Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Timeout in verifyChallenge #31

Closed
moizhusnain opened this issue Apr 30, 2020 · 3 comments
Closed

Timeout in verifyChallenge #31

moizhusnain opened this issue Apr 30, 2020 · 3 comments

Comments

@moizhusnain
Copy link

Hey guys, first of all thanks a lot for building such a useful library and for managing it so actively. I am using this package for a project where I have built an integration to generate SSL certificates (it is a kind of hosting service).

I have observed an issue that verifyChallenge don't really timeout in cases where DNS challenge has not been fulfilled.

So for example, I create an order for example.com and decided to go for DNS challenge but submitted a request to verifyChallange without actually creating a TXT record. In this case, verifyChallange function waits for a lot - like several minutes before generating an error/response.
@moizhusnain
Copy link
Author

I have done some digging in the code and looks like this is because you guys are using default DNS package of node in verify.js/verifyDnsChallenge and as identified here and here, it is an inherit issue of this package.

I believe the dns-socket package can solve this issue.

@nmorsman
Copy link
Contributor

Hi @moizhusnain,

The behaviour you are experiencing is most likely not due to DNS timeouts, as they should only occur during network disruptions etc.

By default acme-client will retry challenge verification if it cannot find a valid response up to 5 times with exponential backoff. This can for example be observed by running with debugging:

$ DEBUG=acme-client node test.js
...
  acme-client Waiting for ACME challenge verification { attempts: 5, min: 5000, max: 30000 } +3s
  acme-client Sending HTTP query to example.com, suffix: /.well-known/acme-challenge/example, port: 80 +0ms
  acme-client Promise rejected attempt #1, retrying in 5000ms: socket hang up +0ms
  acme-client Sending HTTP query to example.com, suffix: /.well-known/acme-challenge/example, port: 80 +5s
  acme-client Promise rejected attempt #2, retrying in 10000ms: socket hang up +5s
  acme-client Sending HTTP query to example.com, suffix: /.well-known/acme-challenge/example, port: 80 +10s
  acme-client Promise rejected attempt #3, retrying in 20000ms: socket hang up +10s
  acme-client Sending HTTP query to example.com, suffix: /.well-known/acme-challenge/example, port: 80 +20s
  acme-client Promise rejected attempt #4, retrying in 30000ms: socket hang up +20s
  acme-client Sending HTTP query to example.com, suffix: /.well-known/acme-challenge/example, port: 80 +30s
  acme-client [auto] [example.com] Trigger challengeRemoveFn() +1m
...

So if a valid challenge response is never produced, it will finally throw an error after 65 seconds with the default configuration. The reason for this is to counter possible delays (DNS propagation time, etc.) when verifying challenge responses.

The default backoff configuration can be overridden when creating a client instance.

Hope that helps clear things up!

@moizhusnain
Copy link
Author

Thanks @nmorsman
I got it. Gonna try it out. You are guys are doing pretty great job, can I help in managing this package?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@moizhusnain @nmorsman