claytondaley
commented
5 years ago Come to think of it, even better if you could guard against the issue. Before starting the Let's Encrypt process:
- Make sure the DNS name resolves to an A record
- (configurable) Make a request against that domain to ensure it's reaching the right machine (the instance making the request). This would guard against old A records that are no longer valid.
The second check needs to be optional as it's theoretically possible that the container won't be able to initiate outbound connections.
echohtp
Your image is perfect for Amazon's Elastic Container Service (ECS) because it requires no local bindings/files. Unfortunately, it's hard to provision a static IP on ECS unless you use (and pay for) a load balancer.
I don't need/want to pay for a load balancer so I must manually update my DNS (+time to propagate) each time I deploy a new container. As a result, I'm running afoul of Let's Encrypt's rate limits, specifically a Failed Validation limit of 5 failures per account, per hostname, per hour.
Given that hard cap, I'd like to suggest adjusting the retry interval to something like minute 0, 1, 5, 15, (and every 15 minutes after that i.e. 30, 45, 60, 75). In theory, min 45 (and probably 60) will rate limit, but this provides a simple rule-of-thumb that is otherwise rate-friendly.EDIT: Per the discussion in #23, the long-term goal is to simulate the acme check:
PR #23 (merged) is a first step in this direction, providing a simple check that a server (but not necessarily this one) responds with 200 to a call to the domain name. This issue has been left open to track potential improvements.