natemcmaster · NetworKKnighT · Oct 14, 2024 · Oct 14, 2024
@@ -1,9 +1,11 @@
 {
   "LettuceEncrypt": {
     "DomainNames": [
-      "example.com",
-      "www.example.com",
-      "www2.example.com"
+      [
+        "example.com",
+        "www.example.com",
+        "www2.example.com"
+      ]
     ],
     "AzureKeyVault": {
       "AzureKeyVaultEndpoint": "https://my-production-secrets.vault.azure.net"

@@ -1,7 +1,7 @@
 {
   "LettuceEncrypt": {
     "DomainNames": [
-      "staging.example.com"
+      [ "staging.example.com" ]
     ],
     "AzureKeyVault": {
       "AzureKeyVaultEndpoint": "https://my-staging-secrets.vault.azure.net"

@@ -1,9 +1,11 @@
 {
   "LettuceEncrypt": {
     "DomainNames": [
-      "example.com",
-      "www.example.com",
-      "www2.example.com"
+      [
+        "example.com",
+        "www.example.com",
+        "www2.example.com"
+      ]
     ]
   }
 }
@@ -1,7 +1,7 @@
 {
   "LettuceEncrypt": {
     "DomainNames": [
-      "staging.example.com"
+      [ "staging.example.com" ]
     ],
     "UseStagingServer": true
   }

@@ -34,7 +34,7 @@ public async Task<IEnumerable<X509Certificate2>> GetCertificatesAsync(Cancellati
     {
         var certs = new List<X509Certificate2>();
 
-        foreach (var domain in _encryptOptions.Value.DomainNames)
+        foreach (var domain in _encryptOptions.Value.DomainNames.SelectMany(domainName => domainName))
         {
             var cert = await GetCertificateWithPrivateKeyAsync(domain, cancellationToken);
 

@@ -153,7 +153,7 @@ private async Task<bool> ExistingAccountIsValidAsync()
         return true;
     }
 
-    public async Task<X509Certificate2> CreateCertificateAsync(CancellationToken cancellationToken)
+    public async Task<X509Certificate2> CreateCertificateAsync(string[] domainNames, CancellationToken cancellationToken)
     {
         cancellationToken.ThrowIfCancellationRequested();
         if (_client == null)
@@ -165,7 +165,7 @@ public async Task<X509Certificate2> CreateCertificateAsync(CancellationToken can
         var orders = await _client.GetOrdersAsync();
         if (orders.Any())
         {
-            var expectedDomains = new HashSet<string>(_options.Value.DomainNames);
+            var expectedDomains = new HashSet<string>(domainNames);
             foreach (var order in orders)
             {
                 var orderDetails = await _client.GetOrderDetailsAsync(order);
@@ -191,7 +191,7 @@ public async Task<X509Certificate2> CreateCertificateAsync(CancellationToken can
         if (orderContext == null)
         {
             _logger.LogDebug("Creating new order for a certificate");
-            orderContext = await _client.CreateOrderAsync(_options.Value.DomainNames);
+            orderContext = await _client.CreateOrderAsync(domainNames);
         }
 
         cancellationToken.ThrowIfCancellationRequested();
@@ -201,7 +201,7 @@ public async Task<X509Certificate2> CreateCertificateAsync(CancellationToken can
         await Task.WhenAll(BeginValidateAllAuthorizations(authorizations, cancellationToken));
 
         cancellationToken.ThrowIfCancellationRequested();
-        return await CompleteCertificateRequestAsync(orderContext, cancellationToken);
+        return await CompleteCertificateRequestAsync(orderContext, domainNames, cancellationToken);
     }
 
     private IEnumerable<Task> BeginValidateAllAuthorizations(IEnumerable<IAuthorizationContext> authorizations,
@@ -282,7 +282,7 @@ private async Task ValidateDomainOwnershipAsync(IAuthorizationContext authorizat
         throw new InvalidOperationException($"Failed to validate ownership of domainName '{domainName}'");
     }
 
-    private async Task<X509Certificate2> CompleteCertificateRequestAsync(IOrderContext order,
+    private async Task<X509Certificate2> CompleteCertificateRequestAsync(IOrderContext order, string[] domainNames,
         CancellationToken cancellationToken)
     {
         cancellationToken.ThrowIfCancellationRequested();
@@ -291,7 +291,7 @@ private async Task<X509Certificate2> CompleteCertificateRequestAsync(IOrderConte
             throw new InvalidOperationException();
         }
 
-        var commonName = _options.Value.DomainNames[0];
+        var commonName = domainNames[0];
         _logger.LogDebug("Creating cert for {commonName}", commonName);
 
         var csrInfo = new CsrInfo
@@ -305,7 +305,7 @@ private async Task<X509Certificate2> CompleteCertificateRequestAsync(IOrderConte
         _logger.LogAcmeAction("NewCertificate");
 
         var pfxBuilder = CreatePfxBuilder(acmeCert, privateKey);
-        var pfx = pfxBuilder.Build("HTTPS Cert - " + _options.Value.DomainNames, string.Empty);
+        var pfx = pfxBuilder.Build("HTTPS Cert - " + domainNames, string.Empty);
         return new X509Certificate2(pfx, string.Empty, X509KeyStorageFlags.Exportable);
     }
 

@@ -91,6 +91,8 @@ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
     }
 
     private bool LettuceEncryptDomainNamesWereConfigured()
-        => _options.Value.DomainNames
-            .Any(w => !string.Equals("localhost", w, StringComparison.OrdinalIgnoreCase));
+    {
+        return _options.Value.DomainNames.All(domains =>
+                    domains.Any(w => !string.Equals("localhost", w, StringComparison.OrdinalIgnoreCase)));
+    }
 }
@@ -9,28 +9,31 @@ namespace LettuceEncrypt.Internal.AcmeStates;
 
 internal class BeginCertificateCreationState : AcmeState
 {
-    private readonly ILogger<ServerStartupState> _logger;
+    private readonly ILogger<BeginCertificateCreationState> _logger;
     private readonly IOptions<LettuceEncryptOptions> _options;
     private readonly AcmeCertificateFactory _acmeCertificateFactory;
     private readonly CertificateSelector _selector;
+    private readonly DomainNamesEnumerator _domainNamesEnumerator;
     private readonly IEnumerable<ICertificateRepository> _certificateRepositories;
 
     public BeginCertificateCreationState(
-        AcmeStateMachineContext context, ILogger<ServerStartupState> logger,
+        AcmeStateMachineContext context, ILogger<BeginCertificateCreationState> logger,
         IOptions<LettuceEncryptOptions> options, AcmeCertificateFactory acmeCertificateFactory,
-        CertificateSelector selector, IEnumerable<ICertificateRepository> certificateRepositories)
+        CertificateSelector selector, DomainNamesEnumerator domainNamesEnumerator,
+        IEnumerable<ICertificateRepository> certificateRepositories)
         : base(context)
     {
         _logger = logger;
         _options = options;
         _acmeCertificateFactory = acmeCertificateFactory;
         _selector = selector;
+        _domainNamesEnumerator = domainNamesEnumerator;
         _certificateRepositories = certificateRepositories;
     }
 
     public override async Task<IAcmeState> MoveNextAsync(CancellationToken cancellationToken)
     {
-        var domainNames = _options.Value.DomainNames;
+        var domainNames = _domainNamesEnumerator.Current;
 
         try
         {
@@ -40,7 +43,7 @@ public override async Task<IAcmeState> MoveNextAsync(CancellationToken cancellat
             _logger.LogInformation("Creating certificate for {hostname}",
                 string.Join(",", domainNames));
 
-            var cert = await _acmeCertificateFactory.CreateCertificateAsync(cancellationToken);
+            var cert = await _acmeCertificateFactory.CreateCertificateAsync(domainNames, cancellationToken);
 
             _logger.LogInformation("Created certificate {subjectName} ({thumbprint})",
                 cert.Subject,
@@ -50,7 +53,7 @@ public override async Task<IAcmeState> MoveNextAsync(CancellationToken cancellat
         }
         catch (Exception ex)
         {
-            _logger.LogError(0, ex, "Failed to automatically create a certificate for {hostname}", domainNames);
+            _logger.LogError(0, ex, "Failed to automatically create a certificate for {hostname}", string.Join(", ", domainNames));
             throw;
         }
 
@@ -61,17 +64,18 @@ private async Task SaveCertificateAsync(X509Certificate2 cert, CancellationToken
     {
         _selector.Add(cert);
 
-        var saveTasks = new List<Task>
-        {
-            Task.Delay(TimeSpan.FromMinutes(5), cancellationToken)
-        };
+        var saveTasks = new List<Task>();
+
+        using var linkedCts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
+        linkedCts.CancelAfter(TimeSpan.FromMinutes(5));
+        var linkedToken = linkedCts.Token;
 
         var errors = new List<Exception>();
         foreach (var repo in _certificateRepositories)
         {
             try
             {
-                saveTasks.Add(repo.SaveAsync(cert, cancellationToken));
+                saveTasks.Add(repo.SaveAsync(cert, linkedToken));
             }
             catch (Exception ex)
             {
@@ -80,7 +84,14 @@ private async Task SaveCertificateAsync(X509Certificate2 cert, CancellationToken
             }
         }
 
-        await Task.WhenAll(saveTasks);
+        try
+        {
+            await Task.WhenAll(saveTasks);
+        }
+        catch (TaskCanceledException e)
+        {
+            errors.Add(e);
+        }
 
         if (errors.Count > 0)
         {

@@ -7,59 +7,58 @@
 
 namespace LettuceEncrypt.Internal.AcmeStates;
 
-internal class CheckForRenewalState : AcmeState
+internal class CheckForRenewalState : SyncAcmeState
 {
     private readonly ILogger<CheckForRenewalState> _logger;
     private readonly IOptions<LettuceEncryptOptions> _options;
     private readonly CertificateSelector _selector;
+    private readonly DomainNamesEnumerator _domainNamesEnumerator;
     private readonly IClock _clock;
 
     public CheckForRenewalState(
         AcmeStateMachineContext context,
         ILogger<CheckForRenewalState> logger,
         IOptions<LettuceEncryptOptions> options,
         CertificateSelector selector,
+        DomainNamesEnumerator domainNamesEnumerator,
         IClock clock) : base(context)
     {
         _logger = logger;
         _options = options;
         _selector = selector;
+        _domainNamesEnumerator = domainNamesEnumerator;
         _clock = clock;
     }
 
-    public override async Task<IAcmeState> MoveNextAsync(CancellationToken cancellationToken)
+    public override IAcmeState MoveNext()
     {
-        while (!cancellationToken.IsCancellationRequested)
+        var checkPeriod = _options.Value.RenewalCheckPeriod;
+        var daysInAdvance = _options.Value.RenewDaysInAdvance;
+        if (!checkPeriod.HasValue || !daysInAdvance.HasValue)
         {
-            var checkPeriod = _options.Value.RenewalCheckPeriod;
-            var daysInAdvance = _options.Value.RenewDaysInAdvance;
-            if (!checkPeriod.HasValue || !daysInAdvance.HasValue)
-            {
-                _logger.LogInformation("Automatic certificate renewal is not configured. Stopping {service}",
-                    nameof(AcmeCertificateLoader));
-                return MoveTo<TerminalState>();
-            }
+            _logger.LogInformation("Automatic certificate renewal is not configured. Stopping {service}",
+                                   nameof(AcmeCertificateLoader));
+            return MoveTo<TerminalState>();
+        }
 
-            var domainNames = _options.Value.DomainNames;
-            if (_logger.IsEnabled(LogLevel.Debug))
-            {
-                _logger.LogDebug("Checking certificates' renewals for {hostname}",
-                    string.Join(", ", domainNames));
-            }
+        var domainNames = _domainNamesEnumerator.Current;
 
-            foreach (var domainName in domainNames)
+        if (_logger.IsEnabled(LogLevel.Debug))
+        {
+            _logger.LogDebug("Checking certificates' renewals for {hostname}",
+                             string.Join(", ", domainNames));
+        }
+
+        foreach (var domainName in domainNames)
+        {
+            if (!_selector.TryGet(domainName, out var cert)
+                || cert == null
+                || cert.NotAfter <= _clock.Now.DateTime + daysInAdvance.Value)
             {
-                if (!_selector.TryGet(domainName, out var cert)
-                    || cert == null
-                    || cert.NotAfter <= _clock.Now.DateTime + daysInAdvance.Value)
-                {
-                    return MoveTo<BeginCertificateCreationState>();
-                }
+                return MoveTo<BeginCertificateCreationState>();
             }
-
-            await Task.Delay(checkPeriod.Value, cancellationToken);
         }
 
-        return MoveTo<TerminalState>();
+        return MoveTo<ServerStartupState>();
     }
 }
@@ -10,30 +10,39 @@ internal class ServerStartupState : SyncAcmeState
 {
     private readonly IOptions<LettuceEncryptOptions> _options;
     private readonly CertificateSelector _selector;
+    private readonly DomainNamesEnumerator _domainNamesEnumerator;
     private readonly ILogger<ServerStartupState> _logger;
 
     public ServerStartupState(
         AcmeStateMachineContext context,
         IOptions<LettuceEncryptOptions> options,
         CertificateSelector selector,
+        DomainNamesEnumerator domainNamesEnumerator,
         ILogger<ServerStartupState> logger) :
         base(context)
     {
         _options = options;
         _selector = selector;
+        _domainNamesEnumerator = domainNamesEnumerator;
         _logger = logger;
     }
 
     public override IAcmeState MoveNext()
     {
-        var domainNames = _options.Value.DomainNames;
-        var hasCertForAllDomains = domainNames.All(_selector.HasCertForDomain);
-        if (hasCertForAllDomains)
+        while (_domainNamesEnumerator.MoveNext())
         {
-            _logger.LogDebug("Certificate for {domainNames} already found.", domainNames);
-            return MoveTo<CheckForRenewalState>();
+            var domainNames = _domainNamesEnumerator.Current;
+            var hasCertForAllDomains = domainNames.All(_selector.HasCertForDomain);
+            if (hasCertForAllDomains)
+            {
+                _logger.LogDebug("Certificate for [{domainNames}] already found.", string.Join(", ", domainNames));
+                return MoveTo<CheckForRenewalState>();
+            }
+
+            return MoveTo<BeginCertificateCreationState>();
         }
 
-        return MoveTo<BeginCertificateCreationState>();
+        _domainNamesEnumerator.Reset();
+        return MoveTo<WaitState>();
     }
 }