feat: add auto-tls service #2798
Conversation
Adds an optional service that requests a Let's Encrypt-style TLS certificate when publicly dialable addresses are detected. This will allow transports such as WebSockets to upgrade themselves to be the secure version.
packages/auto-tls/src/index.ts
Outdated
| /** | ||
| * How long before the expiry of the certificate to renew it in ms | ||
| * | ||
| * @default 60000 | ||
| */ | ||
| renewThreshold?: number |
There was a problem hiding this comment.
This situation is a little different than domain cert renewal, but cert renewal should allow for resolving any errors that pop up when a renewal is attempted. Should we set the renewal time to a full day or week before expiry instead of only one minute?
There was a problem hiding this comment.
I've increased the default to one day but I'm not sure what we can do here other than retry?
| const crypto = new Crypto() | ||
| x509.cryptoProvider.set(crypto) | ||
|
|
||
| type CertificateEvent = 'certificate:provision' | 'certificate:renew' |
There was a problem hiding this comment.
| type CertificateEvent = 'certificate:provision' | 'certificate:renew' | |
| type CertificateEvent = 'certificate:provision' | 'certificate:renew' | `certificate:load` |
add event for loading a cert during startup?
There was a problem hiding this comment.
I thought about doing something like this but it wasn't clear to me what the actual difference between certificate:provision and certificate:load would be, they both just mean "a certificate is available and one wasn't before", whereas certificate:renew means "a certificate is available but you may need to undo what you did before to start using it".
Adds an optional service that requests a Let's Encrypt-style TLS certificate when publicly dialable addresses are detected.
This will allow transports such as WebSockets to upgrade themselves to be the secure version.
Change checklist