aboutsummaryrefslogtreecommitdiffstats
path: root/client
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-06-30 19:57:12 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-06-30 20:14:14 +0200
commita9a6208f5c7e0f73fd8b370f99f5c8f58e6b381c (patch)
tree274bea32292bdfc3025353665a771e7cdf9ab237 /client
parent79e06aeb557e0af7564d64987600ca2138ce04c3 (diff)
Honor Retry-After headers for certificate issuance and challenge responses.
Diffstat (limited to 'client')
-rwxr-xr-xclient33
1 files changed, 23 insertions, 10 deletions
diff --git a/client b/client
index 46f388f..3bf0bad 100755
--- a/client
+++ b/client
@@ -257,6 +257,7 @@ elsif ($COMMAND =~ /\Areg=(\p{Print}+)\Z/) {
#
elsif ($COMMAND eq 'new-cert') {
die unless @ARGV;
+ my $timeout = $CONFIG->{timeout} // 10;
foreach my $domain (@ARGV) {
print STDERR "Processing new DNS authz for $domain\n" if $ENV{DEBUG};
my $r = acme_resource('new-authz', identifier => {type => 'dns', value => $domain});
@@ -288,7 +289,7 @@ elsif ($COMMAND eq 'new-cert') {
$content = request_json_decode($r),
$status = $content->{status} // 'pending',
$status ne 'valid';
- $r = request('GET' => $challenge->{uri}), $i++ ) {
+ $r = request('GET' => $challenge->{uri})) {
if (defined (my $problem = $content->{error})) { # problem document (RFC 7807)
my $msg = $problem->{status};
$msg .= " " .$problem->{title} if defined $problem->{title};
@@ -296,9 +297,16 @@ elsif ($COMMAND eq 'new-cert') {
die $msg, "\n";
}
die "Error: Invalid challenge for $domain (status: ".$status.")\n" if $status ne 'pending';
- die "Timeout exceeded while waiting for challenge to pass ($domain)\n"
- if $i >= ($CONFIG->{timeout} // 10);
- sleep 1;
+
+ my $sleep = 1;
+ if (defined (my $retry_after = $r->header('Retry-After'))) {
+ print STDERR "Retrying after $retry_after seconds...\n";
+ $sleep = $retry_after;
+ }
+
+ $i += $sleep;
+ die "Timeout exceeded while waiting for challenge to pass ($domain)\n" if $timeout > 0 and $i >= $timeout;
+ sleep $sleep;
}
}
@@ -309,12 +317,17 @@ elsif ($COMMAND eq 'new-cert') {
# https://acme-v01.api.letsencrypt.org/acme/cert/$serial
print STDERR "Certificate URI: $uri\n";
- # wait for the cert
- for (my $i = 0; $r->decoded_content() eq ''; $r = request('GET' => $uri), $i++) {
- die request_status_line($r), "\n" unless $r->is_success();
- die "Timeout exceeded while waiting for certificate\n"
- if $i >= ($CONFIG->{timeout} // 10);
- sleep 1;
+ if ($r->decoded_content() eq '') { # wait for the cert
+ for (my $i = 0;;) {
+ $r = request('GET' => $uri);
+ die request_status_line($r), "\n" unless $r->is_success();
+ last unless $r->code == 202; # Accepted
+ my $retry_after = $r->header('Retry-After') // 1;
+ print STDERR "Retrying after $retry_after seconds...\n";
+ $i += $retry_after;
+ die "Timeout exceeded while waiting for certificate\n" if $timeout > 0 and $i >= $timeout;
+ sleep $retry_after;
+ }
}
my $der = $r->decoded_content();