icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0

LE rate limit: feature request, wait until time communicated in rate limit message before trying again. #318

Open svde opened 11 months ago

svde commented 11 months ago

Feature request: for domains that have too many certificates already issued, wait for the time that LE communicates back until trying to renew again.

Error[Missing parameter for the specified command line option]: urn:ietf:params:acme:error:rateLimited Error creating new order :: too many certificates already issued for "xxxxx.com". Retry after 2023-08-04T12:00:00Z: see https://letsencrypt.org/docs/rate-limits/ Next run in ~40 minutes

It's 10:39Z now; trying to issue the certificate before 12:00Z won't work.

Sp1l commented 11 months ago

Makes sense. There should even be a "Retry-After" header accompanying that message (see https://www.rfc-editor.org/rfc/rfc8555#section-6.6). I checked my ACME client implementation in Python; I'm actually reading the retry-after (and the blocking domain) from the message. Not sure if the Retry-After header is missing from letsencrypt's response.

```python
import re

# err_type and error come from the ACME problem document (JSON) the server
# returned; "detail" is the human-readable text quoted in the issue above.
if err_type == "rateLimited":
    detail = re.search(
        r'issued for "([^ ]+)"\. Retry after ([0-9TZ:-]+): ',
        error["detail"]
    )
    domain = detail.group(1)   # the domain that hit the rate limit
    retry = detail.group(2)    # ISO 8601 timestamp to wait for
```

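As an added illustration (not code from mod_md or from any commenter), here is one way a client could turn a rate-limited response into a scheduling decision: parse the timestamp out of the `detail` text as above, also honour an RFC 7231 `Retry-After` header (either delta-seconds or an HTTP-date) if one is present, and never retry before the later of the two. The problem document and header values are constructed samples modelled on the error quoted in the issue; `default_backoff` of 40 minutes mirrors the "Next run in ~40 minutes" line and is an assumption, not a mod_md setting.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample ACME problem document (RFC 8555 section 6.7), modelled on
# the Let's Encrypt message quoted in the issue. Not real server output.
SAMPLE_PROBLEM = {
    "type": "urn:ietf:params:acme:error:rateLimited",
    "detail": (
        'Error creating new order :: too many certificates already issued '
        'for "example.com". Retry after 2023-08-04T12:00:00Z: '
        'see https://letsencrypt.org/docs/rate-limits/'
    ),
}

# Stricter than the regex in the comment above: only accept a full ISO 8601
# UTC timestamp so a mangled message cannot produce a bogus retry time.
RETRY_RE = re.compile(
    r'issued for "([^"]+)"\. Retry after '
    r'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)'
)


def parse_retry_after_header(value, now):
    """RFC 7231 Retry-After is either delta-seconds or an HTTP-date.
    Returns an aware datetime, or None if the header is absent/unparseable."""
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return now + timedelta(seconds=int(value))
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:          # HTTP-dates are GMT; be explicit
        when = when.replace(tzinfo=timezone.utc)
    return when


def parse_detail(detail):
    """Extract (domain, retry_time) from the rate-limit detail text."""
    match = RETRY_RE.search(detail or "")
    if not match:
        return None, None
    when = datetime.strptime(match.group(2), "%Y-%m-%dT%H:%M:%SZ")
    return match.group(1), when.replace(tzinfo=timezone.utc)


def next_attempt(problem, headers, now,
                 default_backoff=timedelta(minutes=40),
                 min_delay=timedelta(minutes=1)):
    """Decide when the next order attempt may run.

    Returns (domain, when). For a rateLimited problem the later of the time
    in the detail text and the Retry-After header wins; if neither parses,
    fall back to the client's normal backoff. Never returns a time earlier
    than now + min_delay, so a stale or odd value cannot cause a tight loop.
    """
    if problem.get("type") != "urn:ietf:params:acme:error:rateLimited":
        return None, now + default_backoff
    domain, from_detail = parse_detail(problem.get("detail"))
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    from_header = parse_retry_after_header(lowered.get("retry-after"), now)
    candidates = [t for t in (from_detail, from_header) if t is not None]
    if not candidates:
        return domain, now + default_backoff
    return domain, max(candidates + [now + min_delay])


if __name__ == "__main__":
    now = datetime(2023, 8, 4, 10, 39, tzinfo=timezone.utc)   # time quoted in the issue
    domain, when = next_attempt(SAMPLE_PROBLEM, {}, now)
    print(f"{domain}: wait {when - now} until {when.isoformat()}")
```

Using the later of the two sources is deliberate: the header is the machine-readable channel RFC 8555 points at, but the issue shows the text may be the only place the exact time appears, and retrying early only burns another request against the same limit.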
icing commented 11 months ago

I am willing to take in a PR that achieves this reliably.