Retry without replaces-field when appropriate #50
mholt
left a comment
I like this approach much better. Does it work for you?
|
I did not test it. To unblock my situation, I disabled ARI for now (so I have a valid certificate and cannot reproduce the issue). Ideally I can add a unit test to this PR. I saw that https://github.com/letsencrypt/pebble is made for this. |
a1aa4a4 to 1f2885e
|
I added a test. To test locally, clone my fork and use the |
1f2885e to a048b85
a048b85 to ae28ddd
|
Thanks!! Sorry for the delay on this, life's been crazy. Will circle back soon |
mholt
left a comment
Thanks for this, @oliverpool -- sorry for my absurdly long response time.
Let's give it a try!
|
No need to apologize, hope life is a bit less crazy now. Thank you for all the efforts you invest in the https/acme/go ecosystem! |
Fixes caddyserver/certmagic#361
This is more of a workaround, but apparently the spec expects the server to reject orders when a certificate has already been replaced. So the client should retry: ietf-wg-acme/acme-ari#56 (comment) (via caddyserver/certmagic#364 (comment))
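
The retry described above, as an added Go example that is not code from this pull request: `Problem`, `Order`, `newOrderFunc` and `submitOrder` are hypothetical names, the server is a constructed stub, and the `alreadyReplaced` error type is taken from the ARI specification rather than from this page. The retry is limited to that one error type so that any other rejection still reaches the caller.

```go
package main

import (
	"errors"
	"fmt"
)

// Problem is a minimal ACME problem document (hypothetical type).
type Problem struct {
	Status int
	Type   string
}

func (p *Problem) Error() string { return fmt.Sprintf("HTTP %d %s", p.Status, p.Type) }

// ARI error type for an already-replaced certificate (from the spec, not this page).
const alreadyReplaced = "urn:ietf:params:acme:error:alreadyReplaced"

// Order holds only the newOrder fields relevant here (hypothetical type).
type Order struct {
	Identifiers []string
	Replaces    string // ID of the predecessor certificate; empty means omitted
}

// newOrderFunc stands in for the signed POST to the server's newOrder endpoint.
type newOrderFunc func(Order) error

// submitOrder sends the order as given and retries exactly once without
// Replaces when the server answers alreadyReplaced; other errors pass through.
func submitOrder(post newOrderFunc, o Order) (Order, error) {
	err := post(o)
	var p *Problem
	if err == nil || o.Replaces == "" || !errors.As(err, &p) || p.Type != alreadyReplaced {
		return o, err
	}
	o.Replaces = "" // drop the field, keep the identifiers
	return o, post(o)
}

func main() {
	// Constructed stub server: the predecessor is already marked as replaced.
	server := func(o Order) error {
		if o.Replaces != "" {
			return &Problem{Status: 409, Type: alreadyReplaced}
		}
		return nil
	}
	o, err := submitOrder(server, Order{[]string{"example.com"}, "constructed-id"})
	fmt.Printf("replaces=%q err=%v\n", o.Replaces, err)
}
```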