Comments (7)
I think this is a thundering herd issue. We probably need https://pkg.go.dev/golang.org/x/sync/singleflight with the domain as key.
> every 6 hours, if respecting the Retry-After header
Is this zoned per queried hostname or per client?
from certmagic.
Thank you for the investigation and fix! We plan to keep an intermittent eye on ARI traffic patterns for a while, so I'll let you know if I see anything else jump out at me.
Oh yeah that makes sense. If you get like 33 requests within a second, then all 33 of them might be triggering ARI via on-demand maintenance. I think certmagic needs to use https://pkg.go.dev/sync#WaitGroup to make sure it only gets fired off a single time per window.
> Is this zoned per queried hostname or per client?
Neither, it's per certificate. A single certificate may have multiple hostnames, but also a single client may manage multiple certificates.
I'll take a look into this when I'm back at my desk
The ARI suggestedWindow should be cached for the duration provided by the Retry-After header in the ARI response.
CertMagic does honor the Retry-After header, if present, by calling acme.RenewalInfo.NeedsRefresh().
I do agree this is likely a thundering herd, where many calls to update ARI come in before the first one finishes, since it lacks synchronization.
We can synchronize ARI fetching using the configured storage plugin. This will prevent any more than 1 instance in a cluster from fetching ARI at the same time, and after the first one does, the others will load and use its result.
Depending on the storage plugin, it's possible that this locking will be more expensive than actually fetching ARI, but it only happens once in a while, so maybe it's OK.
Thanks for the report! This should fix it, but without an offending client to test with I can only guess; it makes sense to me, though.
I've synchronized the ARI fetching by the ARI UniqueIdentifier.