Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: attempt to check ARI unless explicitly disabled #2298

Merged
merged 2 commits into from
Nov 11, 2024

Conversation

beautifulentropy
Copy link
Contributor

With draft-ietf-acme-ari now in IETF Working Group Last Call—the final step before becoming an RFC—it is reasonable to enable ARI checks by default.

@beautifulentropy beautifulentropy changed the title Use ARI unless explicitly disabled When available, check ARI unless explicitly disabled Oct 10, 2024
@ldez ldez added the area/ari ACME Renewal Information Extension label Oct 10, 2024
@ldez ldez self-requested a review October 10, 2024 15:05
@beautifulentropy beautifulentropy changed the title When available, check ARI unless explicitly disabled Attempt to check ARI unless explicitly disabled Oct 10, 2024
@ldez ldez added this to the v4.20 milestone Oct 14, 2024
@ldez
Copy link
Member

ldez commented Oct 21, 2024

I don't merge the PR because I have doubts about the impact of this PR: I don't see any problem with doing this with LE, but I wonder about the ACME servers. 🤔

I'm torn between having a better default value, but that can introduce a change that may upset a large number of users, or just keeping the current option.

@beautifulentropy
Copy link
Contributor Author

beautifulentropy commented Oct 21, 2024

I don't merge the PR because I have doubts about the impact of this PR: I don't see any problem with doing this with LE, but I wonder about the ACME servers. 🤔

I'm torn between having a better default value, but that can introduce a change that may upset a large number of users, or just keeping the current option.

Oh, interesting! I figured that this was reasonably safe given that use of ARI is actually gated on whether or not the CA includes a renewalInfo field in its directory object per draft-ietf-acme-ari-06#section-3. I'd be curious to hear your concerns @ldez.

@ldez
Copy link
Member

ldez commented Oct 21, 2024

You are right, I missed that api.ErrNoARI is managed but there are several elements related to the flag:

lego/cmd/cmd_renew.go

Lines 212 to 217 in 19b535c

if ctx.Bool(flgARIEnable) {
request.ReplacesCertID, err = certificate.MakeARICertID(cert)
if err != nil {
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
}
}

lego/cmd/cmd_renew.go

Lines 282 to 287 in 19b535c

if ctx.Bool(flgARIEnable) {
request.ReplacesCertID, err = certificate.MakeARICertID(cert)
if err != nil {
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
}
}

I don't want to have the same problem as before: #2138

@beautifulentropy
Copy link
Contributor Author

beautifulentropy commented Oct 21, 2024

If we change these to log.Warnf and continue using the default renewal logic would that be sufficient?

@ldez
Copy link
Member

ldez commented Oct 21, 2024

🤔 maybe we can move the call to MakeARICertID inside the first if

lego/cmd/cmd_renew.go

Lines 154 to 164 in 19b535c

if ctx.Bool(flgARIEnable) {
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
if ariRenewalTime != nil {
now := time.Now().UTC()
// Figure out if we need to sleep before renewing.
if ariRenewalTime.After(now) {
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
time.Sleep(ariRenewalTime.Sub(now))
}
}
}

lego/cmd/cmd_renew.go

Lines 253 to 263 in 19b535c

if ctx.Bool(flgARIEnable) {
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
if ariRenewalTime != nil {
now := time.Now().UTC()
// Figure out if we need to sleep before renewing.
if ariRenewalTime.After(now) {
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
time.Sleep(ariRenewalTime.Sub(now))
}
}
}

@ldez
Copy link
Member

ldez commented Oct 21, 2024

something like that:

	var replacesCertID string
	var ariRenewalTime *time.Time
	if ctx.Bool(flgARIEnable) {
		ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
		if ariRenewalTime != nil {
			now := time.Now().UTC()
			// Figure out if we need to sleep before renewing.
			if ariRenewalTime.After(now) {
				log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
				time.Sleep(ariRenewalTime.Sub(now))
			}
		}

		replacesCertID, err = certificate.MakeARICertID(cert)
		if err != nil {
			log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
		}
	}

	if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
		return nil
	}
...

	if replacesCertID != "" {
		request.ReplacesCertID = replacesCertID
	}

@ldez ldez force-pushed the use-ari-by-default branch from 434d607 to ede2825 Compare November 11, 2024 00:07
@ldez ldez changed the title Attempt to check ARI unless explicitly disabled feat: attempt to check ARI unless explicitly disabled Nov 11, 2024
@ldez ldez added the breaking-change Require or introduce a breaking change. label Nov 11, 2024
Copy link
Member

@ldez ldez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ldez ldez merged commit 98371c4 into go-acme:master Nov 11, 2024
7 checks passed
@ldez ldez added the area/cli label Nov 11, 2024
usarise added a commit to usarise/lego that referenced this pull request Nov 12, 2024
* volcengine: set API information within the default configuration (go-acme#2308)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>

* limacity: fix error message (go-acme#2310)

* Add DNS provider for Core-Networks (go-acme#2101)

* chore: update readme generator (go-acme#2311)

* chore: fix readme generator (go-acme#2312)

* chore: embed templates for internal commands (go-acme#2314)

* chore: improve internal release command (go-acme#2315)

* fix: parse printf verbs in log line output (go-acme#2317)

* Add DNS provider for Regfish (go-acme#2320)

* chore: update dependencies (go-acme#2321)

* selectelv2: fix non-ASCII domain (go-acme#2322)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>

* brandit: provider deprecation (go-acme#2116)

* cloudxns: provider deprecation (go-acme#2324)

* chore: update issue templates

* docs: use homogenous examples (go-acme#2328)

* regru: update authentication method (go-acme#2325)

* rfc2136: add support for tsig-keygen generated file (go-acme#2330)

Co-authored-by: Dominik Menke <git@dmke.org>

* Add DNS provider for Technitium (go-acme#2332)

* feat: skip the TLS verification of the ACME server (go-acme#2335)

* docs: add documentation for env var only options (go-acme#2337)

* docs: update least privilege instructions for Cloudflare (go-acme#2339)

* feat: attempt to check ARI unless explicitly disabled (go-acme#2298)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>

* chore: domain merge simplification (go-acme#2340)

* chore: update linter (go-acme#2341)

* Prepare release v4.20.0

* Detach v4.20.0

* Prepare release v4.20.1

* Detach v4.20.1

* Prepare release v4.20.2

* Detach v4.20.2

* fix: HTTP server IPv6 matching (go-acme#2345)

* docs: improve changelog style (go-acme#2346)

* docs: fix typos

---------

Co-authored-by: 刘瑞斌 <bin@fit2cloud.com>
Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
Co-authored-by: Dominik Menke <dom@digineo.de>
Co-authored-by: Frederic Hemberger <fhemberger@users.noreply.github.com>
Co-authored-by: Artem Chirkov <45077592+Archirk@users.noreply.github.com>
Co-authored-by: Maksim Kamanin <79706809+tcaty@users.noreply.github.com>
Co-authored-by: Dominik Menke <git@dmke.org>
Co-authored-by: Josh McKinney <joshka@users.noreply.github.com>
Co-authored-by: Samantha Frank <hello@entropy.cat>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/ari ACME Renewal Information Extension area/cli breaking-change Require or introduce a breaking change. enhancement
Development

Successfully merging this pull request may close these issues.

2 participants