Commit graph

10 commits

Author SHA1 Message Date
David Cowden
609e1312da acme/api: Write headers for invalid challenges
Include the "Link" and "Location" headers on invalid challenge
resources. An invalid challenge is still a perfectly acceptable
response.
2020-05-13 07:29:12 -07:00
David Cowden
2d0a00c4e1 acme/api: Add missing return
Stop execution when the error happens. This was previously a typo.
2020-05-11 21:22:40 -07:00
David Cowden
bdadea8a37 acme: go fmt 2020-05-07 09:27:16 -07:00
David Cowden
9af4dd3692 acme: Retry challenge validation attempts
Section 8.2 of RFC 8555 explains how retries apply to the validation
process. However, much is left up to the implementer.

Add retries every 12 seconds for 2 minutes after a client requests a
validation. The challenge status remains "processing" indefinitely until
a distinct conclusion is reached. This allows a client to continually
re-request a validation by sending a post-get to the challenge resource
until the process fails or succeeds.

Challenges in the processing state include information about why a
validation did not complete in the error field. The server also includes
a Retry-After header to help clients and servers coordinate.

Retries are inherently stateful because they're part of the public API.
When running step-ca in a highly available setup with replicas, care
must be taken to maintain a persistent identifier for each instance
"slot". In kubernetes, this implies a *stateful set*.
2020-05-06 07:39:13 -07:00
Wesley Graham
8d4356733e Implement standard backoff strategy 2020-04-30 04:44:08 -07:00
Wesley Graham
f9779d0bed Polish retry conditions 2020-04-30 04:44:08 -07:00
Wesley Graham
66b2c4b1a4 Add automated challenge retries, RFC 8555 2020-04-30 04:44:08 -07:00
Wesley Graham
40d7c42e33 Implement acme RFC 8555, challenge retries 2020-04-30 04:44:08 -07:00
max furman
d368791606 Add x5c provisioner capabilities 2019-10-14 14:51:37 -07:00
max furman
e3826dd1c3 Add ACME CA capabilities 2019-09-13 15:48:33 -07:00