Comments (3)
I have no problem with a real-time generation in response to the request. That keeps the generation load low when there are no incoming requests. Using the request to trigger generation is perfectly reasonable. If the server is stressed, and it doesn't have a pre-made cert ready, it can always respond with a 503 and a Retry-After.
As for unauthenticated requests generating load, it's easy to check how old the current cert is before starting the new one. I have no concerns here regarding strange corner cases.
Leave this to the discretion of implementers. Obviously, pre-generation is going to give you the most predictable load profile, but don't force it on everyone.
from acme-spec.
+1 to what Martin said. This is not a protocol issue, it's up to
implementors.
On Mon, Jan 26, 2015 at 11:20 PM, Martin Thomson wrote:
> I have no problem with a real-time generation in response to the request. That keeps the generation load low when there are no incoming requests. Using the request to trigger generation is perfectly reasonable. If the server is stressed, and it doesn't have a pre-made cert ready, it can always respond with a 503 and a Retry-After.
> As for unauthenticated requests generating load, it's easy to check how old the current cert is before starting the new one. I have no concerns here regarding strange corner cases.
> Leave this to the discretion of implementers. Obviously, pre-generation is going to give you the most predictable load profile, but don't force it on everyone.
from acme-spec.
Thinking on this further, I've had some evolution in thinking. I think it's pretty critical that refresh be client-initiated, probably using something like a new-cert transaction but specifying the base certificate and the new validity interval.
from acme-spec.
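The policy from the first comment (check the current cert's age before generating, and answer 503 with Retry-After when stressed), sketched as an added example that is not code from the thread or from the ACME spec. `RefreshServer`, `MIN_CERT_AGE`, the signing-slot model and the request times are hypothetical, constructed for illustration.

```python
import math
from dataclasses import dataclass

MIN_CERT_AGE = 6 * 3600  # assumed: never regenerate a cert younger than this (seconds)


@dataclass
class RefreshServer:
    """Hypothetical request-triggered certificate refresh endpoint."""
    issued_at: float             # when the current cert was generated
    free_slots: int              # signing capacity available right now
    slot_recovery: float = 30.0  # assumed seconds until capacity frees up

    def handle(self, now):
        """Return (status, headers, action) for one unauthenticated request."""
        if now - self.issued_at < MIN_CERT_AGE:
            # Current cert is still fresh: serve it, no signing work is done,
            # so a flood of requests cannot force repeated generation.
            return 200, {}, "serve-current"
        if self.free_slots < 1:
            # Stressed and nothing pre-made: shed load instead of queueing.
            retry = str(math.ceil(self.slot_recovery))
            return 503, {"Retry-After": retry}, "rejected"
        # Old cert and spare capacity: generate once and reset the age clock.
        self.free_slots -= 1
        self.issued_at = now
        return 200, {}, "generated"


def replay(server, times):
    """Replay constructed request times and count each action taken."""
    counts = {"serve-current": 0, "generated": 0, "rejected": 0}
    for t in times:
        counts[server.handle(t)[2]] += 1
    return counts


if __name__ == "__main__":
    # Constructed burst: 1000 requests in 10 s, starting when the cert turns stale.
    burst = [MIN_CERT_AGE + i * 0.01 for i in range(1000)]
    print(replay(RefreshServer(issued_at=0.0, free_slots=1), burst))
    # Constructed stressed case: stale cert, no signing capacity left.
    print(RefreshServer(issued_at=0.0, free_slots=0).handle(MIN_CERT_AGE + 1))
```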