-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: attempt to check ARI unless explicitly disabled #2298
Conversation
I don't merge the PR because I have doubts about the impact of this PR: I don't see any problem with doing this with LE, but I wonder about the ACME servers. 🤔 I'm torn between having a better default value, but that can introduce a change that may upset a large number of users, or just keeping the current option. |
Oh, interesting! I figured that this was reasonably safe given that use of ARI is actually gated on whether or not the CA includes a |
You are right, I missed that Lines 212 to 217 in 19b535c
Lines 282 to 287 in 19b535c
I don't want to have the same problem as before: #2138 |
If we change these to |
🤔 maybe we can move the call to Lines 154 to 164 in 19b535c
Lines 253 to 263 in 19b535c
|
something like that: var replacesCertID string
var ariRenewalTime *time.Time
if ctx.Bool(flgARIEnable) {
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
if ariRenewalTime != nil {
now := time.Now().UTC()
// Figure out if we need to sleep before renewing.
if ariRenewalTime.After(now) {
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
time.Sleep(ariRenewalTime.Sub(now))
}
}
replacesCertID, err = certificate.MakeARICertID(cert)
if err != nil {
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
}
}
if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
return nil
}
...
if replacesCertID != "" {
request.ReplacesCertID = replacesCertID
} |
434d607
to
ede2825
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
* volcengine: set API information within the default configuration (go-acme#2308) Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com> * limacity: fix error message (go-acme#2310) * Add DNS provider for Core-Networks (go-acme#2101) * chore: update readme generator (go-acme#2311) * chore: fix readme generator (go-acme#2312) * chore: embed templates for internal commands (go-acme#2314) * chore: improve internal release command (go-acme#2315) * fix: parse printf verbs in log line output (go-acme#2317) * Add DNS provider for Regfish (go-acme#2320) * chore: update dependencies (go-acme#2321) * selectelv2: fix non-ASCII domain (go-acme#2322) Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com> * brandit: provider deprecation (go-acme#2116) * cloudxns: provider deprecation (go-acme#2324) * chore: update issue templates * docs: use homogenous examples (go-acme#2328) * regru: update authentication method (go-acme#2325) * rfc2136: add support for tsig-keygen generated file (go-acme#2330) Co-authored-by: Dominik Menke <git@dmke.org> * Add DNS provider for Technitium (go-acme#2332) * feat: skip the TLS verification of the ACME server (go-acme#2335) * docs: add documentation for env var only options (go-acme#2337) * docs: update least privilege instructions for Cloudflare (go-acme#2339) * feat: attempt to check ARI unless explicitly disabled (go-acme#2298) Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com> * chore: domain merge simplification (go-acme#2340) * chore: update linter (go-acme#2341) * Prepare release v4.20.0 * Detach v4.20.0 * Prepare release v4.20.1 * Detach v4.20.1 * Prepare release v4.20.2 * Detach v4.20.2 * fix: HTTP server IPv6 matching (go-acme#2345) * docs: improve changelog style (go-acme#2346) * docs: fix typos --------- Co-authored-by: 刘瑞斌 <bin@fit2cloud.com> Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com> Co-authored-by: Dominik Menke <dom@digineo.de> Co-authored-by: Frederic Hemberger <fhemberger@users.noreply.github.com> Co-authored-by: Artem Chirkov <45077592+Archirk@users.noreply.github.com> Co-authored-by: Maksim Kamanin <79706809+tcaty@users.noreply.github.com> Co-authored-by: Dominik Menke <git@dmke.org> Co-authored-by: Josh McKinney <joshka@users.noreply.github.com> Co-authored-by: Samantha Frank <hello@entropy.cat>
With draft-ietf-acme-ari now in IETF Working Group Last Call—the final step before becoming an RFC—it is reasonable to enable ARI checks by default.