Add ACME-based just-wait expired TLS endpoint

pimterry · pimterry · commit 7fccd7efc30a · 2026-01-21T15:48:01.000+01:00
For now this will be ultra-slow, since we use ZeroSSL who only support
90 days certs. In future this will merely be moderately slow, once we're
using Let's Encrypt 6 day certs or Google 1+ day certs.
diff --git a/src/server.ts b/src/server.ts
@@ -74,7 +74,13 @@ async function generateTlsConfig(options: ServerOptions) {
         ca: caCert.cert,
         generateCertificate: (domain: string, mode?: CertMode) => {
             if (mode === 'self-signed') return ca.generateSelfSignedCertificate(domain);
-            if (mode === 'expired') return ca.generateExpiredCertificate(domain);
+
+            if (mode === 'expired') {
+                // Try to get an actually-expired ACME cert; fall back to LocalCA if not expired yet
+                const expiredAcmeCert = acmeCA.tryGetExpiredCertificateSync(rootDomain);
+                if (expiredAcmeCert) return expiredAcmeCert;
+                return ca.generateExpiredCertificate(domain);
+            }
 
             if (domain === rootDomain || domain.endsWith('.' + rootDomain)) {
                 const cert = acmeCA.tryGetCertificateSync(domain);
diff --git a/src/tls-certificates/acme.ts b/src/tls-certificates/acme.ts
@@ -71,6 +71,54 @@ export class AcmeCA {
         return cachedCert;
     }
 
+    // Returns an ACME cert only if it has actually expired. Issues once, never renews.
+    // Returns undefined if no expired ACME cert is available (caller should use LocalCA fallback).
+    tryGetExpiredCertificateSync(domain: string) {
+        const cacheKey = `${domain}:expired`;
+        const cachedCert = this.certCache.getCert(cacheKey);
+
+        if (cachedCert) {
+            const isExpired = cachedCert.expiry <= Date.now();
+            console.log(`Found cached expired-mode cert for ${domain} (expiry: ${new Date(cachedCert.expiry).toISOString()}, actually expired: ${isExpired})`);
+
+            if (isExpired) {
+                return cachedCert;
+            }
+            // Not yet expired - caller should use LocalCA fallback
+            return undefined;
+        }
+
+        // No cached cert - issue one in the background (will be expired eventually)
+        const attemptId = Math.random().toString(16).slice(2);
+        console.log(`No expired-mode cert cached for ${domain}, issuing new one (${attemptId})`);
+        this.issueExpiredModeCertificate(domain, cacheKey, attemptId);
+
+        return undefined;
+    }
+
+    private async issueExpiredModeCertificate(domain: string, cacheKey: string, attemptId: string) {
+        if (this.pendingCertRenewals[cacheKey]) {
+            console.log(`Expired-mode cert already being issued for ${domain} (${attemptId})`);
+            return;
+        }
+
+        const refreshPromise = Object.assign(
+            this.requestNewCertificate(domain, { attemptId }).then((certData) => {
+                delete this.pendingCertRenewals[cacheKey];
+                this.certCache.cacheCert({ ...certData, domain: cacheKey });
+                console.log(`Expired-mode cert issued for ${domain} (${attemptId}), will expire: ${new Date(certData.expiry).toISOString()}`);
+                return certData;
+            }).catch((e) => {
+                delete this.pendingCertRenewals[cacheKey];
+                console.log(`Expired-mode cert generation failed for ${domain} (${attemptId}):`, e.message);
+                throw e;
+            }),
+            { id: attemptId }
+        );
+
+        this.pendingCertRenewals[cacheKey] = refreshPromise;
+    }
+
     private async getCertificate(
         domain: string,
         options: { forceRegenerate?: boolean, attemptId: string }
