Previously the dns timeout timer was initialized in ACME_RSLV_WAIT,
before the initial dns-delay expires. This meant the countdown started
before any DNS request was actually sent, so the effective timeout was
shorter than expected by one dns-delay period.
Move the initialization to ACME_RSLV_TRIGGER so the timer starts only
when the first DNS resolution attempt is triggered. Update the
documentation to clarify this behaviour.
is a time expressed in HAProxy time format (e.g. "10m", "600s"). Default is
600 seconds.
- If the next DNS resolution attempt would be triggered after the timeout has
- elapsed (taking into account "dns-delay"), the challenge is aborted with an
- error. This prevents an infinite retry loop when DNS propagation fails.
+ The timer starts from the moment the first DNS resolution attempt is
+ triggered (after the initial "dns-delay"). If the next resolution attempt
+ would be triggered after the timeout has elapsed, the challenge is aborted
+ with an error. This prevents an infinite retry loop when DNS propagation
+ fails.
See also: "dns-delay"
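Review bot: the rewritten paragraph drops the qualifier "(taking into account "dns-delay")" from the abort condition at the same time as it redefines when the timer starts. If the abort check still compares the timeout against the time the next attempt would fire (now plus "dns-delay") rather than against now, keep that qualifier in the new text, e.g. "If the next resolution attempt (current time plus "dns-delay") would be triggered after the timeout has elapsed, the challenge is aborted"; otherwise a reader cannot tell whether a challenge is aborted at the timeout or up to one "dns-delay" before it.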
goto nextreq;
}
- /* set the start time of the DNS checks so we can apply
- * the timeout */
- if (ctx->dnsstarttime == 0)
- ctx->dnsstarttime = ns_to_sec(now_ns);
-
/* Check if the next resolution would be triggered too
* late according to the dns_timeout and abort is
* necessary. */
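Review bot: with the initialization removed from ACME_RSLV_WAIT, the abort check that follows this comment now runs on the first pass through WAIT, before ACME_RSLV_TRIGGER has executed, with ctx->dnsstarttime still 0; unless that check already skips the comparison when dnsstarttime == 0, an elapsed time computed from 0 will look like the timeout expired long ago and the challenge aborts before the first resolution is ever sent. Either guard the check, e.g. `if (ctx->dnsstarttime && ...)`, or include the existing check in the diff so the reviewer can see it is already guarded. Minor: the context comment reads "abort is necessary" where "abort if necessary" is meant.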
case ACME_RSLV_TRIGGER: {
struct acme_auth *auth;
+ /* set the start time of the DNS checks so we can apply
+ * the timeout */
+ if (ctx->dnsstarttime == 0)
+ ctx->dnsstarttime = ns_to_sec(now_ns);
+
/* if it was trigger by the CLI, still wait dns_delay if
* not everything is ready, or skip and to to
* ACME_CHALLENGE */
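Review bot: the added block only sets ctx->dnsstarttime when it is 0, so a later CLI-forced trigger (see the comment immediately below) does not restart the timer. The documentation hunk says the timer starts "from the moment the first DNS resolution attempt is triggered"; state in the added comment whether a CLI trigger counts as that first attempt, e.g. "/* start the dns_timeout countdown on the first trigger only, whether scheduled or forced from the CLI; later triggers do not reset it */", so the code and the manual describe the same behaviour. Minor: the adjacent context comment has "it was trigger by the CLI" and "skip and to to ACME_CHALLENGE"; "it was triggered by the CLI" and "skip and go to ACME_CHALLENGE" are meant.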