npm - roster-server - Versions diffs - 2.1.12 → 2.1.16 - Mend

roster-server 2.1.12 → 2.1.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/index.js +55 -8
package/package.json +1 -1
package/test/roster-server.test.js +45 -0
package/vendor/acme-dns-01-cli-wrapper.js +8 -7
package/vendor/greenlock-express/demo.js +6 -4
package/vendor/greenlock-express/greenlock-shim.js +6 -16
package/vendor/greenlock-express/http-middleware.js +16 -11
package/vendor/greenlock-express/https-middleware.js +3 -5
package/vendor/greenlock-express/lib/compat.js +9 -5
package/vendor/greenlock-express/main.js +7 -6
package/vendor/greenlock-express/master.js +6 -5
package/vendor/greenlock-express/scripts/postinstall +2 -1
package/vendor/greenlock-express/servers.js +17 -18
package/vendor/greenlock-express/sni.js +10 -12

package/index.js CHANGED Viewed

@@ -234,6 +234,10 @@ class Roster {
         this.disableWildcard = options.disableWildcard !== undefined
             ? parseBooleanFlag(options.disableWildcard, false)
             : parseBooleanFlag(process.env.ROSTER_DISABLE_WILDCARD, false);
+        const isBunRuntime = typeof Bun !== 'undefined' || process.release?.name === 'bun';
+        this.combineWildcardCerts = options.combineWildcardCerts !== undefined
+            ? parseBooleanFlag(options.combineWildcardCerts, false)
+            : parseBooleanFlag(process.env.ROSTER_COMBINE_WILDCARD_CERTS, isBunRuntime);
         const port = options.port === undefined ? 443 : options.port;
         if (port === 80 && !this.local) {
@@ -379,10 +383,21 @@ class Roster {
             if ((domain.match(/\./g) || []).length < 2) {
                 primaryAltnames.push(`www.${domain}`);
             }
+            const shouldCombineWildcard = this.combineWildcardCerts && this.wildcardZones.has(domain) && this.dnsChallenge;
+            if (shouldCombineWildcard) {
+                primaryAltnames.push(`*.${domain}`);
+            }
             const primarySite = {
                 subject: domain,
                 altnames: primaryAltnames
             };
+            if (shouldCombineWildcard) {
+                const dns01 = { ...this.dnsChallenge };
+                if (dns01.propagationDelay === undefined) dns01.propagationDelay = 120000;
+                if (dns01.autoContinue === undefined) dns01.autoContinue = false;
+                if (dns01.dryRunDelay === undefined) dns01.dryRunDelay = dns01.propagationDelay;
+                primarySite.challenges = { 'dns-01': dns01 };
+            }
             const existingPrimarySite = Array.isArray(existingConfig.sites)
                 ? existingConfig.sites.find(site => site.subject === domain)
                 : null;
@@ -390,7 +405,7 @@ class Roster {
             sitesConfig.push(primarySite);
             // Wildcard cert is issued separately and uses dns-01 only.
-            if (this.wildcardZones.has(domain) && this.dnsChallenge) {
+            if (!shouldCombineWildcard && this.wildcardZones.has(domain) && this.dnsChallenge) {
                 const wildcardSubject = `*.${domain}`;
                 const dns01 = { ...this.dnsChallenge };
                 if (dns01.propagationDelay === undefined) {
@@ -853,8 +868,40 @@ class Roster {
                     }
                     return null;
                 };
+                const issueAndReloadPemsForServername = async (servername) => {
+                    const host = normalizeHostInput(servername).trim().toLowerCase();
+                    if (!host) return null;
+                    let pems = resolvePemsForServername(host);
+                    if (pems) return pems;
+                    try {
+                        await greenlockRuntime.get({ servername: host });
+                    } catch (error) {
+                        log.warn(`⚠️  Greenlock issuance failed for ${host}: ${error?.message || error}`);
+                    }
+                    pems = resolvePemsForServername(host);
+                    if (pems) return pems;
+                    // For wildcard zones, try a valid subdomain bootstrap host so Greenlock can
+                    // resolve the wildcard site without relying on invalid "*.domain" servername input.
+                    const wildcardSubject = wildcardSubjectForHost(host);
+                    const zone = wildcardSubject ? wildcardRoot(wildcardSubject) : null;
+                    if (zone) {
+                        const bootstrapHost = `bun-bootstrap.${zone}`;
+                        try {
+                            await greenlockRuntime.get({ servername: bootstrapHost });
+                        } catch (error) {
+                            log.warn(`⚠️  Greenlock wildcard bootstrap failed for ${bootstrapHost}: ${error?.message || error}`);
+                        }
+                        pems = resolvePemsForServername(host);
+                    }
+                    return pems;
+                };
                 const ensureBunDefaultPems = async (primaryDomain) => {
-                    let pems = resolvePemsForServername(primaryDomain);
+                    let pems = await issueAndReloadPemsForServername(primaryDomain);
                     if (pems) return pems;
                     const certSubject = primaryDomain.startsWith('*.') ? wildcardRoot(primaryDomain) : primaryDomain;
@@ -891,12 +938,12 @@ class Roster {
                             key: defaultPems.key,
                             cert: defaultPems.cert,
                             SNICallback: (servername, callback) => {
-                                try {
-                                    const pems = resolvePemsForServername(servername) || defaultPems;
-                                    callback(null, tls.createSecureContext({ key: pems.key, cert: pems.cert }));
-                                } catch (error) {
-                                    callback(error);
-                                }
+                                issueAndReloadPemsForServername(servername)
+                                    .then((pems) => {
+                                        const selected = pems || defaultPems;
+                                        callback(null, tls.createSecureContext({ key: selected.key, cert: selected.cert }));
+                                    })
+                                    .catch(callback);
                             }
                         }, dispatcher);
                         log.warn(`⚠️  Bun runtime detected: using file-based TLS with SNI for ${primaryDomain} on port ${portNum}`);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "roster-server",
-    "version": "2.1.12",
+    "version": "2.1.16",
     "description": "👾 RosterServer - A domain host router to host multiple HTTPS.",
     "main": "index.js",
     "scripts": {

package/test/roster-server.test.js CHANGED Viewed

@@ -313,6 +313,17 @@ describe('Roster', () => {
                 else process.env.ROSTER_DISABLE_WILDCARD = previous;
             }
         });
+        it('enables combined wildcard certs from env var', () => {
+            const previous = process.env.ROSTER_COMBINE_WILDCARD_CERTS;
+            process.env.ROSTER_COMBINE_WILDCARD_CERTS = '1';
+            try {
+                const roster = new Roster({ local: false });
+                assert.strictEqual(roster.combineWildcardCerts, true);
+            } finally {
+                if (previous === undefined) delete process.env.ROSTER_COMBINE_WILDCARD_CERTS;
+                else process.env.ROSTER_COMBINE_WILDCARD_CERTS = previous;
+            }
+        });
     });
     describe('register (normal domain)', () => {
@@ -557,4 +568,38 @@ describe('Roster generateConfigJson', () => {
             fs.rmSync(tmpDir, { recursive: true, force: true });
         }
     });
+    it('can combine apex+www+wildcard in one cert with dns-01', () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'roster-config-'));
+        try {
+            const roster = new Roster({
+                local: false,
+                greenlockStorePath: tmpDir,
+                combineWildcardCerts: true,
+                dnsChallenge: {
+                    module: 'acme-dns-01-cli',
+                    propagationDelay: 120000,
+                    autoContinue: false,
+                    dryRunDelay: 120000
+                }
+            });
+            roster.domains = ['tagnu.com', 'www.tagnu.com', '*.tagnu.com'];
+            roster.wildcardZones.add('tagnu.com');
+            roster.generateConfigJson();
+            const configPath = path.join(tmpDir, 'config.json');
+            const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+            const apexSite = config.sites.find((site) => site.subject === 'tagnu.com');
+            const wildcardSite = config.sites.find((site) => site.subject === '*.tagnu.com');
+            assert.ok(apexSite);
+            assert.deepStrictEqual(
+                apexSite.altnames.sort(),
+                ['tagnu.com', 'www.tagnu.com', '*.tagnu.com'].sort()
+            );
+            assert.ok(apexSite.challenges && apexSite.challenges['dns-01']);
+            assert.strictEqual(wildcardSite, undefined);
+        } finally {
+            fs.rmSync(tmpDir, { recursive: true, force: true });
+        }
+    });
 });

package/vendor/acme-dns-01-cli-wrapper.js CHANGED Viewed

@@ -1,6 +1,7 @@
 'use strict';
 const legacyCli = require('acme-dns-01-cli');
+const log = require('lemonlog')('acme-dns-01');
 function toPromise(fn, context) {
     if (typeof fn !== 'function') {
@@ -73,10 +74,10 @@ module.exports.create = function create(config = {}) {
         }
         const ch = opts?.challenge || {};
-        console.info('');
-        console.info("[ACME dns-01 '" + (ch.altname || opts?.altname || 'unknown') + "' CHALLENGE]");
-        console.info("You're about to receive the following DNS query:");
-        console.info('');
+        log.info('');
+        log.info("[ACME dns-01 '" + (ch.altname || opts?.altname || 'unknown') + "' CHALLENGE]");
+        log.info("You're about to receive the following DNS query:");
+        log.info('');
         const dnsHost = String(ch.dnsHost || '');
         const dnsAuth = ch.dnsAuthorization || opts?.dnsAuthorization || null;
         if (dnsHost && dnsAuth) {
@@ -87,15 +88,15 @@ module.exports.create = function create(config = {}) {
             ? Math.max(0, dryRunDelay)
             : propagationDelay;
-        console.info(
+        log.info(
             '\tTXT\t' +
                 (ch.dnsHost || '_acme-challenge.<domain>') +
                 '\t' +
                 (ch.dnsAuthorization || '<dns-authorization-token>') +
                 '\tTTL 60'
         );
-        console.info('');
-        console.info(
+        log.info('');
+        log.info(
             'Non-interactive mode (or autoContinue) detected. ' +
             'Set the TXT record now. Continuing automatically in ' +
             effectiveDelay +

package/vendor/greenlock-express/demo.js CHANGED Viewed

@@ -1,10 +1,12 @@
 "use strict";
+var log = require("lemonlog")("greenlock-demo");
 require("./")
     .init(initialize)
     .serve(worker)
     .master(function() {
-        console.log("Hello from master");
+        log.info("Hello from master");
     });
 function initialize() {
@@ -19,15 +21,15 @@ function initialize() {
         cluster: true,
         notify: function(ev, params) {
-            console.info(ev, params);
+            log.info(ev, params);
         }
     };
     return config;
 }
 function worker(glx) {
-    console.info();
-    console.info("Hello from worker #" + glx.id());
+    log.info("");
+    log.info("Hello from worker #" + glx.id());
     glx.serveApp(function(req, res) {
         res.end("Hello, Encrypted World!");

package/vendor/greenlock-express/greenlock-shim.js CHANGED Viewed

@@ -2,6 +2,7 @@
 module.exports.create = function(opts) {
     var Greenlock = require("@root/greenlock");
+    var log = require("lemonlog")("greenlock-shim");
     //var Init = require("@root/greenlock/lib/init.js");
     var greenlock = opts.greenlock;
@@ -28,7 +29,7 @@ module.exports.create = function(opts) {
             greenlock._defaults.notify = opts.notify;
         }
     } catch (e) {
-        console.error("Developer Error: notify not attached correctly");
+        log.error("Developer Error: notify not attached correctly");
     }
     // re-export as top-level function to simplify rpc with workers
@@ -38,23 +39,12 @@ module.exports.create = function(opts) {
     greenlock._find({}).then(function(sites) {
         if (sites.length <= 0) {
-            console.warn("Warning: `find({})` returned 0 sites.");
-            console.warn("         Does `" + greenlock.manager._modulename + "` implement `find({})`?");
-            console.warn("         Did you add sites?");
-            console.warn("         npx greenlock add --subject example.com --altnames example.com");
+            log.warn("Warning: `find({})` returned 0 sites.");
+            log.warn("         Does `" + greenlock.manager._modulename + "` implement `find({})`?");
+            log.warn("         Did you add sites?");
+            log.warn("         npx greenlock add --subject example.com --altnames example.com");
             return;
         }
-        // console.info("Ready to Serve:");
-        var max = 3;
-        if (sites.length >= 1) {
-            sites.slice(0, max).forEach(function(site) {
-                // console.info("\t", site.altnames.join(" "));
-            });
-        }
-        if (sites.length > max) {
-            // console.info("and %d others", sites.length - max);
-        }
     });
     return greenlock;

package/vendor/greenlock-express/http-middleware.js CHANGED Viewed

@@ -3,6 +3,7 @@
 var HttpMiddleware = module.exports;
 var servernameRe = /^[a-z0-9\.\-]+$/i;
 var challengePrefix = "/.well-known/acme-challenge/";
+var log = require("lemonlog")("greenlock-http");
 HttpMiddleware.create = function(gl, defaultApp) {
     if (defaultApp && "function" !== typeof defaultApp) {
@@ -49,7 +50,7 @@ HttpMiddleware.create = function(gl, defaultApp) {
                     return;
                 }
                 if (done) {
-                    console.error("Sanity check fail: `done` is in a quantum state of both true and false... huh?");
+                    log.error("Invariant violation: challenge middleware reached `done=true` and response path simultaneously");
                     return;
                 }
                 // HEADERS SENT DEBUG NOTE #4b
@@ -60,16 +61,16 @@ HttpMiddleware.create = function(gl, defaultApp) {
                 // HEADERS SENT DEBUG NOTE #5
                 // I really don't see how this can be possible.
                 // Every case appears to be accounted for
-                console.error();
-                console.error("[warning] Developer Error:" + (err.code || err.context || ""), countA, countB);
-                console.error(err.stack);
-                console.error();
-                console.error(
-                    "This is probably the error that happens routinely on http2 connections, but we're not sure why."
+                log.error(
+                    "Unhandled ACME challenge middleware error",
+                    {
+                        code: err.code || null,
+                        context: err.context || null,
+                        catchCountA: countA,
+                        catchCountB: countB
+                    }
                 );
-                console.error("To track the status or help contribute,");
-                console.error("visit: https://git.rootprojects.org/root/greenlock-express.js/issues/9");
-                console.error();
+                log.error(err.stack || err.message || err);
                 try {
                     res.end("Internal Server Error [1003]: See logs for details.");
                 } catch (e) {
@@ -114,7 +115,11 @@ function explainError(gl, err, ctx, hostname) {
         err.context = ctx;
     }
     // leaving this in the build for now because it will help with existing error reports
-    console.error("[warning] network connection error:", (err.context || "") + " " + err.message);
+    log.error("Network connection error during ACME challenge handling", {
+        context: err.context || "",
+        servername: err.servername || hostname || "",
+        message: err.message
+    });
     (gl.notify || gl._notify)("error", err);
     return err;
 }

package/vendor/greenlock-express/https-middleware.js CHANGED Viewed

@@ -2,6 +2,7 @@
 var SanitizeHost = module.exports;
 var HttpMiddleware = require("./http-middleware.js");
+var log = require("lemonlog")("greenlock-https");
 SanitizeHost.create = function(gl, app) {
     return function(req, res, next) {
@@ -61,8 +62,6 @@ SanitizeHost.create = function(gl, app) {
 				// and such).
 				// It was common for the log message to pop up as the first request
 				// to the server, and that was confusing. So instead now we do nothing.
-				//console.warn("no string for req.socket.servername," + " skipping fronting check for '" + safehost + "'");
 				//gl._skip_fronting_check = true;
 			}
       */
@@ -94,7 +93,7 @@ SanitizeHost._checkServername = function(safeHost, tlsSocket) {
         // domain fronting attacks allowed
         if (warnDomainFronting) {
             // https://github.com/nodejs/node/issues/24095
-            console.warn(
+            log.warn(
                 "Warning: node " +
                     process.version +
                     " is vulnerable to domain fronting attacks. Please use node v11.2.0 or greater."
@@ -111,7 +110,6 @@ SanitizeHost._checkServername = function(safeHost, tlsSocket) {
         // TODO optimize / cache?
         // *should* always have a string, right?
         // *should* always be lowercase already, right?
-        //console.log(safeHost, cert.subject.CN, cert.subjectaltname);
         var isSubject = (cert.subject.CN || "").toLowerCase() === safeHost;
         if (isSubject) {
             return true;
@@ -129,7 +127,7 @@ SanitizeHost._checkServername = function(safeHost, tlsSocket) {
     } catch (e) {
         // not sure what else to do in this situation...
         if (warnUnexpectedError) {
-            console.warn("Warning: encoutered error while performing domain fronting check: " + e.message);
+            log.warn("Encountered error while performing domain fronting check: " + e.message);
             warnUnexpectedError = false;
         }
         return true;

package/vendor/greenlock-express/lib/compat.js CHANGED Viewed

@@ -1,13 +1,15 @@
 "use strict";
+var log = require("lemonlog")("greenlock-compat");
 function requireBluebird() {
     try {
         return require("bluebird");
     } catch (e) {
-        console.error("");
-        console.error("DON'T PANIC. You're running an old version of node with incomplete Promise support.");
-        console.error("EASY FIX: `npm install --save bluebird`");
-        console.error("");
+        log.error("");
+        log.error("DON'T PANIC. You're running an old version of node with incomplete Promise support.");
+        log.error("EASY FIX: `npm install --save bluebird`");
+        log.error("");
         throw e;
     }
 }
@@ -21,7 +23,9 @@ if ("function" !== typeof require("util").promisify) {
 }
 if (!console.debug) {
-    console.debug = console.log;
+    console.debug = function() {
+        log.debug.apply(log, arguments);
+    };
 }
 var fs = require("fs");

package/vendor/greenlock-express/main.js CHANGED Viewed

@@ -3,6 +3,7 @@
 // this is the stuff that should run in the main foreground process,
 // whether it's single or master
+var log = require("lemonlog")("greenlock-main");
 var major = parseInt(process.versions.node.split(".")[0], 10);
 var minor = parseInt(process.versions.node.split(".")[1], 10) || 0;
 var _hasSetSecureContext = false;
@@ -14,19 +15,19 @@ _hasSetSecureContext = major > 11 || (major === 11 && minor >= 2);
 // TODO document in issues
 if (!_hasSetSecureContext) {
     // TODO this isn't necessary if greenlock options are set with options.cert
-    console.warn("Warning: node " + process.version + " is missing tlsSocket.setSecureContext().");
-    console.warn("         The default certificate may not be set.");
+    log.warn("Warning: node " + process.version + " is missing tlsSocket.setSecureContext().");
+    log.warn("         The default certificate may not be set.");
     shouldUpgrade = true;
 }
 if (major < 11 || (11 === major && minor < 2)) {
     // https://github.com/nodejs/node/issues/24095
-    console.warn("Warning: node " + process.version + " is missing tlsSocket.getCertificate().");
-    console.warn("         This is necessary to guard against domain fronting attacks.");
+    log.warn("Warning: node " + process.version + " is missing tlsSocket.getCertificate().");
+    log.warn("         This is necessary to guard against domain fronting attacks.");
     shouldUpgrade = true;
 }
 if (shouldUpgrade) {
-    console.warn("Warning: Please upgrade to node v11.2.0 or greater.");
-    console.warn();
+    log.warn("Warning: Please upgrade to node v11.2.0 or greater.");
+    log.warn("");
 }

package/vendor/greenlock-express/master.js CHANGED Viewed

@@ -6,6 +6,7 @@ var Master = module.exports;
 var cluster = require("cluster");
 var os = require("os");
+var log = require("lemonlog")("greenlock-master");
 var msgPrefix = "greenlock:";
 Master.create = function(opts) {
@@ -112,11 +113,11 @@ Master._spawnWorker = function(opts, greenlock) {
         // For now just kill all when any die
         if (signal) {
-            console.error("worker was killed by signal:", signal);
+            log.error("worker was killed by signal:", signal);
         } else if (code !== 0) {
-            console.error("worker exited with error code:", code);
+            log.error("worker exited with error code:", code);
         } else {
-            console.error("worker unexpectedly quit without exit code or signal");
+            log.error("worker unexpectedly quit without exit code or signal");
         }
         process.exit(2);
@@ -155,8 +156,8 @@ Master._spawnWorker = function(opts, greenlock) {
         try {
             rpc();
         } catch (e) {
-            console.error("Unexpected and uncaught greenlock." + msg._funcname + " error:");
-            console.error(e);
+            log.error("Unexpected and uncaught greenlock." + msg._funcname + " error:");
+            log.error(e);
         }
     }

package/vendor/greenlock-express/scripts/postinstall CHANGED Viewed

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 "use strict";
+var log = require("lemonlog")("greenlock-postinstall");
 // BG WH \u001b[47m
 // BOLD  \u001b[1m
@@ -68,7 +69,7 @@ setTimeout(function() {
 		"================================================================================",
 		""
 	]).forEach(function(line) {
-		console.info(line);
+		log.info(line);
 	});
 }, 300);

package/vendor/greenlock-express/servers.js CHANGED Viewed

@@ -7,6 +7,7 @@ var HttpMiddleware = require("./http-middleware.js");
 var HttpsMiddleware = require("./https-middleware.js");
 var sni = require("./sni.js");
 var cluster = require("cluster");
+var log = require("lemonlog")("greenlock-servers");
 Servers.create = function(greenlock) {
     var servers = {};
@@ -21,7 +22,7 @@ Servers.create = function(greenlock) {
     servers.httpServer = function(defaultApp) {
         if (_httpServer) {
             if (defaultApp) {
-                console.error("error: can only call httpServer(app) once");
+                log.error("Invalid API usage: `httpServer(app)` can only be called once");
                 process.exit(1);
             }
             return _httpServer;
@@ -104,7 +105,7 @@ Servers.create = function(greenlock) {
             var plainAddr = "0.0.0.0";
             var plainPort = 80;
             plainServer.listen(plainPort, plainAddr, function() {
-                console.info(
+                log.info(
                     idstr + "Listening on",
                     plainAddr + ":" + plainPort,
                     "for ACME challenges, and redirecting to HTTPS"
@@ -116,7 +117,7 @@ Servers.create = function(greenlock) {
                 var secureAddr = "0.0.0.0";
                 var securePort = 443;
                 secureServer.listen(securePort, secureAddr, function() {
-                    console.info(idstr + "Listening on", secureAddr + ":" + securePort, "for secure traffic");
+                    log.info(idstr + "Listening on", secureAddr + ":" + securePort, "for secure traffic");
                     plainServer.removeListener("error", startError);
                     secureServer.removeListener("error", startError);
@@ -130,18 +131,21 @@ Servers.create = function(greenlock) {
 };
 function explainError(e) {
-    console.error();
-    console.error("Error: " + e.message);
+    log.error("Server startup error", {
+        code: e.code || e.errno || null,
+        address: e.address || null,
+        port: e.port || null,
+        message: e.message
+    });
     if ("EACCES" === e.errno) {
-        console.error("You don't have prmission to access '" + e.address + ":" + e.port + "'.");
-        console.error('You probably need to use "sudo" or "sudo setcap \'cap_net_bind_service=+ep\' $(which node)"');
+        log.error("Insufficient permission to bind " + e.address + ":" + e.port + ".");
+        log.error('You probably need to use "sudo" or "sudo setcap \'cap_net_bind_service=+ep\' $(which node)"');
     } else if ("EADDRINUSE" === e.errno) {
-        console.error("'" + e.address + ":" + e.port + "' is already being used by some other program.");
-        console.error("You probably need to stop that program or restart your computer.");
+        log.error("Address already in use: " + e.address + ":" + e.port + ".");
+        log.error("You probably need to stop that program or restart your computer.");
     } else {
-        console.error(e.code + ": '" + e.address + ":" + e.port + "'");
+        log.error(e.code + ": '" + e.address + ":" + e.port + "'");
     }
-    console.error();
 }
 function wrapDefaultSniCallback(greenlock, secureOpts) {
@@ -156,13 +160,8 @@ function wrapDefaultSniCallback(greenlock, secureOpts) {
 		}
   */
     if (secureOpts.SNICallback) {
-        console.warn();
-        console.warn("[warning] Ignoring the given tlsOptions.SNICallback function.");
-        console.warn();
-        console.warn("          We're very open to implementing support for this,");
-        console.warn("          we just don't understand the use case yet.");
-        console.warn("          Please open an issue to discuss. We'd love to help.");
-        console.warn();
+        log.warn("Ignoring user-provided tlsOptions.SNICallback; Greenlock-managed SNI callback is required");
+        log.warn("If you need custom SNI behavior, open an issue to discuss integration support");
     }
     // TODO greenlock.servername for workers

package/vendor/greenlock-express/sni.js CHANGED Viewed

@@ -2,6 +2,7 @@
 var sni = module.exports;
 var tls = require("tls");
+var log = require("lemonlog")("greenlock-sni");
 var servernameRe = /^[a-z0-9\.\-]+$/i;
 // a nice, round, irrational number - about every 6¼ hours
@@ -32,23 +33,21 @@ sni.create = function(greenlock, secureOpts) {
             // TODO _notify() or notify()?
             (greenlock.notify || greenlock._notify)(ev, args);
         } catch (e) {
-            console.error(e);
-            console.error(ev, args);
+            log.error(e);
+            log.error(ev, args);
         }
     }
     function getSecureContext(servername, cb) {
-        //console.log("debug sni", servername);
         if ("string" !== typeof servername) {
             // this will never happen... right? but stranger things have...
-            console.error("[sanity fail] non-string servername:", servername);
+            log.error("[sanity fail] non-string servername:", servername);
             cb(new Error("invalid servername"), null);
             return;
         }
         var secureContext = getCachedContext(servername);
         if (secureContext) {
-            //console.log("debug sni got cached context", servername, getCachedMeta(servername));
             cb(null, secureContext);
             return;
         }
@@ -56,20 +55,19 @@ sni.create = function(greenlock, secureOpts) {
         getFreshContext(servername)
             .then(function(secureContext) {
                 if (secureContext) {
-                    //console.log("debug sni got fresh context", servername, getCachedMeta(servername));
                     cb(null, secureContext);
                     return;
                 }
                 // Note: this does not replace tlsSocket.setSecureContext()
                 // as it only works when SNI has been sent
-                //console.log("debug sni got default context", servername, getCachedMeta(servername));
                 if (!/PROD/.test(process.env.ENV) || /DEV|STAG/.test(process.env.ENV)) {
                     // Change this once
                     // A) the 'notify' message passing is verified fixed in cluster mode
                     // B) we have a good way to let people know their server isn't configured
-                    console.debug("debug: ignoring servername " + JSON.stringify(servername));
-                    console.debug("       (it's probably either missing from your config, or a bot)");
+                    log.debug("SNI servername not configured; falling back to default context", {
+                        servername: servername
+                    });
                     notify("servername_unknown", {
                         servername: servername
                     });
@@ -81,7 +79,6 @@ sni.create = function(greenlock, secureOpts) {
                     err.context = "sni_callback";
                 }
                 notify("error", err);
-                //console.log("debug sni error", servername, err);
                 cb(err);
             });
     }
@@ -125,8 +122,9 @@ sni.create = function(greenlock, secureOpts) {
                 // Change this once
                 // A) the 'notify' message passing is verified fixed in cluster mode
                 // B) we have a good way to let people know their server isn't configured
-                console.debug("debug: invalid servername " + JSON.stringify(servername));
-                console.debug("       (it's probably just a bot trolling for vulnerable servers)");
+                log.debug("Invalid SNI servername received; skipping certificate lookup", {
+                    servername: servername
+                });
                 notify("servername_invalid", {
                     servername: servername
                 });