Add configurable timeout when obtaining certificates. (#747)

This commit is contained in:
Ludovic Fernandez 2019-01-09 08:29:17 +01:00 committed by GitHub
parent b1fd570987
commit 7e1f4948ec
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 68 additions and 51 deletions

View file

@ -98,6 +98,7 @@ GLOBAL OPTIONS:
--http-timeout value Set the HTTP timeout value to a specific value in seconds. (default: 0) --http-timeout value Set the HTTP timeout value to a specific value in seconds. (default: 0)
--dns-timeout value Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name servers queries. (default: 10) --dns-timeout value Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name servers queries. (default: 10)
--pem Generate a .pem file by concatenating the .key and .crt files together. --pem Generate a .pem file by concatenating the .key and .crt files together.
--cert.timeout value Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--help, -h show help --help, -h show help
--version, -v print the version --version, -v print the version
``` ```
@ -234,7 +235,7 @@ func main() {
// This CA URL is configured for a local dev instance of Boulder running in Docker in a VM. // This CA URL is configured for a local dev instance of Boulder running in Docker in a VM.
config.CADirURL = "http://192.168.99.100:4000/directory" config.CADirURL = "http://192.168.99.100:4000/directory"
config.KeyType = certcrypto.RSA2048 config.Certificate.KeyType = certcrypto.RSA2048
// A client facilitates communication with the CA server. // A client facilitates communication with the CA server.
client, err := lego.NewClient(config) client, err := lego.NewClient(config)

View file

@ -17,6 +17,7 @@ import (
"github.com/xenolf/lego/certcrypto" "github.com/xenolf/lego/certcrypto"
"github.com/xenolf/lego/challenge" "github.com/xenolf/lego/challenge"
"github.com/xenolf/lego/log" "github.com/xenolf/lego/log"
"github.com/xenolf/lego/platform/wait"
"golang.org/x/crypto/ocsp" "golang.org/x/crypto/ocsp"
"golang.org/x/net/idna" "golang.org/x/net/idna"
) )
@ -60,17 +61,24 @@ type resolver interface {
Solve(authorizations []acme.Authorization) error Solve(authorizations []acme.Authorization) error
} }
type Certifier struct { type CertifierOptions struct {
core *api.Core KeyType certcrypto.KeyType
keyType certcrypto.KeyType Timeout time.Duration
resolver resolver
} }
func NewCertifier(core *api.Core, keyType certcrypto.KeyType, resolver resolver) *Certifier { // Certifier A service to obtain/renew/revoke certificates.
type Certifier struct {
core *api.Core
resolver resolver
options CertifierOptions
}
// NewCertifier creates a Certifier.
func NewCertifier(core *api.Core, resolver resolver, options CertifierOptions) *Certifier {
return &Certifier{ return &Certifier{
core: core, core: core,
keyType: keyType,
resolver: resolver, resolver: resolver,
options: options,
} }
} }
@ -191,7 +199,7 @@ func (c *Certifier) ObtainForCSR(csr x509.CertificateRequest, bundle bool) (*Res
func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, bundle bool, privateKey crypto.PrivateKey, mustStaple bool) (*Resource, error) { func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, bundle bool, privateKey crypto.PrivateKey, mustStaple bool) (*Resource, error) {
if privateKey == nil { if privateKey == nil {
var err error var err error
privateKey, err = certcrypto.GeneratePrivateKey(c.keyType) privateKey, err = certcrypto.GeneratePrivateKey(c.options.KeyType)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -237,9 +245,9 @@ func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle
if respOrder.Status == acme.StatusValid { if respOrder.Status == acme.StatusValid {
// if the certificate is available right away, short cut! // if the certificate is available right away, short cut!
ok, err := c.checkResponse(respOrder, certRes, bundle) ok, errR := c.checkResponse(respOrder, certRes, bundle)
if err != nil { if errR != nil {
return nil, err return nil, errR
} }
if ok { if ok {
@ -247,34 +255,26 @@ func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle
} }
} }
return c.waitForCertificate(certRes, order.Location, bundle) timeout := c.options.Timeout
} if c.options.Timeout <= 0 {
timeout = 30 * time.Second
func (c *Certifier) waitForCertificate(certRes *Resource, orderURL string, bundle bool) (*Resource, error) {
stopTimer := time.NewTimer(30 * time.Second)
defer stopTimer.Stop()
retryTick := time.NewTicker(500 * time.Millisecond)
defer retryTick.Stop()
for {
select {
case <-stopTimer.C:
return nil, errors.New("certificate polling timed out")
case <-retryTick.C:
order, err := c.core.Orders.Get(orderURL)
if err != nil {
return nil, err
}
done, err := c.checkResponse(order, certRes, bundle)
if err != nil {
return nil, err
}
if done {
return certRes, nil
}
}
} }
err = wait.For("certificate", timeout, timeout/60, func() (bool, error) {
ord, errW := c.core.Orders.Get(order.Location)
if errW != nil {
return false, errW
}
done, errW := c.checkResponse(ord, certRes, bundle)
if errW != nil {
return false, errW
}
return done, nil
})
return certRes, err
} }
// checkResponse checks to see if the certificate is ready and a link is contained in the response. // checkResponse checks to see if the certificate is ready and a link is contained in the response.

View file

@ -93,7 +93,7 @@ func Test_checkResponse(t *testing.T) {
core, err := api.New(http.DefaultClient, "lego-test", apiURL+"/dir", "", key) core, err := api.New(http.DefaultClient, "lego-test", apiURL+"/dir", "", key)
require.NoError(t, err) require.NoError(t, err)
certifier := NewCertifier(core, certcrypto.RSA2048, &resolverMock{}) certifier := NewCertifier(core, &resolverMock{}, CertifierOptions{KeyType: certcrypto.RSA2048})
order := acme.Order{ order := acme.Order{
Status: acme.StatusValid, Status: acme.StatusValid,
@ -141,7 +141,7 @@ func Test_checkResponse_issuerRelUp(t *testing.T) {
core, err := api.New(http.DefaultClient, "lego-test", apiURL+"/dir", "", key) core, err := api.New(http.DefaultClient, "lego-test", apiURL+"/dir", "", key)
require.NoError(t, err) require.NoError(t, err)
certifier := NewCertifier(core, certcrypto.RSA2048, &resolverMock{}) certifier := NewCertifier(core, &resolverMock{}, CertifierOptions{KeyType: certcrypto.RSA2048})
order := acme.Order{ order := acme.Order{
Status: acme.StatusValid, Status: acme.StatusValid,
@ -180,7 +180,7 @@ func Test_checkResponse_embeddedIssuer(t *testing.T) {
core, err := api.New(http.DefaultClient, "lego-test", apiURL+"/dir", "", key) core, err := api.New(http.DefaultClient, "lego-test", apiURL+"/dir", "", key)
require.NoError(t, err) require.NoError(t, err)
certifier := NewCertifier(core, certcrypto.RSA2048, &resolverMock{}) certifier := NewCertifier(core, &resolverMock{}, CertifierOptions{KeyType: certcrypto.RSA2048})
order := acme.Order{ order := acme.Order{
Status: acme.StatusValid, Status: acme.StatusValid,

View file

@ -105,5 +105,10 @@ func CreateFlags(defaultPath string) []cli.Flag {
Name: "pem", Name: "pem",
Usage: "Generate a .pem file by concatenating the .key and .crt files together.", Usage: "Generate a .pem file by concatenating the .key and .crt files together.",
}, },
cli.IntFlag{
Name: "cert.timeout",
Usage: "Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.",
Value: 30,
},
} }
} }

View file

@ -34,11 +34,13 @@ func setup(ctx *cli.Context, accountsStorage *AccountsStorage) (*Account, *lego.
} }
func newClient(ctx *cli.Context, acc registration.User) *lego.Client { func newClient(ctx *cli.Context, acc registration.User) *lego.Client {
keyType := getKeyType(ctx)
config := lego.NewConfig(acc) config := lego.NewConfig(acc)
config.CADirURL = ctx.GlobalString("server") config.CADirURL = ctx.GlobalString("server")
config.KeyType = keyType
config.Certificate = lego.CertificateConfig{
KeyType: getKeyType(ctx),
Timeout: time.Duration(ctx.GlobalInt("cert.timeout")) * time.Second,
}
config.UserAgent = fmt.Sprintf("lego-cli/%s", ctx.App.Version) config.UserAgent = fmt.Sprintf("lego-cli/%s", ctx.App.Version)
if ctx.GlobalIsSet("http-timeout") { if ctx.GlobalIsSet("http-timeout") {

View file

@ -53,9 +53,10 @@ func NewClient(config *Config) (*Client, error) {
solversManager := resolver.NewSolversManager(core) solversManager := resolver.NewSolversManager(core)
prober := resolver.NewProber(solversManager) prober := resolver.NewProber(solversManager)
certifier := certificate.NewCertifier(core, prober, certificate.CertifierOptions{KeyType: config.Certificate.KeyType, Timeout: config.Certificate.Timeout})
return &Client{ return &Client{
Certificate: certificate.NewCertifier(core, config.KeyType, prober), Certificate: certifier,
Challenge: solversManager, Challenge: solversManager,
Registration: registration.NewRegistrar(core, config.User), Registration: registration.NewRegistrar(core, config.User),
core: core, core: core,

View file

@ -35,22 +35,30 @@ const (
) )
type Config struct { type Config struct {
CADirURL string CADirURL string
User registration.User User registration.User
KeyType certcrypto.KeyType UserAgent string
UserAgent string HTTPClient *http.Client
HTTPClient *http.Client Certificate CertificateConfig
} }
func NewConfig(user registration.User) *Config { func NewConfig(user registration.User) *Config {
return &Config{ return &Config{
CADirURL: LEDirectoryProduction, CADirURL: LEDirectoryProduction,
User: user, User: user,
KeyType: certcrypto.RSA2048,
HTTPClient: createDefaultHTTPClient(), HTTPClient: createDefaultHTTPClient(),
Certificate: CertificateConfig{
KeyType: certcrypto.RSA2048,
Timeout: 30 * time.Second,
},
} }
} }
type CertificateConfig struct {
KeyType certcrypto.KeyType
Timeout time.Duration
}
// createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value // createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value
// and potentially a custom *x509.CertPool // and potentially a custom *x509.CertPool
// based on the caCertificatesEnvVar environment variable (see the `initCertPool` function) // based on the caCertificatesEnvVar environment variable (see the `initCertPool` function)