
Add configurable sleep for slow CA order processing#6869

Open
denisfoulon wants to merge 4 commits into acmesh-official:dev from denisfoulon:master

Conversation

@denisfoulon

This PR keeps the change minimal and shell-compatible.

It adds configurable waiting for slow ACME order processing:

  • LE_PROCESSING_MIN_SLEEP
  • LE_MIN_RETRY_SLEEP
  • LE_MAX_RETRY_AFTER

This helps with CAs returning Retry-After: 0 or taking longer to finalize certificates with many SANs.

Tested successfully with a slow CA on a certificate containing many SANs.

@denisfoulon
Author

denisfoulon commented Mar 21, 2026

Related to #5233, #6103, #6763.

This PR improves handling of slow order processing and retry timing for ACME servers returning Retry-After: 0 or taking longer to finalize certificates with many SANs.

This follow-up PR removes the unrelated shebang change from the previous attempt and targets dev only. The diff is now limited to the retry/sleep handling for slow CA order processing.

Contributor

Copilot AI left a comment

Pull request overview

This PR aims to make ACME order polling more resilient to slow CA processing and problematic Retry-After behavior by introducing configurable minimum sleeps and retry thresholds.

Changes:

  • Introduces LE_MIN_RETRY_SLEEP to enforce a minimum delay when handling Retry-After (notably for 503 overload responses).
  • Introduces LE_MAX_RETRY_AFTER (currently only reflected in log messaging) intended to cap how long the client will wait before giving up.
  • Adds LE_PROCESSING_MIN_SLEEP during order “processing” polling to add additional delay between retries.

@denisfoulon
Author

Hi everyone,

I've updated the PR to address the points raised during the review:

Robustness: Added ${_retryafter:-0} to prevent arithmetic syntax errors if the header is missing.

Consistency: Replaced hardcoded 600 thresholds with the ${LE_MAX_RETRY_AFTER} variable.

Best Practices: Switched from sleep to the internal _sleep function.

Coverage: Updated the logic to ensure the configured minimum sleep is respected even if the CA returns Retry-After: 0.
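The retry-wait policy the PR description and the review response above describe (a configured floor that applies even when the CA sends Retry-After: 0, a safe default when the header is missing, and an upper cap taken from LE_MAX_RETRY_AFTER), written out as a stand-alone POSIX sh example so each edge case can be checked in isolation. This is an added illustration, not code from acme.sh or from this PR: the function names compute_retry_wait, compute_processing_wait and _to_seconds, the "print seconds, or return 1 to give up" interface, and the default values are assumptions of the example; only the three LE_* variable names come from the PR.

```shell
#!/bin/sh
# Added example, not acme.sh's own code. Function names, the print/return
# interface and the defaults below are assumptions; the LE_* names are the
# variables this PR introduces.

: "${LE_MIN_RETRY_SLEEP:=5}"       # floor for Retry-After driven waits
: "${LE_PROCESSING_MIN_SLEEP:=15}" # floor between "processing" polls
: "${LE_MAX_RETRY_AFTER:=3600}"    # longest wait accepted before giving up

# _to_seconds VALUE
# Normalise a Retry-After header value: an empty, missing or non-numeric
# value (e.g. an HTTP-date form) becomes 0, so later arithmetic never fails.
_to_seconds() {
  case "$1" in
    '' | *[!0-9]*) echo 0 ;;
    *) echo "$1" ;;
  esac
}

# compute_retry_wait RETRY_AFTER
# For an overload (503) response. Prints the seconds to sleep and returns 0,
# or prints nothing and returns 1 when the server asks for more than
# LE_MAX_RETRY_AFTER, in which case the caller should stop retrying.
compute_retry_wait() {
  _retryafter=$(_to_seconds "$1")
  if [ "$_retryafter" -gt "$LE_MAX_RETRY_AFTER" ]; then
    return 1
  fi
  # Respect the configured minimum even when the CA says Retry-After: 0
  if [ "$_retryafter" -lt "$LE_MIN_RETRY_SLEEP" ]; then
    _retryafter="$LE_MIN_RETRY_SLEEP"
  fi
  echo "$_retryafter"
}

# compute_processing_wait RETRY_AFTER
# While the order status is "processing": the poll interval is the larger of
# the server's Retry-After and LE_PROCESSING_MIN_SLEEP.
compute_processing_wait() {
  _retryafter=$(_to_seconds "$1")
  if [ "$_retryafter" -lt "$LE_PROCESSING_MIN_SLEEP" ]; then
    _retryafter="$LE_PROCESSING_MIN_SLEEP"
  fi
  echo "$_retryafter"
}

# Walk through the header values the PR discussion mentions (constructed
# sample inputs): missing, zero, a modest value, and one beyond the cap.
for _h in "" 0 20 7200; do
  if _w=$(compute_retry_wait "$_h"); then
    echo "Retry-After='$_h' -> sleep ${_w}s"
  else
    echo "Retry-After='$_h' -> exceeds LE_MAX_RETRY_AFTER, give up"
  fi
done
```

In the real client the returned value would be passed to the internal _sleep function rather than echoed; keeping the policy in a function that only prints a number is what makes it easy to test without actually sleeping.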

Commits

Add LE_PROCESSING_MIN_SLEEP for slow CA processing (fixes HARICA timeout)

Add env vars for processing loop:
- LE_PROCESSING_MIN_SLEEP=15 (line ~5299)
- LE_MIN_RETRY_SLEEP=5 (overload_retry)
- LE_MAX_RETRY_AFTER=3600 (>600 limit)

Tested: HARICA 32-SAN cert success (before: 30s timeout).

Remove unrelated bash shebang change

Handle empty Retry-After headers with default values.

Use internal _sleep function for better integration.

Align retry thresholds with configurable variables.

Ensure sleep logic executes even when Retry-After is 0.

fix arithmetic spacing and indentation for shfmt
@denisfoulon
Author

I've applied the formatting fixes (arithmetic spacing and indentation) to comply with shfmt. Tests should be greener now! Thanks for your help on this.
