git.openwrt.org Git - feed/packages.git/commit

author	Leonardo Mörlein <git@irrelefant.net>
	Fri, 26 Mar 2021 22:04:32 +0000 (23:04 +0100)
committer	Rosen Penev <rosenp@gmail.com>
	Mon, 5 Apr 2021 05:16:02 +0000 (22:16 -0700)
commit	24ddf2207375b8569f49e3e84468a3389e748029
tree	6a595f9d8af21faa063f462c0abd66c3d70c0154	tree \| snapshot
parent	4f7aad0e52386d12749530b98c8e947618c3d3eb	commit \| diff

uacme: add retries

Prior to this commit, the acme service attempted to obtain certificates
once and then terminated, regardless of whether the certificate could be
obtained or not. This commit introduces a new uci option "retries" to
the "certificate" section. If this option is set to N, the acme service
will attempt to obtain the certificate up to N times before terminating.
There is a waiting pause between the retries to comply with the rate
limits of Let'sEncrypt.

The waiting pause is:
- 2 minutes for staging certificates
- 24 minutes for production certificates

The current "Failed Validation" rate limits of Let'sEncrypt are:
- staging: 60 per hour -> 1 failure every 1 minute in avg.
- production: 5 per hour -> 1 failure every 12 minutes in avg.

This means that we are within rate limits by a factor of two.

By default the option "retries" is set to "1", which means that acme
behaves as before by default. If the variable is set to "0", infinite
retries are performed.

This feature is helpful, when you already want to initiate the
certificate request, but you are still waiting for your dns server to be
configured, your network to appear or other conditions.

Signed-off-by: Leonardo Mörlein <git@irrelefant.net>