# @push.rocks/smartacme

A TypeScript-based ACME client with an easy yet powerful interface for LetsEncrypt certificate management.

## Install

Using pnpm as the package manager:

```bash
pnpm add @push.rocks/smartacme
```

Ensure your project is set up to use TypeScript and ECMAScript Modules (ESM).
## Running Tests

Tests are written using `@push.rocks/tapbundle` and can be run with:

```bash
pnpm test
```

To run a specific test file:

```bash
tsx test/<test-file>.ts
```

## Usage

This guide will walk you through using `@push.rocks/smartacme` to set up and manage ACME (Automated Certificate Management Environment) certificates with a focus on the Let's Encrypt service, which provides free SSL certificates. The library provides an easy yet powerful TypeScript interface to automate the process of obtaining, renewing, and installing your SSL certificates.

### Table of Contents

1. [Setting Up Your Project](#setting-up-your-project)
2. [Creating a SmartAcme Instance](#creating-a-smartacme-instance)
3. [Initializing SmartAcme](#initializing-smartacme)
4. [Obtaining a Certificate for a Domain](#obtaining-a-certificate-for-a-domain)
5. [Automating DNS Challenges](#automating-dns-challenges)
6. [Managing Certificates](#managing-certificates)
7. [Environmental Considerations](#environmental-considerations)
8. [Complete Example](#complete-example)

### Setting Up Your Project

Ensure your project includes the necessary TypeScript configuration and dependencies. You'll need to have TypeScript installed and configured for ECMAScript Modules. If you are new to TypeScript, review its [documentation](https://www.typescriptlang.org/docs/) to get started.

### Creating a SmartAcme Instance

Start by importing the `SmartAcme` class and any built-in handlers you plan to use. For example, to use DNS-01 via Cloudflare:

```typescript
import { SmartAcme, MongoCertManager } from '@push.rocks/smartacme';
import * as cloudflare from '@apiclient.xyz/cloudflare';
import { Dns01Handler } from '@push.rocks/smartacme/ts/handlers/Dns01Handler.js';

// Create a Cloudflare account client with your API token
const cfAccount = new cloudflare.CloudflareAccount('YOUR_CF_TOKEN');

// Initialize a certificate manager (e.g., MongoDB)
const certManager = new MongoCertManager({
  mongoDbUrl: 'mongodb://yourmongoURL',
  mongoDbName: 'yourDbName',
  mongoDbPass: 'yourDbPassword',
});

// Instantiate SmartAcme with the certManager and challenge handlers
const smartAcmeInstance = new SmartAcme({
  accountEmail: 'youremail@example.com',
  certManager,
  environment: 'integration', // 'production' to request real certificates
  retryOptions: {},           // optional retry/backoff settings
  challengeHandlers: [        // pluggable ACME challenge handlers
    new Dns01Handler(cfAccount),
    // add more handlers as needed (e.g., Http01Webroot, Http01MemoryHandler)
  ],
  challengePriority: ['dns-01'], // optional challenge ordering
});
```

### Initializing SmartAcme

Before proceeding to request certificates, start your SmartAcme instance:

```typescript
await smartAcmeInstance.start();
```

### Obtaining a Certificate for a Domain

To obtain a certificate for a specific domain, use the `getCertificateForDomain` method. This function ensures that if a valid certificate is already present, it will be reused; otherwise, a new certificate is obtained:

```typescript
const myDomain = 'example.com';
const myCert = await smartAcmeInstance.getCertificateForDomain(myDomain);
console.log('Certificate:', myCert);
```

### Automating DNS Challenges

SmartAcme uses pluggable ACME challenge handlers (see built-in handlers below) to automate domain validation. You configure handlers via the `challengeHandlers` array when creating the instance, and SmartAcme will invoke each handler’s `prepare`, optional `verify`, and `cleanup` methods during the ACME order flow.

### Managing Certificates

The library automatically handles fetching, renewing, and storing your certificates in a MongoDB database specified via a certificate manager. Ensure your MongoDB instance is accessible and properly configured for use with SmartAcme.

```typescript
import { MongoCertManager } from '@push.rocks/smartacme';

const certManager = new MongoCertManager({
  mongoDbUrl: 'mongodb://yourmongoURL',
  mongoDbName: 'yourDbName',
  mongoDbPass: 'yourDbPassword',
});
```

SmartAcme uses the `ICertManager` interface for certificate storage. Two built-in implementations are available:

- **MemoryCertManager**
  - In-memory storage, suitable for testing or ephemeral use.
  - Import example:
    ```typescript
    import { MemoryCertManager } from '@push.rocks/smartacme';
    const certManager = new MemoryCertManager();
    ```

- **MongoCertManager**
  - Persistent storage in MongoDB (collection: `SmartacmeCert`).
  - Import example:
    ```typescript
    import { MongoCertManager } from '@push.rocks/smartacme';
    const certManager = new MongoCertManager({
      mongoDbUrl: 'mongodb://yourmongoURL',
      mongoDbName: 'yourDbName',
      mongoDbPass: 'yourDbPassword',
    });
    ```

#### Custom Certificate Managers

To implement a custom certificate manager, implement the `ICertManager` interface and pass it to `SmartAcme`:

```typescript
import type { ICertManager, Cert as SmartacmeCert } from '@push.rocks/smartacme';
import { SmartAcme } from '@push.rocks/smartacme';

class MyCustomCertManager implements ICertManager {
  async init(): Promise<void> { /* setup storage */ }
  async get(domainName: string): Promise<SmartacmeCert | null> { /* lookup cert */ }
  async put(cert: SmartacmeCert): Promise<SmartacmeCert> { /* store cert */ }
  async delete(domainName: string): Promise<void> { /* remove cert */ }
  async close?(): Promise<void> { /* optional cleanup */ }
}

// Use your custom manager:
const customManager = new MyCustomCertManager();
const smartAcme = new SmartAcme({
  accountEmail: 'youremail@example.com',
  certManager: customManager,
  environment: 'integration',
  challengeHandlers: [], // add your handlers
});
```

### Environmental Considerations

When creating an instance of `SmartAcme`, you can specify an `environment` option. This is particularly useful for testing, as you can use the `integration` environment to avoid hitting rate limits and for testing your setup without issuing real certificates. Switch to `production` when you are ready to obtain actual certificates.

### Complete Example

Below is a complete example demonstrating how to use `@push.rocks/smartacme` to obtain and manage an ACME certificate with Let's Encrypt using a DNS-01 handler:

```typescript
import { SmartAcme, MongoCertManager } from '@push.rocks/smartacme';
import * as cloudflare from '@apiclient.xyz/cloudflare';
import { Qenv } from '@push.rocks/qenv';
import { Dns01Handler } from '@push.rocks/smartacme/ts/handlers/Dns01Handler.js';

const qenv = new Qenv('./', './.nogit/');
const cloudflareAccount = new cloudflare.CloudflareAccount(qenv.getEnvVarOnDemand('CF_TOKEN'));

async function main() {
  // Initialize MongoDB certificate manager
  const certManager = new MongoCertManager({
    mongoDbUrl: qenv.getEnvVarRequired('MONGODB_URL'),
    mongoDbName: qenv.getEnvVarRequired('MONGODB_DATABASE'),
    mongoDbPass: qenv.getEnvVarRequired('MONGODB_PASSWORD'),
  });

  const smartAcmeInstance = new SmartAcme({
    accountEmail: 'youremail@example.com',
    certManager,
    environment: 'integration',
    challengeHandlers: [new Dns01Handler(cloudflareAccount)],
  });

  await smartAcmeInstance.start();

  const myDomain = 'example.com';
  const myCert = await smartAcmeInstance.getCertificateForDomain(myDomain);
  console.log('Certificate:', myCert);

  await smartAcmeInstance.stop();
}

main().catch(console.error);
```
 
 ## Built-in Challenge Handlers
 
 This module includes three out-of-the-box ACME challenge handlers:
 
 - **Dns01Handler**
   - Uses a Cloudflare account (from `@apiclient.xyz/cloudflare`) and Smartdns client to set and remove DNS TXT records, then wait for propagation.
   - Import path:
     ```typescript
     import { Dns01Handler } from '@push.rocks/smartacme/ts/handlers/Dns01Handler.js';
     ```
   - Example:
     ```typescript
     import * as cloudflare from '@apiclient.xyz/cloudflare';
     const cfAccount = new cloudflare.CloudflareAccount('CF_TOKEN');
     const dnsHandler = new Dns01Handler(cfAccount);
     ```
 
 - **Http01Webroot**
   - Writes ACME HTTP-01 challenge files under a file-system webroot (`/.well-known/acme-challenge/`), and removes them on cleanup.
   - Import path:
     ```typescript
     import { Http01Webroot } from '@push.rocks/smartacme/ts/handlers/Http01Handler.js';
     ```
   - Example:
     ```typescript
     const httpHandler = new Http01Webroot({ webroot: '/var/www/html' });
     ```
 
 - **Http01MemoryHandler**
   - In-memory HTTP-01 challenge handler that stores and serves ACME tokens without disk I/O.
   - Import path:
     ```typescript
     import { Http01MemoryHandler } from '@push.rocks/smartacme/ts/handlers/Http01MemoryHandler.js';
     ```
   - Example (Express integration):
     ```typescript
     import { Http01MemoryHandler } from '@push.rocks/smartacme/ts/handlers/Http01MemoryHandler.js';
     const memoryHandler = new Http01MemoryHandler();
     app.use((req, res, next) => memoryHandler.handleRequest(req, res, next));
     ```
  
 All handlers implement the `IChallengeHandler<T>` interface and can be combined in the `challengeHandlers` array.
 
 ## Creating Custom Handlers
 
 To support additional challenge types or custom validation flows, implement the `IChallengeHandler<T>` interface:
 
 ```typescript
 import type { IChallengeHandler } from '@push.rocks/smartacme/ts/handlers/IChallengeHandler.js';
 
 // Define your custom challenge payload type
 interface MyChallenge { type: string; /* ... */ }
 
 class MyCustomHandler implements IChallengeHandler<MyChallenge> {
   getSupportedTypes(): string[] {
     return ['my-01'];
   }
 
   // Prepare the challenge (set DNS records, start servers, etc.)
   async prepare(ch: MyChallenge): Promise<void> {
     // preparation logic
   }
 
   // Optional verify step after prepare
   async verify?(ch: MyChallenge): Promise<void> {
     // verification logic
   }
 
   // Cleanup after challenge (remove records, stop servers)
   async cleanup(ch: MyChallenge): Promise<void> {
     // cleanup logic
   }
 }
 
 // Then register your handler:
 const customInstance = new SmartAcme({
   /* other options */, 
   challengeHandlers: [ new MyCustomHandler() ],
   challengePriority: ['my-01'],
 });

In this example, `Qenv` is used to manage environment variables, and the Cloudflare library is used to handle DNS challenges through the built-in `Dns01Handler` plugin.

## Additional Details

### Certificate Object

The certificate object obtained from the `getCertificateForDomain` method has the following properties:

- `id`: Unique identifier for the certificate.
- `domainName`: The domain name for which the certificate is issued.
- `created`: Timestamp of when the certificate was created.
- `privateKey`: The private key associated with the certificate.
- `publicKey`: The public key or certificate itself.
- `csr`: Certificate Signing Request (CSR) used to obtain the certificate.
- `validUntil`: Timestamp indicating the expiration date of the certificate.

### Methods Summary

- **start()**: Initializes the SmartAcme instance, sets up the ACME client, and registers the account with Let's Encrypt.
- **stop()**: Closes the MongoDB connection and performs any necessary cleanup.
- **getCertificateForDomain(domainArg: string)**: Retrieves or obtains a certificate for the specified domain name. If a valid certificate exists in the database, it is returned. Otherwise, a new certificate is requested and stored.

### Handling Domain Matching

The `SmartacmeCertMatcher` class is responsible for matching certificates with the broadest scope for wildcard certificates. The `getCertificateDomainNameByDomainName` method ensures that domains at various levels are correctly matched.

```typescript
import { SmartacmeCertMatcher } from '@push.rocks/smartacme';

const certMatcher = new SmartacmeCertMatcher();
const certDomainName = certMatcher.getCertificateDomainNameByDomainName('subdomain.example.com');
console.log('Certificate Domain Name:', certDomainName); // Output: example.com
```

### Testing

Sample tests are provided in the `test` directory. They demonstrate core functionality using the `MemoryCertManager` and built-in challenge handlers. To run all tests, use:

```bash
pnpm test
```


This comprehensive guide ensures you can set up, manage, and test ACME certificates efficiently and effectively using `@push.rocks/smartacme`.

---

## License and Legal Information

This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license.md](license.md) file within this repository.

**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.

### Trademarks

This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.

### Company Information

Task Venture Capital GmbH
Registered at District court Bremen HRB 35230 HB, Germany

For any legal inquiries or if you require further information, please contact us via email at hello@task.vc.

By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.