Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Sleep until certificate is due instead of looping and rechecking

pull/79/head
Jan Christian Grünhage 2 years ago
parent
23e8a31bed
commit
e79441b431
3 changed files with 19 additions and 23 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 25
      acmed/src/certificate.rs
  2. 1
      acmed/src/main.rs
  3. 16
      acmed/src/main_event_loop.rs

25
acmed/src/certificate.rs
View File

@ -70,14 +70,14 @@ impl Certificate {
Err(format!("{identifier}: identifier not found").into()) Err(format!("{identifier}: identifier not found").into())
} }
fn is_expiring(&self, cert: &X509Certificate) -> Result<bool, Error> {
fn renew_in(&self, cert: &X509Certificate) -> Result<Duration, Error> {
let expires_in = cert.expires_in()?; let expires_in = cert.expires_in()?;
self.debug(&format!( self.debug(&format!(
"certificate expires in {} days ({} days delay)", "certificate expires in {} days ({} days delay)",
expires_in.as_secs() / 86400, expires_in.as_secs() / 86400,
self.renew_delay.as_secs() / 86400, self.renew_delay.as_secs() / 86400,
)); ));
Ok(expires_in <= self.renew_delay)
Ok(expires_in.saturating_sub(self.renew_delay))
} }
fn has_missing_identifiers(&self, cert: &X509Certificate) -> bool { fn has_missing_identifiers(&self, cert: &X509Certificate) -> bool {
@ -110,33 +110,22 @@ impl Certificate {
.join(",") .join(",")
} }
pub async fn should_renew(&self) -> Result<bool, Error> {
pub async fn schedule_renewal(&self) -> Result<Duration, Error> {
self.debug(&format!( self.debug(&format!(
"checking for renewal (identifiers: {})", "checking for renewal (identifiers: {})",
self.identifier_list() self.identifier_list()
)); ));
if !certificate_files_exists(&self.file_manager) { if !certificate_files_exists(&self.file_manager) {
self.debug("certificate does not exist: requesting one"); self.debug("certificate does not exist: requesting one");
return Ok(true);
return Ok(Duration::ZERO);
} }
let cert = get_certificate(&self.file_manager).await?; let cert = get_certificate(&self.file_manager).await?;
let renew_ident = self.has_missing_identifiers(&cert);
if renew_ident {
if self.has_missing_identifiers(&cert) {
self.debug("the current certificate doesn't include all the required identifiers"); self.debug("the current certificate doesn't include all the required identifiers");
return Ok(Duration::ZERO);
} }
let renew_exp = self.is_expiring(&cert)?;
if renew_exp {
self.debug("the certificate is expiring");
}
let renew = renew_ident || renew_exp;
if renew {
self.debug("the certificate will be renewed now");
} else {
self.debug("the certificate will not be renewed now");
}
Ok(renew)
Ok(self.renew_in(&cert)?)
} }
pub async fn call_challenge_hooks( pub async fn call_challenge_hooks(

1
acmed/src/main.rs
View File

@ -33,7 +33,6 @@ pub const DEFAULT_CERT_DIR: &str = env!("ACMED_DEFAULT_CERT_DIR");
pub const DEFAULT_CERT_FORMAT: &str = env!("ACMED_DEFAULT_CERT_FORMAT"); pub const DEFAULT_CERT_FORMAT: &str = env!("ACMED_DEFAULT_CERT_FORMAT");
pub const DEFAULT_CONFIG_FILE: &str = env!("ACMED_DEFAULT_CONFIG_FILE"); pub const DEFAULT_CONFIG_FILE: &str = env!("ACMED_DEFAULT_CONFIG_FILE");
pub const DEFAULT_PID_FILE: &str = env!("ACMED_DEFAULT_PID_FILE"); pub const DEFAULT_PID_FILE: &str = env!("ACMED_DEFAULT_PID_FILE");
pub const DEFAULT_SLEEP_TIME: u64 = 3600;
pub const DEFAULT_POOL_TIME: u64 = 5000; pub const DEFAULT_POOL_TIME: u64 = 5000;
pub const DEFAULT_CSR_DIGEST: HashFunction = HashFunction::Sha256; pub const DEFAULT_CSR_DIGEST: HashFunction = HashFunction::Sha256;
pub const DEFAULT_CERT_KEY_TYPE: KeyType = KeyType::Rsa2048; pub const DEFAULT_CERT_KEY_TYPE: KeyType = KeyType::Rsa2048;

16
acmed/src/main_event_loop.rs
View File

@ -179,15 +179,23 @@ async fn renew_certificate(
account_s: AccountSync, account_s: AccountSync,
endpoint_s: EndpointSync, endpoint_s: EndpointSync,
) -> (&mut Certificate, AccountSync, EndpointSync) { ) -> (&mut Certificate, AccountSync, EndpointSync) {
let backoff = [60, 10 * 60, 100 * 60, 24 * 60 * 60];
let mut scheduling_retries = 0;
loop { loop {
match certificate.should_renew().await {
Ok(true) => break,
Ok(false) => {}
match certificate.schedule_renewal().await {
Ok(duration) => {
sleep(duration).await;
break;
}
Err(e) => { Err(e) => {
certificate.warn(&e.message); certificate.warn(&e.message);
sleep(Duration::from_secs(
backoff[scheduling_retries.min(backoff.len() - 1)],
))
.await;
scheduling_retries += 1;
} }
} }
sleep(Duration::from_secs(crate::DEFAULT_SLEEP_TIME)).await;
} }
let (status, is_success) = let (status, is_success) =
match request_certificate(certificate, account_s.clone(), endpoint_s.clone()).await { match request_certificate(certificate, account_s.clone(), endpoint_s.clone()).await {

Write Preview
Loading…
Cancel
Save