1 files changed, 32 insertions, 12 deletions

diff --git a/client b/client
index 2566c9b..3bf0bad 100755
--- a/client
+++ b/client
@@ -257,6 +257,7 @@ elsif ($COMMAND =~ /\Areg=(\p{Print}+)\Z/) {
 #
 elsif ($COMMAND eq 'new-cert') {
     die unless @ARGV;
+    my $timeout = $CONFIG->{timeout} // 10;
     foreach my $domain (@ARGV) {
         print STDERR "Processing new DNS authz for $domain\n" if $ENV{DEBUG};
         my $r = acme_resource('new-authz', identifier => {type => 'dns', value => $domain});
@@ -284,14 +285,28 @@ elsif ($COMMAND eq 'new-cert') {
             keyAuthorization => $keyAuthorization
         });
         # wait until the status become 'valid'
-        for ( my $i = 0, my $status;
-              $status = request_json_decode($r)->{status} // 'pending',
+        for ( my $i = 0, my $content, my $status;
+              $content = request_json_decode($r),
+              $status = $content->{status} // 'pending',
               $status ne 'valid';
-              $r = request('GET' => $challenge->{uri}), $i++ ) {
+              $r = request('GET' => $challenge->{uri})) {
+            if (defined (my $problem = $content->{error})) { # problem document (RFC 7807)
+                my $msg = $problem->{status};
+                $msg .= " " .$problem->{title}      if defined $problem->{title};
+                $msg .= " (".$problem->{detail}.")" if defined $problem->{detail};
+                die $msg, "\n";
+            }
             die "Error: Invalid challenge for $domain (status: ".$status.")\n" if $status ne 'pending';
-            die "Timeout exceeded while waiting for challenge to pass ($domain)\n"
-                if $i >= ($CONFIG->{timeout} // 10);
-            sleep 1;
+
+            my $sleep = 1;
+            if (defined (my $retry_after = $r->header('Retry-After'))) {
+                print STDERR "Retrying after $retry_after seconds...\n";
+                $sleep = $retry_after;
+            }
+
+            $i += $sleep;
+            die "Timeout exceeded while waiting for challenge to pass ($domain)\n" if $timeout > 0 and $i >= $timeout;
+            sleep $sleep;
         }
     }
 
@@ -302,12 +317,17 @@ elsif ($COMMAND eq 'new-cert') {
     # https://acme-v01.api.letsencrypt.org/acme/cert/$serial
     print STDERR "Certificate URI: $uri\n";
 
-    # wait for the cert
-    for (my $i = 0; $r->decoded_content() eq ''; $r = request('GET' => $uri), $i++) {
-        die request_status_line($r), "\n" unless $r->is_success();
-        die "Timeout exceeded while waiting for certificate\n"
-            if $i >= ($CONFIG->{timeout} // 10);
-        sleep 1;
+    if ($r->decoded_content() eq '') { # wait for the cert
+        for (my $i = 0;;) {
+            $r = request('GET' => $uri);
+            die request_status_line($r), "\n" unless $r->is_success();
+            last unless $r->code == 202; # Accepted
+            my $retry_after = $r->header('Retry-After') // 1;
+            print STDERR "Retrying after $retry_after seconds...\n";
+            $i += $retry_after;
+            die "Timeout exceeded while waiting for certificate\n" if $timeout > 0 and $i >= $timeout;
+            sleep $retry_after;
+        }
     }
     my $der = $r->decoded_content();