Open Wicpar opened 1 year ago
Interesting. I'm going on vacation tomorrow until the 23rd, so review may have to wait until then.
Could you outline the goals and targeted use cases in a few lines here, especially with respect to:
- Coexistence between ACME and non-ACME certs is the primary goal, right? Adding/removing them on the fly without creating a new rustls config etc. is important, right?
- Adding and removing domains handled by ACME on the fly is a goal as well?
- Is the limit on the number of domains per cert a concern? There's a trade-off here between having many certs and having small certs.
I suspect I would like to merge features/refactors one-by-one, but I should review what you submitted a bit before commenting on the granularity in more detail.
Coexistence is supported: `resolver.create_pem_handle(pem, false)`
To update: `handle.use_pem(pem, false)`
Domains are automatically inferred from the PEM.
Rate limits for new certs per domain are not taken into account because new certificates are up to the user.
However, the 5 errors per hour and 300 orders per 3 hours are applied in the Updater, but not when done manually. The updater gives a warning if dropped.
If we take the rate limit pools into account and in a global context, it should be possible to handle them globally.
To create a new cert with any number of domains: `resolver.create_domain_handle(domains, true)`
and it will automatically be ordered and updated according to the order rate limit.
The user has full control over the number of certificates and the number of domains.
For now the system errors if there is a domain overlap between certificates, but it could be supported with minor changes.
For rate limiting reasons, orders are done sequentially and creation/updates stop if an error occurs; completed updates are still applied in case of errors.
Wildcard certificates are not yet supported.
Now all that is left is testing in real-world conditions, integrating it with the rest of the crate, renaming the structures to better names and documenting the functionalities.
I just tested it in production; however, there is this error I'm getting on one of the domains:
`An error occurred during certificate renewal: Acme(HttpRequest(Http(ConnectError(TlsConnect(Custom { kind: UnexpectedEof, error: "tls handshake eof" })))))`
Any idea?
EDIT: I was sending the identifiers instead of the authorizations like a dummy...
I can confirm it works like a charm in production.
Tell me how you would like to proceed.
I'm back home now. I'll try to find time to look at this in detail this week.
Ongoing fix for #47