Skip to content

Refactor authorization status polling #44

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Refactor authorization status polling #44

wants to merge 2 commits into from
+78 −94

Conversation

bavshin-f5
Copy link
Member

@bavshin-f5 bavshin-f5 commented Aug 27, 2025
edited
Loading

Tested with:

  • Pebble
  • Let's Encrypt stg and prod
  • ZeroSSL
  • EJBCA EE
  • EJBCA EE + RFC8555 EAB
  • Step CA

Fixes: #29
Fixes: #37
Fixes: #40

@bavshin-f5 bavshin-f5 requested a review from Copilot August 27, 2025 18:26
Copilot
Copilot AI reviewed Aug 27, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR refactors the authorization status polling mechanism to improve reliability and reduce unnecessary retry attempts. The changes replace fixed retry counts with configurable timeouts and implement exponential backoff strategies.

Key changes:

  • Replaces fixed retry counters with configurable timeout-based retry policies
  • Implements exponential backoff with maximum interval limits for better server behavior
  • Consolidates challenge handling logic by removing the separate do_challenge method

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@bavshin-f5
ACME: poll authorizations instead of challenges.
e1a9110 
Previously, we assumed that we should poll the challenge URL until
completion, because all the servers we tested correctly responded to a
POST-as-GET to the challenger URL.
We also made an initial POST-as-GET request to fetch the status and skip
the challenges in "valid" state.

RFC8555 7.5.1 specifies that we should poll the authorization resource
status instead. Additionally, the discussion around Errata ID 6317
implies that it is harmful to initiate multiple challenges, as a single
failure invalidates the whole authorization.

Given the above, we can simplify the code and proceed to poll the
authorization status after initiating the first available challenge.
@bavshin-f5
ACME: use increasing intervals with timeout when polling.
47c95ab 
Previously, we limited polling for challenge and order status to a fixed
number of tries. The updated algorithm will use increasing intervals and
give up when the total wait timeout has elapsed.
@bavshin-f5 bavshin-f5 force-pushed the authorization-polling branch from 5f14ca2 to 47c95ab Compare August 27, 2025 22:59
@bavshin-f5 bavshin-f5 requested review from xeioex and ensh63 August 28, 2025 23:17
@bavshin-f5 bavshin-f5 marked this pull request as ready for review August 28, 2025 23:17
ensh63
ensh63 approved these changes Aug 29, 2025
View reviewed changes
Copy link
Contributor

@ensh63 ensh63 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good with one remark:

request retrying logic may be made more complicated then simple repetition with fixed interval and fixed overall times. It gives fast failure in case of permanent network errors but may lead to unnecessary failures if error conditions are temporary. But this may be postponed to adding fatal error checking in future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@ensh63 ensh63 ensh63 approved these changes

@xeioex xeioex Awaiting requested review from xeioex

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@bavshin-f5 @ensh63