ol.clave.automation.impl.config
resolve-config
(resolve-config system domain)
Merge global config with per-domain overrides.
Returns the resolved configuration for a specific domain by merging the global config with any per-domain overrides from config-fn.
If config-fn is nil or returns nil, returns the global config unchanged.
| key | description |
|----------|-----------------------------------------------------------|
| system | System map containing :config and optional :config-fn |
| domain | Domain name to resolve configuration for |
select-issuer
(select-issuer config)
Select issuers based on the issuer-selection policy.
Returns the issuers in the appropriate order based on :issuer-selection:
- :in-order (default) - return issuers in original order
- :shuffle - return issuers in random order
| key | description |
|----------|----------------------------------------------------------------|
| config | Configuration with :issuers and optional :issuer-selection |
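The following sketch is an added example, not the library's own code. It walks the behaviour described for resolve-config and select-issuer so you can see which issuers a given domain ends up with. The shallow `merge`, the single-argument `:config-fn`, the `:directory-url` issuer field and all URLs and domains are assumptions made for illustration.

```clojure
(ns example.per-domain-config)

;; Constructed system map. Issuer entries, URLs and the override function
;; are placeholders, not values taken from the library.
(def system
  {:config    {:issuers          [{:directory-url "https://ca-one.example/directory"}
                                  {:directory-url "https://ca-two.example/directory"}]
               :issuer-selection :in-order}
   :config-fn (fn [domain]
                ;; Only one domain gets an override; every other domain
                ;; returns nil and keeps the global config.
                (when (= domain "internal.example.test")
                  {:issuers [{:directory-url "https://private-ca.example/directory"}]}))})

(defn resolve-config-sketch
  "Assumed behaviour: shallow merge of the per-domain override over :config.
  A nil :config-fn or a nil result leaves the global config unchanged."
  [{:keys [config config-fn]} domain]
  (merge config (when config-fn (config-fn domain))))

(defn select-issuer-sketch
  "Orders issuers by :issuer-selection; anything but :shuffle is in-order."
  [{:keys [issuers issuer-selection]}]
  (case issuer-selection
    :shuffle (shuffle issuers)
    issuers))

(defn issuer-urls
  "Directory URLs, in the order they would be tried, for one domain."
  [system domain]
  (->> (resolve-config-sketch system domain)
       select-issuer-sketch
       (mapv :directory-url)))

(doseq [domain ["www.example.test" "internal.example.test"]]
  (println domain "->" (issuer-urls system domain)))

;; With no :config-fn at all, every domain resolves to the global issuers.
(println "no config-fn ->"
         (issuer-urls (dissoc system :config-fn) "internal.example.test"))
```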
default-config
(default-config)
Returns the default configuration for the automation layer.
Default values:
- Issuer: Let’s Encrypt production
- Key type: P256 (ECDSA)
- OCSP: enabled, must-staple disabled
- ARI: enabled
- Key reuse: disabled
- Cache capacity: unlimited
issuer-key-from-url
(issuer-key-from-url url)
Extract issuer key from directory URL.
Returns a unique identifier for the issuer based on the URL’s host and path.
| key | description |
|-------|--------------------|
| url | ACME directory URL |
cert-storage-key
(cert-storage-key issuer-key domain)
Generate storage key for a certificate PEM file.
Format: certificates/{issuer-key}/{domain}/{domain}.crt
| key | description |
|--------------|-------------------------------------------------|
| issuer-key | Issuer identifier (hostname from directory URL) |
| domain | Primary domain name |
key-storage-key
(key-storage-key issuer-key domain)
Generate storage key for a private key PEM file.
Format: certificates/{issuer-key}/{domain}/{domain}.key
| key | description |
|--------------|-------------------------------------------------|
| issuer-key | Issuer identifier (hostname from directory URL) |
| domain | Primary domain name |
meta-storage-key
(meta-storage-key issuer-key domain)
Generate storage key for certificate metadata EDN file.
Format: certificates/{issuer-key}/{domain}/{domain}.edn
| key | description |
|--------------|-------------------------------------------------|
| issuer-key | Issuer identifier (hostname from directory URL) |
| domain | Primary domain name |
certs-prefix
(certs-prefix issuer-key)
Generate storage prefix for listing certificates under an issuer.
Format: certificates/{issuer-key}
| key | description |
|--------------|-------------------------------------------------|
| issuer-key | Issuer identifier (hostname from directory URL) |
account-private-key-storage-key
(account-private-key-storage-key issuer-key)
Generate storage key for an account private key PEM file.
Format: accounts/{issuer-key}/account.key
| key | description |
|--------------|-------------------------------------------------|
| issuer-key | Issuer identifier (hostname from directory URL) |
account-public-key-storage-key
(account-public-key-storage-key issuer-key)
Generate storage key for an account public key PEM file.
| key | description |
|--------------|-------------------------------------------------|
| issuer-key | Issuer identifier (hostname from directory URL) |
account-registration-storage-key
(account-registration-storage-key issuer-key)
Generate storage key for account registration EDN.
Format: accounts/{issuer-key}/registration.edn
Contains the account KID (URL) returned by the CA after registration, allowing subsequent operations to skip the newAccount call.
ocsp-storage-key
(ocsp-storage-key issuer-key domain)
Generate storage key for an OCSP staple file.
Format: certificates/{issuer-key}/{domain}/{domain}.ocsp
The OCSP staple is stored as raw DER-encoded bytes.
| key | description |
|--------------|-------------------------------------------------|
| issuer-key | Issuer identifier (hostname from directory URL) |
| domain | Primary domain name |
compromised-key-storage-key
(compromised-key-storage-key domain timestamp)
Generate storage key for archiving a compromised private key.
Format: keys/{domain}.compromised.{timestamp}
Compromised keys are archived for audit purposes and never reused.
| key | description |
|-------------|----------------------------------------------------|
| domain | Primary domain name |
| timestamp | ISO-8601 timestamp when key was marked compromised |
ari-storage-key
(ari-storage-key issuer-key domain)
Generate storage key for ARI (ACME Renewal Information) data.
Format: certificates/{issuer-key}/{domain}/{domain}.ari.edn
The ARI data is stored as EDN containing suggested-window, selected-time, and retry-after.
| key | description |
|--------------|-------------------------------------------------|
| issuer-key | Issuer identifier (hostname from directory URL) |
| domain | Primary domain name |
challenge-token-storage-key
(challenge-token-storage-key issuer-key identifier)
Generate storage key for a challenge token (distributed solving).
Format: challenge_tokens/{issuer-key}/{identifier}.edn
Used to store challenge data so any instance in a cluster can serve the challenge response for HTTP-01 or TLS-ALPN-01 validation.
| key | description |
|--------------|-------------------------------------------------|
| issuer-key | Issuer identifier (hostname from directory URL) |
| identifier | Domain or IP address being validated |
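The storage-key formats documented above are enough to audit a storage backend for private key material. This is an added example, not part of the library: it classifies a constructed listing by format and returns the keys that hold private keys, so access to them can be restricted. The issuer key `ca.example`, the domain and the timestamp are made-up sample values.

```clojure
(ns example.storage-key-audit)

;; Constructed listing that follows the documented formats.
(def sample-keys
  ["accounts/ca.example/account.key"
   "accounts/ca.example/registration.edn"
   "certificates/ca.example/www.example.test/www.example.test.crt"
   "certificates/ca.example/www.example.test/www.example.test.key"
   "certificates/ca.example/www.example.test/www.example.test.edn"
   "certificates/ca.example/www.example.test/www.example.test.ocsp"
   "certificates/ca.example/www.example.test/www.example.test.ari.edn"
   "challenge_tokens/ca.example/www.example.test.edn"
   "keys/www.example.test.compromised.2024-01-01T00:00:00Z"])

;; Ordered [pattern kind] pairs, first match wins. The \1 back-reference
;; enforces the {domain}/{domain}.ext repetition in the certificate formats.
(def rules
  [[#"accounts/[^/]+/account\.key"               :account-private-key]
   [#"accounts/[^/]+/registration\.edn"          :account-registration]
   [#"certificates/[^/]+/([^/]+)/\1\.key"        :certificate-private-key]
   [#"certificates/[^/]+/([^/]+)/\1\.crt"        :certificate]
   [#"certificates/[^/]+/([^/]+)/\1\.ari\.edn"   :ari]
   [#"certificates/[^/]+/([^/]+)/\1\.ocsp"       :ocsp-staple]
   [#"certificates/[^/]+/([^/]+)/\1\.edn"        :certificate-metadata]
   [#"challenge_tokens/[^/]+/[^/]+\.edn"         :challenge-token]
   [#"keys/.+\.compromised\..+"                  :compromised-private-key]])

(defn classify
  "Kind of object a storage key refers to, or :unrecognised."
  [storage-key]
  (or (some (fn [[re kind]] (when (re-matches re storage-key) kind)) rules)
      :unrecognised))

(def private-key-kinds
  #{:account-private-key :certificate-private-key :compromised-private-key})

(defn private-key-material
  "Subset of storage keys that hold private keys, archived ones included."
  [storage-keys]
  (filterv (comp private-key-kinds classify) storage-keys))

(doseq [k sample-keys]
  (println (classify k) k))

(println "restrict access to:" (private-key-material sample-keys))
```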
select-chain
(select-chain preference chains)
Select a certificate chain based on preference.
Preferences:
- :any (default) - return first chain offered
- :shortest - return chain with fewest certificates
- {:root "Root CA Name"} - return chain with matching root name
Returns nil if chains is empty. Falls back to first chain if root name not found.
| key | description |
|--------------|---------------------------------------------------------------|
| preference | Chain preference (:any, :shortest, or {:root name}) |
| chains | Sequence of chain maps with :chain (certs) and :root-name |
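Because an unmatched root name falls back to the first chain, `{:root ...}` is a preference rather than a guarantee. The sketch below is an added example, not the library's implementation: `pick-chain` follows the documented rules on constructed chains, and the hypothetical `root-pin-honoured?` helper shows how a caller can detect that the fallback was taken.

```clojure
(ns example.chain-preference)

;; Constructed sample: two chains as a CA might offer them. The :chain
;; entries are placeholder strings, not real certificates.
(def sample-chains
  [{:root-name "Example Root A"
    :chain     ["leaf" "intermediate-1" "cross-signed-root"]}
   {:root-name "Example Root B"
    :chain     ["leaf" "intermediate-2"]}])

(defn pick-chain
  "Hypothetical stand-in that follows the documented select-chain rules."
  [preference chains]
  (when (seq chains)                      ; nil when no chains are offered
    (cond
      (= preference :shortest)
      (apply min-key #(count (:chain %)) chains)

      (map? preference)
      (or (first (filter #(= (:root preference) (:root-name %)) chains))
          (first chains))                 ; documented fallback: first chain

      :else                               ; :any, the default
      (first chains))))

(defn root-pin-honoured?
  "False when a {:root name} preference was resolved through the fallback,
  meaning the selected chain does not end at the requested root."
  [preference selected]
  (or (not (map? preference))
      (= (:root preference) (:root-name selected))))

(doseq [pref [:any :shortest {:root "Example Root B"} {:root "Unknown Root"}]]
  (let [selected (pick-chain pref sample-chains)]
    (println pref "->" (:root-name selected)
             "| pin honoured:" (root-pin-honoured? pref selected))))

(println "empty ->" (pick-chain :any []))
```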