Allow delay before validating challenge

Question

Allow delay before validating challenge

h3rmanj opened this issue 2 years ago · 3 comments

Is your feature request related to a problem? Please describe.
I am trying to deploy my application to OpenShift. I've set up routes correctly, but i keep getting this error;

[13:41:13 ERR] Failed to validate ownership of domainName 'xxx'. Reason: urn:ietf:params:acme:error:unauthorized: x.x.x.x: Invalid response from http://xxx/.well-known/acme-challenge/xxx: 503, Code = Forbidden

However, when I try the link myself I get a success status response. I think the library is calling ValidateChallengeAsync too quickly. While my app is ready to receive HTTP requests, OpenShift hasn't started to redirect traffic to the pod.

Describe the solution you'd like
I'd like to be able to specify an option to delay the call of ValidateChallengeAsync in https://github.com/natemcmaster/LettuceEncrypt/blob/main/src/LettuceEncrypt/Internal/Http01DomainValidator.cs#L56 .

Something like

{
  "LettuceEncrypt": {
    "ValidationDelayMs": 5000
  }
}

And in the validator it would use the variable

_logger.LogTrace("Waiting for server to start accepting HTTP requests");
await _appStarted.Task;

if (_config.ValidationDelayMs > 0) {
  _logger.LogTrace("Waiting for user-specified time before validating");
  await Task.Delay(_config.ValidationDelayMs);
}

_logger.LogTrace("Requesting server to validate HTTP challenge");
await _client.ValidateChallengeAsync(httpChallenge);

Additional context
I have manually tested by adding a await Task.Delay() and injected the nupkgs in my pipeline, and it works. I'll gladly make a PR, but I need some guidance of how to access the LettuceEncryptOptions from Http01DomainValidator.cs (or the TlsAlpn01 validator), as it's manually created by AcmeCertificateFactory, and not registered in DI.

Answer 1 · 2022-06-21T08:10:49.000Z

While delaying x amount could work in my scenario, it is a workaround and probably not an optimal solution to add to the library. I think a better solution would be to have a shared validation challenge store, which instances of my application could read and write to, no matter which one requested the domain validation.

After looking through the internals of this library, I think IHttpChallengeResponseStore might be a good place to hook into. It's internal right now, but making it public (and async) would allow consumers to implement their custom store, and also let it be implemented in the Azure integration.

Answer 2 · 2023-06-22T02:01:29.000Z

This issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please comment if you believe this should remain open, otherwise it will be closed in 14 days. Thank you for your contributions to this project.

Answer 3 · 2023-07-06T02:09:49.000Z

Closing due to inactivity.
If you are looking at this issue in the future and think it should be reopened, please make a commented here and mention natemcmaster so he sees the notification.