Skip to content

Commit

Permalink
retry if nonce is invalid
Browse files Browse the repository at this point in the history 
fix #627
  • Loading branch information
neil committed Feb 17, 2017
1 parent 52f8b78 commit 0bc745f
Showing 1 changed file with 56 additions and 43 deletions.
99 changes: 56 additions & 43 deletions acme.sh
View file
Expand Up @@ -1530,62 +1530,75 @@ _send_signed_request() {
payload64=$(printf "%s" "$payload" | _base64 | _url_replace)
_debug3 payload64 "$payload64"

if [ -z "$_CACHED_NONCE" ]; then
_debug2 "Get nonce."
nonceurl="$API/directory"
_headers="$(_get "$nonceurl" "onlyheader")"
MAX_REQUEST_RETRY_TIMES=5

This comment has been minimized.

Sign in to view

Copy link
@ppaeps

ppaeps Feb 17, 2017

Perhaps make this configurable?

This comment has been minimized.

Sign in to view

Copy link
@Neilpang

Neilpang Feb 17, 2017

Member

It's too trivials. If 5 times are all failed, I think the CA server has some big trouble. we should stop trying.

This comment has been minimized.

Sign in to view

Copy link
@ppaeps

ppaeps Feb 17, 2017

Fair enough. Sounds reasonable.
_request_retry_times=0
while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
_debug3 _request_retry_times "$_request_retry_times"
if [ -z "$_CACHED_NONCE" ]; then
_debug2 "Get nonce."
nonceurl="$API/directory"
_headers="$(_get "$nonceurl" "onlyheader")"

if [ "$?" != "0" ]; then
_err "Can not connect to $nonceurl to get nonce."
return 1
fi
if [ "$?" != "0" ]; then
_err "Can not connect to $nonceurl to get nonce."
return 1
fi

_debug2 _headers "$_headers"
_debug2 _headers "$_headers"

_CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
_debug2 _CACHED_NONCE "$_CACHED_NONCE"
else
_debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
fi
nonce="$_CACHED_NONCE"
_debug2 nonce "$nonce"
_CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
_debug2 _CACHED_NONCE "$_CACHED_NONCE"
else
_debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
fi
nonce="$_CACHED_NONCE"
_debug2 nonce "$nonce"

protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2"
_debug3 protected "$protected"
protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2"
_debug3 protected "$protected"

protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
_debug3 protected64 "$protected64"
protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
_debug3 protected64 "$protected64"

if ! _sig_t="$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256")"; then
_err "Sign request failed."
return 1
fi
_debug3 _sig_t "$_sig_t"
if ! _sig_t="$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256")"; then
_err "Sign request failed."
return 1
fi
_debug3 _sig_t "$_sig_t"

sig="$(printf "%s" "$_sig_t" | _url_replace)"
_debug3 sig "$sig"
sig="$(printf "%s" "$_sig_t" | _url_replace)"
_debug3 sig "$sig"

body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
_debug3 body "$body"
body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
_debug3 body "$body"

response="$(_post "$body" "$url" "$needbase64")"
_CACHED_NONCE=""
if [ "$?" != "0" ]; then
_err "Can not post to $url"
return 1
fi
_debug2 original "$response"
response="$(_post "$body" "$url" "$needbase64")"
_CACHED_NONCE=""

if [ "$?" != "0" ]; then
_err "Can not post to $url"
return 1
fi
_debug2 original "$response"
response="$(echo "$response" | _normalizeJson)"

response="$(echo "$response" | _normalizeJson)"
responseHeaders="$(< "$HTTP_HEADER")"

responseHeaders="$(cat "$HTTP_HEADER")"
_debug2 responseHeaders "$responseHeaders"
_debug2 response "$response"
code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
_debug code "$code"

_debug2 responseHeaders "$responseHeaders"
_debug2 response "$response"
code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
_debug code "$code"
_CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"

_CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
if _contains "$response" "JWS has invalid anti-replay nonce"; then
_info "It seems the CA server is busy now, let's wait and retry."
_request_retry_times=$(_math "$_request_retry_times" + 1)
_sleep 5

This comment has been minimized.

Sign in to view

Copy link
@ppaeps

ppaeps Feb 17, 2017

Perhaps make this configurable? Possibly @cpu can comment on this.

This comment has been minimized.

Sign in to view

Copy link
@Neilpang

Neilpang Feb 17, 2017

Member

@ppaeps you mean the error message configurable ?

This comment has been minimized.

Sign in to view

Copy link
@ppaeps

ppaeps Feb 17, 2017

I meant the timeout: you're hardcoding 5 retries at 5 second intervals. If servers do get very busy, perhaps this should be configurable or possibly exponentially back off. As you pointed out in your other comment though: if the servers are in that much trouble, we should just stop retrying.
continue
fi
break;
done

}

Expand Down

0 comments on commit 0bc745f

Please sign in to comment.