x/crypto/acme: nonce error returned because of rate limit hit #18428
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
Soon
This needs action soon. (recent regressions, service outages, unusual time-sensitive situations)
Comments
|
I made letsencrypt/boulder#2450 for Let's Encrypt's side of this, but it seems like a fixable thing from |
|
CL https://golang.org/cl/34623 mentions this issue. |
|
(Just as FYI: the 429s from Let's Encrypt are a new, currently undocumented request-per-IP-per-endpoint-per-second rate limit that's set fairly low if you're parallelizing new-authz calls for a cert. This doesn't change crypto/acme's decision making much, though.) |
jmhodges
added a commit
to jmhodges/crypto
that referenced
this issue
Dec 26, 2016
This is a minimal fix to the HEAD rate limit problem discussed in golang/go#18428. We send the HEADs for fetching nonces to a URL that we know will be safer to hit than the POST-only resources where Let's Encrypt is interpreting HEAD requests as POSTs and incrementing rate limits as such. The safe URL chosen is the directory URL of the ACME server. A larger fix might use nonces gathered from previous API calls instead of making a second API call for each API call made. This also does not address the rate limit error being hidden by the nonce error as discussed in golang/go#18428. Updates golang/go#18428. Change-Id: I378c64759bd5315aa96b4daff107d2741d742349
|
/cc @bradfitz |
|
/cc @x1ddos |
titanous
added
the
NeedsFix
|
Working on it now, on all issues (collecting, better err, etc.) There could be an issue with collecting nonces from previous responses as Let's Encrypt keeps only a limited num. of issued nonces: https://github.com/letsencrypt/boulder/blob/affa0e92cd1bae31dcdfb6ae41c13a8b82e499b7/nonce/nonce.go#L18, so I'll make it a buffer with at most N collected nonces. |
|
CL https://golang.org/cl/36514 mentions this issue. |
bradfitz
added
the
Soon
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 28, 2022
Before this change, every JWS-signed request was preceded by a HEAD request to fetch a fresh nonce. The Client is now able to collect nonce values from server responses and use them for future requests. Additionally, this change also makes sure the client propagates any error encountered during a fresh nonce fetch. Fixes golang/go#18428. Change-Id: I33d21b450351cf4d98e72ee6c8fa654e9554bf92 Reviewed-on: https://go-review.googlesource.com/36514 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 29, 2022
Before this change, every JWS-signed request was preceded by a HEAD request to fetch a fresh nonce. The Client is now able to collect nonce values from server responses and use them for future requests. Additionally, this change also makes sure the client propagates any error encountered during a fresh nonce fetch. Fixes golang/go#18428. Change-Id: I33d21b450351cf4d98e72ee6c8fa654e9554bf92 Reviewed-on: https://go-review.googlesource.com/36514 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
LewiGoddard
pushed a commit
to LewiGoddard/crypto
that referenced
this issue
Feb 16, 2023
Before this change, every JWS-signed request was preceded by a HEAD request to fetch a fresh nonce. The Client is now able to collect nonce values from server responses and use them for future requests. Additionally, this change also makes sure the client propagates any error encountered during a fresh nonce fetch. Fixes golang/go#18428. Change-Id: I33d21b450351cf4d98e72ee6c8fa654e9554bf92 Reviewed-on: https://go-review.googlesource.com/36514 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
BiiChris
pushed a commit
to BiiChris/crypto
that referenced
this issue
Sep 15, 2023
Before this change, every JWS-signed request was preceded by a HEAD request to fetch a fresh nonce. The Client is now able to collect nonce values from server responses and use them for future requests. Additionally, this change also makes sure the client propagates any error encountered during a fresh nonce fetch. Fixes golang/go#18428. Change-Id: I33d21b450351cf4d98e72ee6c8fa654e9554bf92 Reviewed-on: https://go-review.googlesource.com/36514 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
desdeel2d0m
added a commit
to desdeel2d0m/crypto
that referenced
this issue
Jul 1, 2024
Before this change, every JWS-signed request was preceded by a HEAD request to fetch a fresh nonce. The Client is now able to collect nonce values from server responses and use them for future requests. Additionally, this change also makes sure the client propagates any error encountered during a fresh nonce fetch. Fixes golang/go#18428. Change-Id: I33d21b450351cf4d98e72ee6c8fa654e9554bf92 Reviewed-on: https://go-review.googlesource.com/36514 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I'm consistently getting back
acme: nonce not foundon a cert of mine, becausefetchNonceis doing a fewHEADs tohttps://acme-v01.api.letsencrypt.org/acme/new-authzand getting back a 429 rate limit hit back.While the real problem is the rate limit being reached, it was hidden by the
nonce not founderror that can only be detected by callingerr.Error()on it.Let's Encrypt could be kinder to us, but it would be beneficial for x/crypto/acme, if it needs a nonce, to hit an endpoint that is guaranteed to be relatively safe from rate-limiting. Perhaps, the
/directorypath?It'd also be cool for crypto/acme to be storing nonces it's gathered from previous normal API calls and using those, instead of calling out again to fetchNonce for every new API call.
It'd also be nice for crypto/acme to return a specific error when it hits one of the various rate limits.
The text was updated successfully, but these errors were encountered: