
+        // Should have attempted once and logged error
+        expect(localMockClient.auto).toHaveBeenCalled()
+        expect(mockLog.error).toHaveBeenCalled()
+      })
+      it('should reset error count after successful renewal', async () => {
+        const mockWebsite = createMockWebsiteConfig('example.com')
+        mockWebsite.cert.ssl = null
+        mockConfig.config.websites = {
+          'example.com': mockWebsite
+        }
+        // Create a local mock client for this test
+        const localMockClient = {
+          auto: jest.fn().mockRejectedValueOnce(new Error('Temporary failure')).mockResolvedValueOnce('mock-certificate')
+        }
+        acme.Client.mockImplementation(() => localMockClient)
+        // First failure
+        await SSL.check()
+        expect(mockLog.error).toHaveBeenCalledTimes(1)
+        // Note: We can't easily test the second attempt due to private state management
+        // This test verifies the first failure is handled correctly
+        expect(localMockClient.auto).toHaveBeenCalledTimes(1)
+      })
+    })
+    describe('certificate validation and format verification', () => {
+      it('should validate self-signed certificate format from selfsigned module', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockReturnValue(false)
+        await SSL.check()
+        // Verify the mock was called and returns properly formatted PEM certificates
+        expect(selfsigned.generate).toHaveBeenCalled()
+        const mockReturnValue = selfsigned.generate.mock.results[0].value
+        expect(mockReturnValue.private).toContain('-----BEGIN PRIVATE KEY-----')
+        expect(mockReturnValue.private).toContain('-----END PRIVATE KEY-----')
+        expect(mockReturnValue.cert).toContain('-----BEGIN CERTIFICATE-----')
+        expect(mockReturnValue.cert).toContain('-----END CERTIFICATE-----')
+      })
+      it('should validate certificate file paths are correctly set', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockReturnValue(false)
+        await SSL.check()
+        expect(mockConfig.config.ssl.key).toBe('/home/test/.candypack/cert/ssl/candypack.key')
+        expect(mockConfig.config.ssl.cert).toBe('/home/test/.candypack/cert/ssl/candypack.crt')
+        expect(typeof mockConfig.config.ssl.expiry).toBe('number')
+        expect(mockConfig.config.ssl.expiry).toBeGreaterThan(Date.now())
+      })
+      it('should validate certificate expiry is set correctly', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockReturnValue(false)
+        const beforeTime = Date.now()
+        await SSL.check()
+        const afterTime = Date.now()
+        // Should be set to 24 hours from now (86400000 ms)
+        expect(mockConfig.config.ssl.expiry).toBeGreaterThanOrEqual(beforeTime + 86400000 - 1000)
+        expect(mockConfig.config.ssl.expiry).toBeLessThanOrEqual(afterTime + 86400000 + 1000)
+      })
+      it('should validate certificate files are written with correct content', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockReturnValue(false)
+        await SSL.check()
+        // Verify key file content
+        expect(fs.writeFileSync).toHaveBeenCalledWith(
+          '/home/test/.candypack/cert/ssl/candypack.key',
+          expect.stringContaining('-----BEGIN PRIVATE KEY-----')
+        )
+        // Verify certificate file content
+        expect(fs.writeFileSync).toHaveBeenCalledWith(
+          '/home/test/.candypack/cert/ssl/candypack.crt',
+          expect.stringContaining('-----BEGIN CERTIFICATE-----')
+        )
+      })
+      it('should validate certificate attributes match expected values', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockReturnValue(false)
+        await SSL.check()
+        expect(selfsigned.generate).toHaveBeenCalledWith([{name: 'commonName', value: 'CandyPack'}], {days: 365, keySize: 2048})
+      })
+      it('should validate certificate generation parameters are secure', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockReturnValue(false)
+        await SSL.check()
+        // Verify the call was made with secure parameters
+        expect(selfsigned.generate).toHaveBeenCalledWith(
+          expect.any(Array),
+          expect.objectContaining({
+            keySize: expect.any(Number),
+            days: expect.any(Number)
+          })
+        )
+        // Get the actual options passed
+        const callArgs = selfsigned.generate.mock.calls[0]
+        const options = callArgs[1]
+        // Verify secure key size (2048 bits minimum)
+        expect(options.keySize).toBeGreaterThanOrEqual(2048)
+        // Verify reasonable validity period (365 days)
+        expect(options.days).toBe(365)
+      })
+      it('should handle malformed certificate data gracefully', async () => {
+        mockConfig.config.websites = {
+          'example.com': createMockWebsiteConfig('example.com')
+        }
+        mockConfig.config.ssl = null
+        // Mock directory doesn't exist to trigger creation
+        fs.existsSync.mockReturnValue(false)
+        // Mock selfsigned to return malformed data
+        selfsigned.generate.mockReturnValue({
+          private: 'invalid-key-data',
+          cert: 'invalid-cert-data'
+        })
+        await SSL.check()
+        // Should still write the files even with malformed data
+        expect(fs.writeFileSync).toHaveBeenCalledWith('/home/test/.candypack/cert/ssl/candypack.key', 'invalid-key-data')
+        expect(fs.writeFileSync).toHaveBeenCalledWith('/home/test/.candypack/cert/ssl/candypack.crt', 'invalid-cert-data')
+      })
+    })
+  })
+})