kristapsdz / acme-client-portable

portable version of acme-client, a secure ACME client
https://kristaps.bsd.lv/acme-client
ISC License

Wait until "status" changes to "valid" #18

Closed fraenki closed 7 years ago

fraenki commented 7 years ago

When using -t dns-01 to use a different validation method, acme-client instantly exits with an error if the validation fails on the first try:

acme-client: https://acme-staging.api.letsencrypt.org/acme/challenge/foobar/123: bad response
acme-client: transfer buffer: [{ "type": "dns-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "DNS problem: NXDOMAIN looking up TXT

-OR-

acme-client: https://acme-staging.api.letsencrypt.org/acme/challenge/foobar/123: bad response
acme-client: transfer buffer: [{ "type": "dns-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized", "detail": "Correct value not found for DNS challenge",

Some validation methods like DNS-01 may take a few seconds or minutes before validation can succeed (depending on the DNS provider used).

Please add an option to allow acme-client to retry for a specified amount of time. Maybe something like -R 30 (retry 30 times) and -w 5 (wait 5 seconds between retries).

(As an alternative, maybe print the challenge URL earlier in the process, so that the external validation script can check the validation status before allowing acme-client to continue.)

kristapsdz commented 7 years ago

Your update script should be fixed. By the time it responds to acme-client, it should be ready to serve the world. Change it to verify the DNS record itself before reporting to acme-client that it's done.
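The check the maintainer describes, written out as an added example (not code from this thread or from the acme-client project): a DNS-01 update hook that, after publishing the TXT record, polls a public resolver and only returns to acme-client once the expected value is actually visible. The hook interface (challenge host and token value passed as two arguments), the `RESOLVER`, `MAX_TRIES` and `SLEEP_SECS` knobs, and the use of `dig` are assumptions of this example, not something the project defines.

```shell
#!/bin/sh
# Added example, not acme-client's own code. Usage (assumed interface):
#   ./dns01-hook.sh _acme-challenge.example.com <challenge-token>
# The DNS provider update itself is out of scope here; this script only
# implements the "verify before reporting done" part.

RESOLVER="${RESOLVER:-8.8.8.8}"   # assumed: any public recursive resolver
MAX_TRIES="${MAX_TRIES:-30}"      # assumed default: 30 attempts
SLEEP_SECS="${SLEEP_SECS:-5}"     # assumed default: 5 seconds between attempts

# lookup_txt NAME: print the TXT strings currently published for NAME,
# as seen from the chosen resolver (dig prints each string in quotes).
lookup_txt() {
    dig +short @"$RESOLVER" "$1" TXT 2>/dev/null
}

# wait_for_txt NAME EXPECTED: poll until EXPECTED is one of the TXT values
# published for NAME. Returns 0 when it is seen, 1 after MAX_TRIES misses,
# so the caller (acme-client) never proceeds against a record that is not
# yet world-visible.
wait_for_txt() {
    name=$1
    expected=$2
    i=0
    while [ "$i" -lt "$MAX_TRIES" ]; do
        # Strip dig's quoting, then require an exact, fixed-string line match
        # (ACME tokens may contain '-' and '_', hence -F and --).
        if lookup_txt "$name" | tr -d '"' | grep -Fqx -- "$expected"; then
            return 0
        fi
        i=$((i + 1))
        [ "$i" -lt "$MAX_TRIES" ] && sleep "$SLEEP_SECS"
    done
    return 1
}

# Entry point: only act when invoked with the two hook arguments, so that
# sourcing the file for its functions does no network lookups.
if [ "$#" -eq 2 ]; then
    if wait_for_txt "$1" "$2"; then
        echo "TXT record for $1 is visible via $RESOLVER; reporting ready" >&2
        exit 0
    fi
    echo "TXT record for $1 not visible after $MAX_TRIES attempts" >&2
    exit 1
fi
```

Because the hook exits non-zero when the record never appears, acme-client never asks the CA to validate a challenge that would fail with NXDOMAIN or a stale value, which is the failure the two "bad response" transcripts above show. Querying a resolver other than the provider's own authoritative server is deliberate: it is closer to what the CA will see.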