Parallel instances of ACME client

Hi, we are about to develop our own ACME client for a bigger organization with many web servers and domains. Are there any hints/experiences to share if we want to run the client in more parallel instances? For example:

  • Is it better for each instance to have its own account at Let's Encrypt? Otherwise I guess there could be a problem with nonces if they were related to an account - is it so? Or are they related to something like IP address of the client?
  • Could there be some trouble if the instances share the same authorization keys?
  • Anything else?

Thanks, Petr

Nonces aren't ordered or tied to an ACME account (guaranteed by the spec, I think), but they tend to be tied to the IP address of the requester (in practice). They can go bad at any time (e.g. if a Boulder instance is taken down and your request goes to a different one), so you should be prepared to retry with a new nonce if you encounter a bad nonce error, as the spec instructs you to do:

When a server rejects a request because its nonce value was
unacceptable (or not present), it MUST provide HTTP status code 400
(Bad Request), and indicate the ACME error type
"urn:ietf:params:acme:error:badNonce". An error response with the
"badNonce" error type MUST include a Replay-Nonce header with a fresh
nonce. On receiving such a response, a client SHOULD retry the
request using the new nonce.

Beware of rate limits that apply on a per-account basis as well as per-IP address basis.

Integration Guide - Let's Encrypt - either choice is valid. E.g. if the end-user has access to the account key, then certainly you want to use separate accounts.
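The badNonce retry described in the reply, as an added example that is not from this thread or from any real ACME client: a shared nonce store plus a POST wrapper that retries once with the Replay-Nonce carried by the 400 response. The `FakeAcmeServer` is a constructed stand-in for the CA (its `forget_all()` imitates a request landing on a backend that does not know the nonce); `build_jws` is a hypothetical callback that signs the request with a given nonce.

```python
import threading

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"

class NoncePool:
    """Thread-safe nonce store; nonces are not account-bound, so workers may share it."""
    def __init__(self):
        self._nonces, self._lock = [], threading.Lock()
    def put(self, nonce):
        with self._lock:
            if nonce:
                self._nonces.append(nonce)
    def take(self, fetch_new):
        with self._lock:
            if self._nonces:
                return self._nonces.pop()  # each nonce is single-use
        return fetch_new()  # pool empty: ask the CA (HEAD newNonce)

def post_signed(server, pool, url, build_jws, max_retries=3):
    """POST build_jws(nonce); on badNonce retry with the Replay-Nonce of the 400."""
    nonce = pool.take(server.new_nonce)
    for attempt in range(max_retries + 1):
        status, headers, body = server.post(url, build_jws(nonce))
        fresh = headers.get("Replay-Nonce")  # present on every ACME response
        if status == 400 and body.get("type") == BAD_NONCE:
            if fresh is None or attempt == max_retries:
                raise RuntimeError("badNonce retries exhausted")
            nonce = fresh  # spend the fresh nonce on the retry
            continue
        pool.put(fresh)  # bank it for the next request
        return status, body

class FakeAcmeServer:
    """Constructed stand-in for the CA: each issued nonce is valid once; forget_all() mimics a backend change."""
    def __init__(self):
        self._valid, self._n, self.calls = set(), 0, 0
    def new_nonce(self):
        self._n += 1
        self._valid.add(f"nonce-{self._n}")
        return f"nonce-{self._n}"
    def forget_all(self):
        self._valid.clear()
    def post(self, url, jws):
        self.calls += 1
        fresh, used = self.new_nonce(), jws["protected"]["nonce"]
        if used not in self._valid:
            return 400, {"Replay-Nonce": fresh}, {"type": BAD_NONCE}
        self._valid.discard(used)
        return 200, {"Replay-Nonce": fresh}, {"status": "ok"}
```

Nonces banked from successful responses let several workers avoid a newNonce round trip each, but since any of them can go stale, the retry path is what keeps parallel instances robust.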
