Retry-After headers are ignored during challenge validation #5293

Closed
miken32 opened this issue Sep 18, 2024 · 1 comment

miken32 commented Sep 18, 2024

More of a feature request than a bug. While checking the status of a processing authorization, Retry-After headers that the server sends are ignored. Instead, a fixed 2-second retry interval is used. There is some code in _send_signed_request() to deal with these headers, but it's only triggered by an error response.

The RFC doesn't explicitly require clients to obey the header:

7.5.1. Responding to Challenges
...
To check on the status of an authorization, the client sends a POST-
as-GET request to the authorization URL, and the server responds with
the current authorization object. In responding to poll requests
while the validation is still in progress, the server MUST return a
200 (OK) response and MAY include a Retry-After header field to
suggest a polling interval to the client.

But it might be nice. Implementing this would also necessitate a change in the number of max attempts from 30 to something dynamic.

I'd submit a PR but, even as someone pretty familiar with shell scripting, I find this code pretty bewildering.

Debug log

Note the response headers contain a retry-after header, but the retry interval is set to 2 seconds.

[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:_send_signed_request:2241        responseHeaders='HTTP/2 200 
server: nginx/1.26.2
content-type: application/json
x-powered-by: PHP/8.3.11
retry-after: 30
cache-control: no-cache, private
date: Wed, 18 Sep 2024 23:11:13 GMT
replay-nonce: wpUoY-KwoM_nD4Xdeex2hTF9drgUiw_nEH-3_v-LurI
link: <https://localhost/acme>;rel="index"
'
[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:_send_signed_request:2244        code='200'
[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:_send_signed_request:2246        original='{"identifier":{"type":"dns","value":"adsf.example.com"},"status":"pending","expires":"2024-09-18T23:16:04+00:00","challenges":[{"type":"http-01","url":"https:\/\/localhost\/acme\/challenge\/43","status":"processing","token":"ik8T3lPPcNlrHkGW4PJJEetQLsLEZHjBU1OuVrp7zjVz0gRUHfXFKN5Ay6eY91bhSbCLoLjzJ7EPwYJchKGgkw"},{"type":"dns-01","url":"https:\/\/localhost\/acme\/challenge\/44","status":"pending","token":"Zy7ESKs7Mi43aDr-CvHzQd7dQ6qzy275XOwB3UaLanOG3_xrczAc50TEjMN-monIz7IDi2_PvZ__5HQAZSO3Ww"}]}'
[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:_json_decode:902                 _json_decode
[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:_json_decode:903                 _j_str='{"identifier":{"type":"dns","value":"adsf.example.com"},"status":"pending","expires":"2024-09-18T23:16:04+00:00","challenges":[{"type":"http-01","url":"https://localhost/acme/challenge/43","status":"processing","token":"ik8T3lPPcNlrHkGW4PJJEetQLsLEZHjBU1OuVrp7zjVz0gRUHfXFKN5Ay6eY91bhSbCLoLjzJ7EPwYJchKGgkw"},{"type":"dns-01","url":"https://localhost/acme/challenge/44","status":"pending","token":"Zy7ESKs7Mi43aDr-CvHzQd7dQ6qzy275XOwB3UaLanOG3_xrczAc50TEjMN-monIz7IDi2_PvZ__5HQAZSO3Ww"}]}'
[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:_send_signed_request:2250        response='{"identifier":{"type":"dns","value":"adsf.example.com"},"status":"pending","expires":"2024-09-18T23:16:04+00:00","challenges":[{"type":"http-01","url":"https://localhost/acme/challenge/43","status":"processing","token":"ik8T3lPPcNlrHkGW4PJJEetQLsLEZHjBU1OuVrp7zjVz0gRUHfXFKN5Ay6eY91bhSbCLoLjzJ7EPwYJchKGgkw"},{"type":"dns-01","url":"https://localhost/acme/challenge/44","status":"pending","token":"Zy7ESKs7Mi43aDr-CvHzQd7dQ6qzy275XOwB3UaLanOG3_xrczAc50TEjMN-monIz7IDi2_PvZ__5HQAZSO3Ww"}]}'
[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:issue:5053                       original='{"identifier":{"type":"dns","value":"adsf.example.com"},"status":"pending","expires":"2024-09-18T23:16:04+00:00","challenges":[{"type":"http-01","url":"https://localhost/acme/challenge/43","status":"processing","token":"ik8T3lPPcNlrHkGW4PJJEetQLsLEZHjBU1OuVrp7zjVz0gRUHfXFKN5Ay6eY91bhSbCLoLjzJ7EPwYJchKGgkw"},{"type":"dns-01","url":"https://localhost/acme/challenge/44","status":"pending","token":"Zy7ESKs7Mi43aDr-CvHzQd7dQ6qzy275XOwB3UaLanOG3_xrczAc50TEjMN-monIz7IDi2_PvZ__5HQAZSO3Ww"}]}'
[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:issue:5056                       response='{"identifier":{"type":"dns","value":"adsf.example.com"},"status":"pending","expires":"2024-09-18T23:16:04+00:00","challenges":[{"type":"http-01","url":"https://localhost/acme/challenge/43","status":"processing","token":"ik8T3lPPcNlrHkGW4PJJEetQLsLEZHjBU1OuVrp7zjVz0gRUHfXFKN5Ay6eY91bhSbCLoLjzJ7EPwYJchKGgkw"},{"type":"dns-01","url":"https://localhost/acme/challenge/44","status":"pending","token":"Zy7ESKs7Mi43aDr-CvHzQd7dQ6qzy275XOwB3UaLanOG3_xrczAc50TEjMN-monIz7IDi2_PvZ__5HQAZSO3Ww"}]}'
[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:issue:5059                       status='pending
processing
pending'
[Wed 18 Sep 2024 17:11:13 MDT] Pending. The CA is processing your order, please wait. (3/30)
[Wed 18 Sep 2024 17:11:13 MDT] acme.sh:issue:5101                       Sleep 2 seconds before verifying again

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
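The polling behaviour requested in the issue, sketched as an added example that is not acme.sh code and not part of the thread: it reads Retry-After from a 200 response, clamps the server-supplied value, and replaces the fixed attempt count with a time budget. The function names, the 1 to 60 second clamp and the 300 second budget are assumptions, and the HTTP-date form relies on GNU `date -d`, falling back to the 2 second default elsewhere.

```shell
#!/bin/sh
# Added example (not acme.sh code); every name below is hypothetical.
DEFAULT_DELAY=2   # the fixed interval seen in the issue's log
MIN_DELAY=1       # assumed floor: never busy-loop on "retry-after: 0"
MAX_DELAY=60      # assumed cap: the server cannot stall the client
POLL_BUDGET=300   # assumed total wait in seconds, replacing "30 attempts"

# Headers trimmed from the debug log in the issue.
SAMPLE_HEADERS='HTTP/2 200
server: nginx/1.26.2
retry-after: 30
date: Wed, 18 Sep 2024 23:11:13 GMT'

# poll_delay HEADERS NOW_EPOCH -> seconds to sleep before the next poll.
poll_delay() {
  _v=$(printf '%s\n' "$1" | tr -d '\r' | awk -F': *' '
    tolower($1) == "retry-after" {
      sub(/^[^:]*: */, ""); sub(/[ \t]+$/, ""); print; exit }')
  case "$_v" in
    '') _d=$DEFAULT_DELAY ;;                 # header absent
    *[!0-9]*)                                # not delta-seconds: HTTP-date?
      if _t=$(date -u -d "$_v" +%s 2>/dev/null); then   # GNU date only
        _d=$((_t - $2))
      else
        _d=$DEFAULT_DELAY
      fi ;;
    ???????*) _d=$MAX_DELAY ;;               # absurdly large: skip arithmetic
    *) _d=${_v#"${_v%%[!0]*}"}               # strip leading zeros (no octal)
       _d=${_d:-0} ;;
  esac
  if [ "$_d" -lt "$MIN_DELAY" ]; then _d=$MIN_DELAY; fi
  if [ "$_d" -gt "$MAX_DELAY" ]; then _d=$MAX_DELAY; fi
  printf '%s\n' "$_d"
}

# polls_within_budget HEADERS NOW_EPOCH -> how many polls fit in POLL_BUDGET
# if every response carries HEADERS (no real sleeping, for illustration).
polls_within_budget() {
  _left=$POLL_BUDGET
  _n=0
  while [ "$_left" -gt 0 ]; do
    _n=$((_n + 1))
    _s=$(poll_delay "$1" "$2")
    _left=$((_left - _s))
  done
  printf '%s\n' "$_n"
}

echo "delay: $(poll_delay "$SAMPLE_HEADERS" "$(date +%s)")s," \
  "polls: $(polls_within_budget "$SAMPLE_HEADERS" "$(date +%s)")"
```

With the header from the log the client would poll 10 times over the budget instead of 150 times at the fixed interval, and an oversized value such as `Retry-After: 86400` is capped rather than obeyed.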
