feat: attempt to check ARI unless explicitly disabled #2298
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
beautifulentropy
changed the title
beautifulentropy
changed the title
|
I don't merge the PR because I have doubts about the impact of this PR: I don't see any problem with doing this with LE, but I wonder about the ACME servers. 🤔 I'm torn between having a better default value, but that can introduce a change that may upset a large number of users, or just keeping the current option. |
Oh, interesting! I figured that this was reasonably safe given that use of ARI is actually gated on whether or not the CA includes a |
|
If we change these to |
|
something like that: var replacesCertID string
var ariRenewalTime *time.Time
if ctx.Bool(flgARIEnable) {
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
if ariRenewalTime != nil {
now := time.Now().UTC()
// Figure out if we need to sleep before renewing.
if ariRenewalTime.After(now) {
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
time.Sleep(ariRenewalTime.Sub(now))
}
}
replacesCertID, err = certificate.MakeARICertID(cert)
if err != nil {
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
}
}
if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
return nil
}
...
if replacesCertID != "" {
request.ReplacesCertID = replacesCertID
} |
ldez
force-pushed
the
use-ari-by-default
branch
from
434d607 to
ede2825
Compare
ldez
changed the title
usarise
added a commit
to usarise/lego
that referenced
this pull request
Nov 12, 2024
* volcengine: set API information within the default configuration (go-acme#2308) Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com> * limacity: fix error message (go-acme#2310) * Add DNS provider for Core-Networks (go-acme#2101) * chore: update readme generator (go-acme#2311) * chore: fix readme generator (go-acme#2312) * chore: embed templates for internal commands (go-acme#2314) * chore: improve internal release command (go-acme#2315) * fix: parse printf verbs in log line output (go-acme#2317) * Add DNS provider for Regfish (go-acme#2320) * chore: update dependencies (go-acme#2321) * selectelv2: fix non-ASCII domain (go-acme#2322) Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com> * brandit: provider deprecation (go-acme#2116) * cloudxns: provider deprecation (go-acme#2324) * chore: update issue templates * docs: use homogenous examples (go-acme#2328) * regru: update authentication method (go-acme#2325) * rfc2136: add support for tsig-keygen generated file (go-acme#2330) Co-authored-by: Dominik Menke <git@dmke.org> * Add DNS provider for Technitium (go-acme#2332) * feat: skip the TLS verification of the ACME server (go-acme#2335) * docs: add documentation for env var only options (go-acme#2337) * docs: update least privilege instructions for Cloudflare (go-acme#2339) * feat: attempt to check ARI unless explicitly disabled (go-acme#2298) Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com> * chore: domain merge simplification (go-acme#2340) * chore: update linter (go-acme#2341) * Prepare release v4.20.0 * Detach v4.20.0 * Prepare release v4.20.1 * Detach v4.20.1 * Prepare release v4.20.2 * Detach v4.20.2 * fix: HTTP server IPv6 matching (go-acme#2345) * docs: improve changelog style (go-acme#2346) * docs: fix typos --------- Co-authored-by: 刘瑞斌 <bin@fit2cloud.com> Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com> Co-authored-by: Dominik Menke <dom@digineo.de> Co-authored-by: Frederic Hemberger <fhemberger@users.noreply.github.com> Co-authored-by: Artem Chirkov <45077592+Archirk@users.noreply.github.com> Co-authored-by: Maksim Kamanin <79706809+tcaty@users.noreply.github.com> Co-authored-by: Dominik Menke <git@dmke.org> Co-authored-by: Josh McKinney <joshka@users.noreply.github.com> Co-authored-by: Samantha Frank <hello@entropy.cat>
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
With draft-ietf-acme-ari now in IETF Working Group Last Call—the final step before becoming an RFC—it is reasonable to enable ARI checks by default.