Regarding Retrying Challenges


#1

So a user of my client recently raised an issue requesting a way to retry challenge validations before giving up and needing to submit a new order (and thereby get new challenge tokens to publish). My initial recollection of how the ACME protocol works is that once you’ve asked the server to validate a challenge and it fails, it marks the challenge, auths, and order all as invalid. Subsequently, your only option is to start over with a new order. This seems to be backed up by semi-recent community threads and my own testing against the staging server.

However, section 8.2 of the recently finalized spec makes it sound like the ACME server should be allowing some amount of retries on challenges.

Clients can explicitly request a retry by re-sending their response
to a challenge in a new POST request (with a new nonce, etc.). This
allows clients to request a retry when the state has changed (e.g.,
after firewall rules have been updated). Servers SHOULD retry a
request immediately on receiving such a POST request. In order to
avoid denial-of-service attacks via client-initiated retries, servers
SHOULD rate-limit such requests.

Is this a case of the spec changing fairly late in the process and Boulder not having caught up yet? Am I interpreting things incorrectly?


#2

Hi @rmbolger,

Thanks for the question!

Servers SHOULD retry a request

The crux here is that this is a SHOULD in the RFC 2119 sense. Boulder elects not to support retries and the spec allows ACME servers to make this choice.

Note also that Section 7.1.6 outlines that retries are intended to happen when the authorization is status “processing”. Boulder never returns an authorization in that state, we always transition an authorization from “pending” to “valid” or “invalid” (or “expired”).

I can’t remember when the notion of retrying challenges was introduced but it isn’t on our road map to implement.

Hope that helps clarify!
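
The two server behaviours discussed in this thread, modelled side by side as an added example (this is not code from the thread, from Boulder, or from any ACME client). The status names and the "re-POST the challenge response with a fresh nonce" rule come from RFC 8555 sections 7.1.6 and 8.2 as quoted above; the ToyAcmeServer class, the flaky_validator helper, the MAX_RETRIES value of 3 and the "processing" handling are assumptions made for illustration, and the JWS signing and HTTPS transport of a real ACME exchange are left out so the state machine is the only thing on show.

```python
"""Toy model of ACME (RFC 8555) challenge retries.

allow_retries=True  : spec-permissive server (section 8.2) - a failed validation
                      leaves the authorization in "processing" and a re-POST of
                      the challenge response triggers another attempt, rate-limited.
allow_retries=False : what the thread describes for Boulder - the first failure
                      moves the authorization straight to "invalid"; the client's
                      only way forward is a new order.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Status values defined in RFC 8555 section 7.1.6.
PENDING, PROCESSING, VALID, INVALID = "pending", "processing", "valid", "invalid"


@dataclass
class Authorization:
    status: str = PENDING
    attempts: int = 0
    log: List[str] = field(default_factory=list)


class ToyAcmeServer:
    """Minimal stand-in for an ACME server's new-nonce and challenge endpoints (assumed)."""

    MAX_RETRIES = 3  # assumed rate limit; RFC 8555 only says servers SHOULD rate-limit

    def __init__(self, validator: Callable[[], bool], allow_retries: bool):
        self.validator = validator          # stands in for the real HTTP-01/DNS-01 check
        self.allow_retries = allow_retries
        self.authz = Authorization()
        self._nonces: set = set()

    def new_nonce(self) -> str:
        """HEAD /acme/new-nonce: hand out a fresh, single-use nonce (Replay-Nonce)."""
        nonce = secrets.token_urlsafe(16)
        self._nonces.add(nonce)
        return nonce

    def post_challenge(self, nonce: str) -> Tuple[int, Dict]:
        """POST to the challenge URL carrying the client's (empty) response object."""
        # Every POST must carry an unused nonce; reusing one is a replay and is rejected.
        if nonce not in self._nonces:
            return 400, {"type": "urn:ietf:params:acme:error:badNonce"}
        self._nonces.discard(nonce)

        a = self.authz
        if a.status in (VALID, INVALID):
            # Terminal state: nothing to retry, the client needs a new order.
            return 400, {"type": "urn:ietf:params:acme:error:malformed",
                         "detail": f"authorization is {a.status}"}
        if a.attempts >= self.MAX_RETRIES:
            # Section 8.2: rate-limit client-initiated retries to avoid DoS.
            return 429, {"type": "urn:ietf:params:acme:error:rateLimited"}

        a.attempts += 1
        ok = self.validator()
        a.log.append(f"attempt {a.attempts}: {'ok' if ok else 'failed'}")
        if ok:
            a.status = VALID
        elif self.allow_retries:
            a.status = PROCESSING       # spec-style server: retries happen from "processing"
        else:
            a.status = INVALID          # Boulder-style server: pending -> invalid, no retry
        return 200, {"status": a.status, "attempts": a.attempts}


def validate_with_retries(server: ToyAcmeServer, max_client_retries: int) -> Tuple[str, int]:
    """Client side: re-POST the challenge response (fresh nonce each time) until the
    authorization is terminal, the server refuses, or the client gives up.
    Returns (final authorization status, number of POSTs made)."""
    posts = 0
    while True:
        code, body = server.post_challenge(server.new_nonce())
        posts += 1
        if code != 200:
            # 429 rateLimited or 400 terminal/malformed: stop and report what we have.
            return server.authz.status, posts
        if body["status"] in (VALID, INVALID):
            return body["status"], posts
        if posts > max_client_retries:
            return body["status"], posts
        # Still "processing": the client would fix the environment (firewall, DNS) here
        # and then re-POST, which is exactly the retry section 8.2 describes.


def flaky_validator(fail_first: int) -> Callable[[], bool]:
    """Constructed validator: fails `fail_first` times, then succeeds, standing in
    for a challenge check whose environment gets fixed part-way through."""
    calls = {"n": 0}

    def check() -> bool:
        calls["n"] += 1
        return calls["n"] > fail_first

    return check


if __name__ == "__main__":
    spec_style = ToyAcmeServer(flaky_validator(fail_first=2), allow_retries=True)
    print("spec-style server:", validate_with_retries(spec_style, max_client_retries=5))
    boulder_style = ToyAcmeServer(flaky_validator(fail_first=2), allow_retries=False)
    print("Boulder-style server:", validate_with_retries(boulder_style, max_client_retries=5))
```

Running the two scenarios with the same two-failures-then-success validator shows the difference the thread is about: the spec-style server ends "valid" after three POSTs, while the Boulder-style server is "invalid" after the first and any further POST to the challenge URL is refused, so the client has to start a new order. The nonce check is kept in deliberately, since a client that "retries" by replaying the identical signed request would be rejected with badNonce before the server ever looks at the challenge.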


#3

Ah ha. Of course, those pesky SHOULDs are always muddying the spec waters. Makes sense now. Thanks.