@@ -308,18 +308,29 @@ async fn ngx_http_acme_update_certificates_for_issuer(
308308
309309 // Acme client wants &str and we already validated that the identifiers are valid UTF-8.
310310 let str_order = order. to_str_order ( & * alloc) ;
311- let res = client. new_certificate ( & str_order) . await ;
312311
313- let cert_next = match res {
312+ let cert_next = match client . new_certificate ( & str_order ) . await {
314313 Ok ( ref val) => {
315314 let pkey = Zeroizing :: new ( val. pkey . private_key_to_pem_pkcs8 ( ) ?) ;
316315 let x509 = X509 :: from_pem ( & val. chain ) ?;
316+ let now = Time :: now ( ) ;
317317
318- let valid =
319- TimeRange :: from_x509 ( & x509) . unwrap_or ( TimeRange :: new ( Time :: now ( ) , Time :: now ( ) ) ) ;
318+ let valid = TimeRange :: from_x509 ( & x509) . unwrap_or ( TimeRange :: new ( now, now) ) ;
320319
321- let next = match cert. write ( ) . set ( & val. chain , & pkey, valid) {
322- Ok ( x) => x,
320+ let res = cert. write ( ) . set ( & val. chain , & pkey, valid) ;
321+
322+ let next = match res {
323+ Ok ( x) => {
324+ ngx_log_error ! (
325+ NGX_LOG_INFO ,
326+ log. as_ptr( ) ,
327+ "acme certificate \" {}/{}\" issued, next renewal in {:?}" ,
328+ issuer. name,
329+ order. cache_key( ) ,
330+ ( x - now)
331+ ) ;
332+ x
333+ }
323334 Err ( err) => {
324335 ngx_log_error ! (
325336 NGX_LOG_WARN ,
@@ -329,10 +340,12 @@ async fn ngx_http_acme_update_certificates_for_issuer(
329340 order. cache_key( ) ,
330341 err
331342 ) ;
332- Time :: now ( ) + ACME_MIN_INTERVAL
343+ now + ACME_MIN_INTERVAL
333344 }
334345 } ;
335346
347+ // Write files even if we failed to update the shared zone.
348+
336349 let _ =
337350 issuer. write_state_file ( std:: format!( "{}.crt" , order. cache_key( ) ) , & val. chain ) ;
338351
@@ -343,36 +356,35 @@ async fn ngx_http_acme_update_certificates_for_issuer(
343356
344357 next
345358 }
346- Err ( ref err) => {
347- if err. is_invalid ( ) {
348- ngx_log_error ! (
349- NGX_LOG_ERR ,
350- log. as_ptr( ) ,
351- "acme certificate \" {}/{}\" request is not valid: {}" ,
352- issuer. name,
353- order. cache_key( ) ,
354- err
355- ) ;
356- cert. write ( ) . set_invalid ( & err) ;
357- continue ;
358- }
359+ Err ( ref err) if err. is_invalid ( ) => {
360+ ngx_log_error ! (
361+ NGX_LOG_ERR ,
362+ log. as_ptr( ) ,
363+ "acme certificate \" {}/{}\" request is not valid: {}" ,
364+ issuer. name,
365+ order. cache_key( ) ,
366+ err
367+ ) ;
368+ cert. write ( ) . set_invalid ( & err) ;
359369
370+ // We marked the order as invalid and will stop attempting to update it until the
371+ // next configuration reload. It should not affect the next update schedule.
372+ continue ;
373+ }
374+ Err ( ref err) => {
375+ ngx_log_error ! (
376+ NGX_LOG_WARN ,
377+ log. as_ptr( ) ,
378+ "acme certificate \" {}/{}\" request failed: {}" ,
379+ issuer. name,
380+ order. cache_key( ) ,
381+ err
382+ ) ;
360383 cert. write ( ) . set_error ( & err)
361384 }
362385 } ;
363386
364387 next = cmp:: min ( cert_next, next) ;
365-
366- if let Err ( e) = res {
367- ngx_log_error ! (
368- NGX_LOG_WARN ,
369- log. as_ptr( ) ,
370- "acme certificate \" {}/{}\" request failed: {}" ,
371- issuer. name,
372- order. cache_key( ) ,
373- e
374- ) ;
375- }
376388 }
377389 Ok ( next)
378390}
0 commit comments