-
Notifications
You must be signed in to change notification settings - Fork 454
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please add support for asynchronous order finalisation #2056
Comments
@dharasis1993 could you elaborate on what exactly should be changed? It's not entirely clear whereto your link points, nor is it clear what's missing in our implementation. |
I wanted to know whether Small Step supports Async order finalisation or not. As per the code - Lines 310 to 321 in df13aae
Here the cert is created instantly in /finalize api and status of order is changed to valid. What if a client time-out during this phase? Is there any way that the client can poll the order? |
@dharasis1993 you're right that the certificate is signed "synchronously" there as soon as the client requests the |
What if the db.CreateCertificate takes time to return? In that case the client may be timed-out. I have seen these in case of Apple acme client. |
Gotcha, so you're looking for support of this part of the RFC:
If issuance is indeed really slow, I would try to look into finding the root cause of slowness and see if that can be improved. Also I would be curious if the Apple ACME client does support the |
As of now Apple client don't support processing state. Though i am searching a formal documentation from Apple on this regards. But definitely it can be enhanced by Apple. The hacking seems little difficult as far as nonce and signature verification are in place. Finalising order async'ly may enhance the overall certificate issuance success rate. |
In our use-case, we noticed cert-manager has a hard time-out on the /finalize request after ~1 minute waiting, but if you return the order as Processing it will respect the "Retry-After" header and poll for the Valid order. |
Agree. It is a valid use-case. |
This asynchronous flow has always been specified in RFC8555
https://datatracker.ietf.org/doc/html/rfc8555#:~:text=A%20request%20to%20finalize%20an%20order%20will%20result%20in%20error,to%20the%20%22certificate%22%20field%20of%20the%20order.%20%20Download%20the%0A%20%20%20%20%20%20certificate.
The text was updated successfully, but these errors were encountered: