Skip to content

Refactor authorization status polling #44

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 30, 2025
Merged

Refactor authorization status polling #44

merged 2 commits into from
Aug 30, 2025
+79 −94

Conversation

bavshin-f5
Copy link
Member

@bavshin-f5 bavshin-f5 commented Aug 27, 2025
edited
Loading

Tested with:

  • Pebble
  • Let's Encrypt stg and prod
  • ZeroSSL
  • EJBCA EE
  • EJBCA EE + RFC8555 EAB
  • Step CA

Fixes: #29
Fixes: #37
Fixes: #40

@bavshin-f5 bavshin-f5 requested a review from Copilot August 27, 2025 18:26
Copilot
Copilot AI reviewed Aug 27, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR refactors the authorization status polling mechanism to improve reliability and reduce unnecessary retry attempts. The changes replace fixed retry counts with configurable timeouts and implement exponential backoff strategies.

Key changes:

  • Replaces fixed retry counters with configurable timeout-based retry policies
  • Implements exponential backoff with maximum interval limits for better server behavior
  • Consolidates challenge handling logic by removing the separate do_challenge method

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@bavshin-f5 bavshin-f5 force-pushed the authorization-polling branch from 5f14ca2 to 47c95ab Compare August 27, 2025 22:59
@bavshin-f5 bavshin-f5 requested review from xeioex and ensh63 August 28, 2025 23:17
@bavshin-f5 bavshin-f5 marked this pull request as ready for review August 28, 2025 23:17
ensh63
ensh63 approved these changes Aug 29, 2025
View reviewed changes
Copy link
Contributor

@ensh63 ensh63 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good with one remark:

request retrying logic may be made more complicated then simple repetition with fixed interval and fixed overall times. It gives fast failure in case of permanent network errors but may lead to unnecessary failures if error conditions are temporary. But this may be postponed to adding fatal error checking in future.

bmos1
bmos1 approved these changes Aug 29, 2025
View reviewed changes
Copy link

@bmos1 bmos1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks almost correct to me, but I'm not sure if ChallengeStatus::Valid can be the result of a request to challenge URL. I understood that only the polling to authz URL can result in a ChallengeStatus::Valid.

xeioex
xeioex approved these changes Aug 30, 2025
View reviewed changes
Copy link
Contributor

@xeioex xeioex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise looks good.

@bavshin-f5
ACME: poll authorizations instead of challenges.
207dc52 
Previously, we assumed that we should poll the challenge URL until
completion, because all the servers we tested correctly responded to a
POST-as-GET to the challenger URL.
We also made an initial POST-as-GET request to fetch the status and skip
the challenges in "valid" state.

RFC8555 7.5.1 specifies that we should poll the authorization resource
status instead. Additionally, the discussion around Errata ID 6317
implies that it is harmful to initiate multiple challenges, as a single
failure invalidates the whole authorization.

Given the above, we can simplify the code and proceed to poll the
authorization status after initiating the first available challenge.
@bavshin-f5
ACME: use increasing intervals with timeout when polling.
5e648e4 
Previously, we limited polling for challenge and order status to a fixed
number of tries. The updated algorithm will use increasing intervals and
give up when the total wait timeout has elapsed.
@bavshin-f5 bavshin-f5 force-pushed the authorization-polling branch from 47c95ab to 5e648e4 Compare August 30, 2025 02:17
@bavshin-f5
Copy link
Member Author

Looks almost correct to me, but I'm not sure if ChallengeStatus::Valid can be the result of a request to challenge URL. I understood that only the polling to authz URL can result in a ChallengeStatus::Valid.

I confirmed that EJBCA performs validation while processing the POST to challenge URL, and delays the HTTP response until it is able to resolve the status to "valid" or "invalid". That is a fully spec-compliant behavior.

The other cases are pre-authorization and reuse of a previously validated authorization, but these are less likely to happen because we already filter valid authorizations a few lines above.

@bavshin-f5 bavshin-f5 merged commit ef4f634 into nginx:main Aug 30, 2025
14 checks passed
@bavshin-f5 bavshin-f5 deleted the authorization-polling branch August 30, 2025 03:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@xeioex xeioex xeioex approved these changes

@ensh63 ensh63 ensh63 approved these changes

+1 more reviewer

@bmos1 bmos1 bmos1 approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@bavshin-f5 @xeioex @bmos1 @ensh63