From 07746d28bc4a9f838994eaeecfca3258e55f2f68 Mon Sep 17 00:00:00 2001 From: Igor Zornik Date: Thu, 2 May 2024 08:13:54 +0200 Subject: [PATCH 1/3] Set the retry after value from the renewal information response --- certificate/renewal.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/certificate/renewal.go b/certificate/renewal.go index 4f420301cb..55276ba367 100644 --- a/certificate/renewal.go +++ b/certificate/renewal.go @@ -21,6 +21,10 @@ type RenewalInfoRequest struct { // RenewalInfoResponse is a wrapper around acme.RenewalInfoResponse that provides a method for determining when to renew a certificate. type RenewalInfoResponse struct { acme.RenewalInfoResponse + + // RetryAfter header indicating the polling interval that the ACME server recommends. + // Conforming clients SHOULD query the renewalInfo URL again after the RetryAfter period has passed, as the server may provide a different suggestedWindow. + RetryAfter time.Duration } // ShouldRenewAt determines the optimal renewal time based on the current time (UTC),renewal window suggest by ARI, and the client's willingness to sleep. @@ -81,6 +85,14 @@ func (c *Certifier) GetRenewalInfo(req RenewalInfoRequest) (*RenewalInfoResponse if err != nil { return nil, err } + + if retry := resp.Header.Get("Retry-After"); retry != "" { + info.RetryAfter, err = time.ParseDuration(retry + "s") + if err != nil { + return nil, err + } + } + return &info, nil } From 60c85b590b139b893dba1eb28823ea9258cfb0cc Mon Sep 17 00:00:00 2001 From: Igor Zornik Date: Thu, 2 May 2024 08:15:19 +0200 Subject: [PATCH 2/3] Update unit tests --- certificate/renewal_test.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/certificate/renewal_test.go b/certificate/renewal_test.go index e883a40c82..9f20e374e1 100644 --- a/certificate/renewal_test.go +++ b/certificate/renewal_test.go @@ -50,6 +50,7 @@ func TestCertifier_GetRenewalInfo(t *testing.T) { } w.Header().Set("Content-Type", "application/json") + w.Header().Set("Retry-After", "21600") w.WriteHeader(http.StatusOK) _, wErr := w.Write([]byte(`{ "suggestedWindow": { @@ -76,6 +77,7 @@ func TestCertifier_GetRenewalInfo(t *testing.T) { assert.Equal(t, "2020-03-17T17:51:09Z", ri.SuggestedWindow.Start.Format(time.RFC3339)) assert.Equal(t, "2020-03-17T18:21:09Z", ri.SuggestedWindow.End.Format(time.RFC3339)) assert.Equal(t, "https://aricapable.ca/docs/renewal-advice/", ri.ExplanationURL) + assert.Equal(t, time.Duration(21600000000000), ri.RetryAfter) } func TestCertifier_GetRenewalInfo_errors(t *testing.T) { @@ -135,13 +137,14 @@ func TestRenewalInfoResponse_ShouldRenew(t *testing.T) { t.Run("Window is in the past", func(t *testing.T) { ri := RenewalInfoResponse{ - acme.RenewalInfoResponse{ + RenewalInfoResponse: acme.RenewalInfoResponse{ SuggestedWindow: acme.Window{ Start: now.Add(-2 * time.Hour), End: now.Add(-1 * time.Hour), }, ExplanationURL: "", }, + RetryAfter: 0, } rt := ri.ShouldRenewAt(now, 0) @@ -151,13 +154,14 @@ func TestRenewalInfoResponse_ShouldRenew(t *testing.T) { t.Run("Window is in the future", func(t *testing.T) { ri := RenewalInfoResponse{ - acme.RenewalInfoResponse{ + RenewalInfoResponse: acme.RenewalInfoResponse{ SuggestedWindow: acme.Window{ Start: now.Add(1 * time.Hour), End: now.Add(2 * time.Hour), }, ExplanationURL: "", }, + RetryAfter: 0, } rt := ri.ShouldRenewAt(now, 0) @@ -166,13 +170,14 @@ func TestRenewalInfoResponse_ShouldRenew(t *testing.T) { t.Run("Window is in the future, but caller is willing to sleep", func(t *testing.T) { ri := RenewalInfoResponse{ - acme.RenewalInfoResponse{ + RenewalInfoResponse: acme.RenewalInfoResponse{ SuggestedWindow: acme.Window{ Start: now.Add(1 * time.Hour), End: now.Add(2 * time.Hour), }, ExplanationURL: "", }, + RetryAfter: 0, } rt := ri.ShouldRenewAt(now, 2*time.Hour) @@ -182,13 +187,14 @@ func TestRenewalInfoResponse_ShouldRenew(t *testing.T) { t.Run("Window is in the future, but caller isn't willing to sleep long enough", func(t *testing.T) { ri := RenewalInfoResponse{ - acme.RenewalInfoResponse{ + RenewalInfoResponse: acme.RenewalInfoResponse{ SuggestedWindow: acme.Window{ Start: now.Add(1 * time.Hour), End: now.Add(2 * time.Hour), }, ExplanationURL: "", }, + RetryAfter: 0, } rt := ri.ShouldRenewAt(now, 59*time.Minute) From 481b1dc6f3ed0fba57e6e6914a1d84c6b79813a7 Mon Sep 17 00:00:00 2001 From: Fernandez Ludovic Date: Tue, 7 May 2024 18:46:21 +0200 Subject: [PATCH 3/3] review: add link to RFC --- certificate/renewal.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/certificate/renewal.go b/certificate/renewal.go index 55276ba367..66c93acba4 100644 --- a/certificate/renewal.go +++ b/certificate/renewal.go @@ -23,7 +23,9 @@ type RenewalInfoResponse struct { acme.RenewalInfoResponse // RetryAfter header indicating the polling interval that the ACME server recommends. - // Conforming clients SHOULD query the renewalInfo URL again after the RetryAfter period has passed, as the server may provide a different suggestedWindow. + // Conforming clients SHOULD query the renewalInfo URL again after the RetryAfter period has passed, + // as the server may provide a different suggestedWindow. + // https://datatracker.ietf.org/doc/html/draft-ietf-acme-ari-03#section-4.2 RetryAfter time.Duration }