Browse Source

uacme: add retries

Prior to this commit, the acme service attempted to obtain certificates
once and then terminated, regardless of whether the certificate could be
obtained or not. This commit introduces a new uci option "retries" to
the "certificate" section. If this option is set to N, the acme service
will attempt to obtain the certificate up to N times before terminating.
There is a waiting pause between the retries to comply with the rate
limits of Let'sEncrypt.

The waiting pause is:
-  2 minutes for staging certificates
- 24 minutes for production certificates

The current "Failed Validation" rate limits of Let'sEncrypt are:
- staging:   60 per hour -> 1 failure every 1 minute in avg.
- production: 5 per hour -> 1 failure every 12 minutes in avg.

This means that we are within rate limits by a factor of two.

By default the option "retries" is set to "1", which means that acme
behaves as before by default. If the variable is set to "0", infinite
retries are performed.

This feature is helpful, when you already want to initiate the
certificate request, but you are still waiting for your dns server to be
configured, your network to appear or other conditions.

Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
lilik-openwrt-22.03
Leonardo Mörlein 4 years ago
committed by Rosen Penev
parent
commit
24ddf22073
1 changed files with 46 additions and 2 deletions
  1. +46
    -2
      net/uacme/files/run.sh

+ 46
- 2
net/uacme/files/run.sh View File

@ -236,7 +236,7 @@ issue_cert()
UPDATE_HAPROXY=$update_haproxy UPDATE_HAPROXY=$update_haproxy
USER_CLEANUP=$user_cleanup USER_CLEANUP=$user_cleanup
[ "$enabled" -eq "1" ] || return
[ "$enabled" -eq "1" ] || return 0
if [ "$APP" = "uacme" ]; then if [ "$APP" = "uacme" ]; then
[ "$DEBUG" -eq "1" ] && debug="--verbose --verbose" [ "$DEBUG" -eq "1" ] && debug="--verbose --verbose"
@ -395,6 +395,50 @@ issue_cert()
post_checks post_checks
} }
issue_cert_with_retries() {
local section="$1"
local use_staging
local retries
local infinite_retries
config_get_bool use_staging "$section" use_staging
config_get retries "$section" retries
[ -z "$retries" ] && retries=1
[ "$retries" -eq "0" ] && infinite_retries=1
while true; do
issue_cert "$1"; ret=$?
if [ "$ret" -eq "2" ]; then
# An error occurred while retrieving the certificate.
retries="$((retries-1))"
if [ -z "$infinite_retries" ] && [ "$retries" -lt "1" ]; then
log "An error occurred while retrieving the certificate. Retries exceeded."
return "$ret"
fi
if [ "$use_staging" -eq "1" ]; then
# The "Failed Validations" limit of LetsEncrypt is 60 per hour. This
# means one failure every minute. Here we wait 2 minutes to be within
# limits for sure.
sleeptime=120
else
# There is a "Failed Validation" limit of LetsEncrypt is 5 failures per
# account, per hostname, per hour. This means one failure every 12
# minutes. Here we wait 25 minutes to be within limits for sure.
sleeptime=1500
fi
log "An error occurred while retrieving the certificate. Retrying in $sleeptime seconds."
sleep "$sleeptime"
continue
else
return "$ret";
fi
done
}
load_vars() load_vars()
{ {
local section="$1" local section="$1"
@ -426,7 +470,7 @@ trap err_out HUP TERM
trap int_out INT trap int_out INT
if [ -z "$INCLUDE_ONLY" ]; then if [ -z "$INCLUDE_ONLY" ]; then
config_foreach issue_cert cert
config_foreach issue_cert_with_retries cert
exit 0 exit 0
fi fi

Loading…
Cancel
Save