feat: add option to handle the overall request limit (#2209)

This commit is contained in:
Ludovic Fernandez 2024-06-13 22:48:04 +02:00 committed by GitHub
parent 69cacab700
commit c63be848f6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 41 additions and 21 deletions

View file

@ -7,19 +7,10 @@ import (
"github.com/go-acme/lego/v4/log" "github.com/go-acme/lego/v4/log"
) )
const (
// overallRequestLimit is the overall number of request per second
// limited on the "new-reg", "new-authz" and "new-cert" endpoints.
// From the documentation the limitation is 20 requests per second,
// but using 20 as value doesn't work but 18 do.
// https://letsencrypt.org/docs/rate-limits/
overallRequestLimit = 18
)
func (c *Certifier) getAuthorizations(order acme.ExtendedOrder) ([]acme.Authorization, error) { func (c *Certifier) getAuthorizations(order acme.ExtendedOrder) ([]acme.Authorization, error) {
resc, errc := make(chan acme.Authorization), make(chan domainError) resc, errc := make(chan acme.Authorization), make(chan domainError)
delay := time.Second / overallRequestLimit delay := time.Second / time.Duration(c.overallRequestLimit)
for _, authzURL := range order.Authorizations { for _, authzURL := range order.Authorizations {
time.Sleep(delay) time.Sleep(delay)

View file

@ -22,6 +22,17 @@ import (
"golang.org/x/net/idna" "golang.org/x/net/idna"
) )
const (
// DefaultOverallRequestLimit is the overall number of request per second
// limited on the "new-reg", "new-authz" and "new-cert" endpoints.
// From the documentation the limitation is 20 requests per second,
// but using 20 as value doesn't work but 18 do.
// https://letsencrypt.org/docs/rate-limits/
// ZeroSSL has a limit of 7.
// https://help.zerossl.com/hc/en-us/articles/17864245480093-Advantages-over-Using-Let-s-Encrypt#h_01HT4Z1JCJFJQFJ1M3P7S085Q9
DefaultOverallRequestLimit = 18
)
// maxBodySize is the maximum size of body that we will read. // maxBodySize is the maximum size of body that we will read.
const maxBodySize = 1024 * 1024 const maxBodySize = 1024 * 1024
@ -96,6 +107,7 @@ type resolver interface {
type CertifierOptions struct { type CertifierOptions struct {
KeyType certcrypto.KeyType KeyType certcrypto.KeyType
Timeout time.Duration Timeout time.Duration
OverallRequestLimit int
} }
// Certifier A service to obtain/renew/revoke certificates. // Certifier A service to obtain/renew/revoke certificates.
@ -103,15 +115,23 @@ type Certifier struct {
core *api.Core core *api.Core
resolver resolver resolver resolver
options CertifierOptions options CertifierOptions
overallRequestLimit int
} }
// NewCertifier creates a Certifier. // NewCertifier creates a Certifier.
func NewCertifier(core *api.Core, resolver resolver, options CertifierOptions) *Certifier { func NewCertifier(core *api.Core, resolver resolver, options CertifierOptions) *Certifier {
return &Certifier{ c := &Certifier{
core: core, core: core,
resolver: resolver, resolver: resolver,
options: options, options: options,
} }
c.overallRequestLimit = options.OverallRequestLimit
if c.overallRequestLimit <= 0 {
c.overallRequestLimit = DefaultOverallRequestLimit
}
return c
} }
// Obtain tries to obtain a single certificate using all domains passed into it. // Obtain tries to obtain a single certificate using all domains passed into it.

View file

@ -3,6 +3,7 @@ package cmd
import ( import (
"time" "time"
"github.com/go-acme/lego/v4/certificate"
"github.com/go-acme/lego/v4/lego" "github.com/go-acme/lego/v4/lego"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"software.sslmate.com/src/go-pkcs12" "software.sslmate.com/src/go-pkcs12"
@ -154,6 +155,11 @@ func CreateFlags(defaultPath string) []cli.Flag {
Usage: "Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.", Usage: "Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.",
Value: 30, Value: 30,
}, },
&cli.IntFlag{
Name: "overall-request-limit",
Usage: "ACME overall requests limit.",
Value: certificate.DefaultOverallRequestLimit,
},
&cli.StringFlag{ &cli.StringFlag{
Name: "user-agent", Name: "user-agent",
Usage: "Add to the user-agent sent to the CA to identify an application embedding lego-cli", Usage: "Add to the user-agent sent to the CA to identify an application embedding lego-cli",

View file

@ -40,6 +40,7 @@ func newClient(ctx *cli.Context, acc registration.User, keyType certcrypto.KeyTy
config.Certificate = lego.CertificateConfig{ config.Certificate = lego.CertificateConfig{
KeyType: keyType, KeyType: keyType,
Timeout: time.Duration(ctx.Int("cert.timeout")) * time.Second, Timeout: time.Duration(ctx.Int("cert.timeout")) * time.Second,
OverallRequestLimit: ctx.Int("overall-request-limit"),
} }
config.UserAgent = getUserAgent(ctx) config.UserAgent = getUserAgent(ctx)

View file

@ -48,6 +48,7 @@ GLOBAL OPTIONS:
--pfx.pass value The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD] --pfx.pass value The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD]
--pfx.format value The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT] --pfx.format value The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT]
--cert.timeout value Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) --cert.timeout value Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--overall-request-limit value ACME overall requests limit. (default: 18)
--user-agent value Add to the user-agent sent to the CA to identify an application embedding lego-cli --user-agent value Add to the user-agent sent to the CA to identify an application embedding lego-cli
--help, -h show help --help, -h show help
""" """

View file

@ -53,7 +53,7 @@ func NewClient(config *Config) (*Client, error) {
solversManager := resolver.NewSolversManager(core) solversManager := resolver.NewSolversManager(core)
prober := resolver.NewProber(solversManager) prober := resolver.NewProber(solversManager)
certifier := certificate.NewCertifier(core, prober, certificate.CertifierOptions{KeyType: config.Certificate.KeyType, Timeout: config.Certificate.Timeout}) certifier := certificate.NewCertifier(core, prober, certificate.CertifierOptions{KeyType: config.Certificate.KeyType, Timeout: config.Certificate.Timeout, OverallRequestLimit: config.Certificate.OverallRequestLimit})
return &Client{ return &Client{
Certificate: certifier, Certificate: certifier,

View file

@ -63,6 +63,7 @@ func NewConfig(user registration.User) *Config {
type CertificateConfig struct { type CertificateConfig struct {
KeyType certcrypto.KeyType KeyType certcrypto.KeyType
Timeout time.Duration Timeout time.Duration
OverallRequestLimit int
} }
// createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value // createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value