Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Structure of ACME Tidy #20494

Merged
merged 18 commits into from
May 5, 2023
Merged

Structure of ACME Tidy #20494

merged 18 commits into from
May 5, 2023

Conversation

kitography
Copy link
Contributor

@kitography kitography commented May 3, 2023
edited
Loading

  • Logic to Tidy Accounts (including Thumbprints) with No Orders, after configurable safety buffer time from creation
    -- Track Creation Date of Account
    -- Configure Account Safety Buffer on Tidy (Read, Write)
    -- Configure Account Safety Buffer on Auto-Tidy
    -- Revoke after safety-period (Date stored to ensure this)
    -- Delete safety-period after revocation
  • Tidy Orders (including authorizations) after Expiry , or when the certificate they produced expired (and certificate safety buffer)
  • Count and report number of accounts to evaluate/revoked/deleted and orders deleted
  • Lock on Tidy (and Account Creation)

More Testing to Come

@kitography kitography self-assigned this May 3, 2023
@kitography kitography mentioned this pull request May 4, 2023
Closed
@kitography kitography added this to the 1.14 milestone May 4, 2023
@kitography kitography marked this pull request as ready for review May 5, 2023 03:00
@kitography kitography requested a review from a team May 5, 2023 03:00
cipherboy
cipherboy reviewed May 5, 2023
View reviewed changes
builtin/logical/pki/path_tidy.go Outdated
TidyAcme: false,
SafetyBuffer: 72 * time.Hour,
IssuerSafetyBuffer: 365 * 24 * time.Hour,
AcmeAccountSafetyBuffer: 48 * time.Hour,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that certbot doesn't gracefully handle account removal, I'd maybe make this 30 days perhaps by default.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotcha. I've done that. Did you want this to apply to time after order/cert expiry as well, if certbot doesn't handle that well?

cipherboy
cipherboy reviewed May 5, 2023
View reviewed changes
builtin/logical/pki/path_tidy.go Outdated
}

for _, thumbprint := range list {
b.tidyAcmeAccountByThumbprint(b.acmeState, acmeCtx, thumbprint, config.SafetyBuffer, config.AcmeAccountSafetyBuffer)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this returns an error, should it be handled?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking that an error on any particular account shouldn't stop the tidy, but I probably should log it, so thank you. Logging added.

cipherboy
cipherboy approved these changes May 5, 2023
View reviewed changes
Copy link
Contributor

@cipherboy cipherboy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, looking good @kitography!

stevendpclark
stevendpclark approved these changes May 5, 2023
View reviewed changes
Copy link
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@kitography kitography enabled auto-merge (squash) May 5, 2023 15:02
@kitography kitography merged commit 9480573 into main May 5, 2023
@kitography kitography deleted the VAULT-13351-acme-add-purge-expired-orders-and-challenges-to-tidy-auto-tidy branch May 5, 2023 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cipherboy cipherboy cipherboy approved these changes

@stevendpclark stevendpclark stevendpclark approved these changes

Assignees

@kitography kitography

Labels
pr/no-changelog
Projects
None yet
Milestone
1.14
Development

Successfully merging this pull request may close these issues.
3 participants
@kitography @cipherboy @stevendpclark