Page MenuHomePhabricator

Take into account LE rate limits on sensitive operations
Closed, ResolvedPublic

Description

As discussed yesterday in -traffic, we must take into account certain rate limits imposed by LE to avoid reaching them ourselves and kind of DoS-ing the certcentral service.

  • 5 failed validations per account, per hostname, per hour --> certcentral should be able to delay the retries issuing a certificate which validations are failing systematically
  • 5 duplicates per week (exact same CN/SAN list, account/crypto doesn't matter). --> certcentral should be able to delay the retries iff the certificate has been issued by LE but for some reason certcentral fails to persist on disk (host runs out of disk, issues on certificate serialization...)

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 25 2018, 7:50 AM
Vgutierrez triaged this task as High priority.

Change 469590 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Implement slow retries on challenge rejection by ACME dir.

https://gerrit.wikimedia.org/r/469590

Change 469590 merged by jenkins-bot:
[operations/software/certcentral@master] certcentral: Implement slow retries on challenge rejection by ACME dir.

https://gerrit.wikimedia.org/r/469590

Vgutierrez updated the task description. (Show Details)Oct 25 2018, 10:26 AM

Change 469624 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Avoid fast retry on local errors after cert is issued

https://gerrit.wikimedia.org/r/469624

Change 469624 merged by jenkins-bot:
[operations/software/certcentral@master] certcentral: Avoid fast retry on local errors after cert is issued

https://gerrit.wikimedia.org/r/469624

Vgutierrez updated the task description. (Show Details)Oct 26 2018, 10:54 AM

Change 470407 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] Release 0.4

https://gerrit.wikimedia.org/r/470407

Change 470407 merged by Vgutierrez:
[operations/software/certcentral@master] Release 0.4

https://gerrit.wikimedia.org/r/470407

Change 470414 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Implement slow retries on challenge rejection by ACME dir.

https://gerrit.wikimedia.org/r/470414

Change 470415 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Avoid fast retry on local errors after cert is issued

https://gerrit.wikimedia.org/r/470415

Change 470416 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] Release 0.4

https://gerrit.wikimedia.org/r/470416

Change 470414 merged by Vgutierrez:
[operations/software/certcentral@debian] certcentral: Implement slow retries on challenge rejection by ACME dir.

https://gerrit.wikimedia.org/r/470414

Change 470415 merged by Vgutierrez:
[operations/software/certcentral@debian] certcentral: Avoid fast retry on local errors after cert is issued

https://gerrit.wikimedia.org/r/470415

Change 470416 merged by Vgutierrez:
[operations/software/certcentral@debian] Release 0.4

https://gerrit.wikimedia.org/r/470416

Change 470418 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] debian: Add release 0.4 to changelog

https://gerrit.wikimedia.org/r/470418

Change 470418 merged by Vgutierrez:
[operations/software/certcentral@debian] debian: Add release 0.4 to changelog

https://gerrit.wikimedia.org/r/470418

Mentioned in SAL (#wikimedia-operations) [2018-10-29T15:44:00Z] <vgutierrez> uploaded certcentral 0.4 to apt.wikimedia.org (stretch) - T207927

Vgutierrez closed this task as Resolved.Nov 6 2018, 1:12 PM