Page MenuHomePhabricator
Create Task
Maniphest T207927

Take into account LE rate limits on sensitive operations
Closed, ResolvedPublic
Actions

Description

As discussed yesterday in -traffic, we must take into account certain rate limits imposed by LE to avoid reaching them ourselves and kind of DoS-ing the certcentral service.

  • 5 failed validations per account, per hostname, per hour --> certcentral should be able to delay the retries issuing a certificate which validations are failing systematically
  • 5 duplicates per week (exact same CN/SAN list, account/crypto doesn't matter). --> certcentral should be able to delay the retries iff the certificate has been issued by LE but for some reason certcentral fails to persist on disk (host runs out of disk, issues on certificate serialization...)

Details

ProjectBranchLines +/-Subject
operations/software/certcentraldebian+7 -0debian: Add release 0.4 to changelog
operations/software/certcentraldebian+1 -1Release 0.4
operations/software/certcentraldebian+56 -37certcentral: Avoid fast retry on local errors after cert is issued
operations/software/certcentraldebian+118 -10certcentral: Implement slow retries on challenge rejection by ACME dir.
operations/software/certcentralmaster+1 -1Release 0.4
operations/software/certcentralmaster+56 -37certcentral: Avoid fast retry on local errors after cert is issued
operations/software/certcentralmaster+118 -10certcentral: Implement slow retries on challenge rejection by ACME dir.
Customize query in gerrit

Related Objects

Event Timeline

Vgutierrez created this task.Oct 25 2018, 7:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 25 2018, 7:50 AM
Vgutierrez claimed this task.Oct 25 2018, 8:09 AM
Vgutierrez triaged this task as High priority.
gerritbot added a subscriber: gerritbot.Oct 25 2018, 9:34 AM

Change 469590 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Implement slow retries on challenge rejection by ACME dir.

https://gerrit.wikimedia.org/r/469590

gerritbot added a project: Patch-For-Review.Oct 25 2018, 9:34 AM
Vgutierrez mentioned this in rOSCC9bc44c9facc4: certcentral: Implement slow retries on challenge rejection by ACME dir..Oct 25 2018, 9:36 AM
gerritbot added a comment.Oct 25 2018, 10:25 AM

Change 469590 merged by jenkins-bot:
[operations/software/certcentral@master] certcentral: Implement slow retries on challenge rejection by ACME dir.

https://gerrit.wikimedia.org/r/469590

Vgutierrez updated the task description. (Show Details)Oct 25 2018, 10:26 AM
gerritbot added a comment.Oct 25 2018, 2:49 PM

Change 469624 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Avoid fast retry on local errors after cert is issued

https://gerrit.wikimedia.org/r/469624

Vgutierrez mentioned this in rOSCCa37f20e65c2e: certcentral: Avoid fast retry on local errors after cert is issued.Oct 25 2018, 2:51 PM
Vgutierrez mentioned this in rOSCCce7e7c1cc175: certcentral: Avoid fast retry on local errors after cert is issued.Oct 25 2018, 3:08 PM
gerritbot added a comment.Oct 26 2018, 10:49 AM

Change 469624 merged by jenkins-bot:
[operations/software/certcentral@master] certcentral: Avoid fast retry on local errors after cert is issued

https://gerrit.wikimedia.org/r/469624

Vgutierrez updated the task description. (Show Details)Oct 26 2018, 10:54 AM
gerritbot added a comment.Oct 29 2018, 2:49 PM

Change 470407 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] Release 0.4

https://gerrit.wikimedia.org/r/470407

Vgutierrez mentioned this in rOSCC4ef358462d92: Release 0.4.Oct 29 2018, 3:01 PM
gerritbot added a comment.Oct 29 2018, 3:26 PM

Change 470407 merged by Vgutierrez:
[operations/software/certcentral@master] Release 0.4

https://gerrit.wikimedia.org/r/470407

gerritbot added a comment.Oct 29 2018, 3:28 PM

Change 470414 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Implement slow retries on challenge rejection by ACME dir.

https://gerrit.wikimedia.org/r/470414

gerritbot added a comment.Oct 29 2018, 3:28 PM

Change 470415 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Avoid fast retry on local errors after cert is issued

https://gerrit.wikimedia.org/r/470415

gerritbot added a comment.Oct 29 2018, 3:28 PM

Change 470416 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] Release 0.4

https://gerrit.wikimedia.org/r/470416

Vgutierrez mentioned this in rOSCC30aa87eda38d: certcentral: Implement slow retries on challenge rejection by ACME dir..Oct 29 2018, 3:28 PM
Vgutierrez mentioned this in rOSCCc366577b9156: certcentral: Avoid fast retry on local errors after cert is issued.
Vgutierrez mentioned this in rOSCC13379df3ef0f: Release 0.4.
gerritbot added a comment.Oct 29 2018, 3:30 PM

Change 470414 merged by Vgutierrez:
[operations/software/certcentral@debian] certcentral: Implement slow retries on challenge rejection by ACME dir.

https://gerrit.wikimedia.org/r/470414

gerritbot added a comment.Oct 29 2018, 3:30 PM

Change 470415 merged by Vgutierrez:
[operations/software/certcentral@debian] certcentral: Avoid fast retry on local errors after cert is issued

https://gerrit.wikimedia.org/r/470415

gerritbot added a comment.Oct 29 2018, 3:31 PM

Change 470416 merged by Vgutierrez:
[operations/software/certcentral@debian] Release 0.4

https://gerrit.wikimedia.org/r/470416

gerritbot added a comment.Oct 29 2018, 3:34 PM

Change 470418 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] debian: Add release 0.4 to changelog

https://gerrit.wikimedia.org/r/470418

Vgutierrez mentioned this in rOSCC3b3c2a0a39aa: debian: Add release 0.4 to changelog.Oct 29 2018, 3:37 PM
gerritbot added a comment.Oct 29 2018, 3:39 PM

Change 470418 merged by Vgutierrez:
[operations/software/certcentral@debian] debian: Add release 0.4 to changelog

https://gerrit.wikimedia.org/r/470418

Stashbot added a subscriber: Stashbot.Oct 29 2018, 3:44 PM

Mentioned in SAL (#wikimedia-operations) [2018-10-29T15:44:00Z] <vgutierrez> uploaded certcentral 0.4 to apt.wikimedia.org (stretch) - T207927

Vgutierrez closed this task as Resolved.Nov 6 2018, 1:12 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL