ACME account login refactoring:

* Implement backoff for login errors
* Log new account URL at INFO
* Write account URL to state directory

Author: bavshin-f5

src/acme.rs

@@ -37,6 +37,11 @@ const DEFAULT_RETRY_INTERVAL: Duration = Duration::from_secs(1);
 const MAX_RETRY_INTERVAL: Duration = Duration::from_secs(8);
 static REPLAY_NONCE: http::HeaderName = http::HeaderName::from_static("replay-nonce");
 
+pub enum NewAccountOutput<'a> {
+    Created(&'a str),
+    Found(&'a str),
+}
+
 pub struct NewCertificateOutput {
     pub chain: Bytes,
     pub pkey: PKey<Private>,
@@ -246,7 +251,7 @@ where
         Ok(res)
     }
 
-    pub async fn new_account(&mut self) -> Result<(), NewAccountError> {
+    pub async fn new_account(&mut self) -> Result<NewAccountOutput<'_>, NewAccountError> {
         self.directory = self
             .get_directory()
             .await
@@ -297,7 +302,11 @@ where
 
         self.account = Some(key_id.to_string());
 
-        Ok(())
+        let key_id = self.account.as_ref().unwrap();
+        match res.status() {
+            http::StatusCode::CREATED => Ok(NewAccountOutput::Created(key_id)),
+            _ => Ok(NewAccountOutput::Found(key_id)),
+        }
     }
 
     pub fn is_ready(&self) -> bool {

src/conf/issuer.rs

@@ -118,6 +118,15 @@ impl Issuer {
             .is_some_and(|x| x.read().state != IssuerState::Invalid)
     }
 
+    /// Marks the last issuer login attempt as failed.
+    pub fn set_error(&self, err: &dyn StdError) -> Time {
+        if let Some(data) = self.data.as_ref() {
+            data.write().set_error(err)
+        } else {
+            Time::MAX
+        }
+    }
+
     /// Marks the issuer as misconfigured or otherwise unusable.
     pub fn set_invalid(&self, err: &dyn StdError) {
         if let Some(data) = self.data.as_ref() {

src/lib.rs

@@ -212,23 +212,6 @@ async fn ngx_http_acme_update_certificates(amcf: &AcmeMainConfig) -> Time {
         let issuer_next = match ngx_http_acme_update_certificates_for_issuer(amcf, issuer).await {
             Ok(x) => x,
             Err(err) => {
-                // Check if the server rejected this ACME account configuration.
-                if err
-                    .downcast_ref::<acme::error::NewAccountError>()
-                    .is_some_and(|err| err.is_invalid())
-                {
-                    ngx_log_error!(
-                        NGX_LOG_ERR,
-                        log.as_ptr(),
-                        "acme issuer \"{}\" is not valid: {}",
-                        issuer.name,
-                        err
-                    );
-
-                    issuer.set_invalid(err.as_ref());
-                    continue;
-                }
-
                 ngx_log_error!(
                     NGX_LOG_INFO,
                     log.as_ptr(),
@@ -301,7 +284,47 @@ async fn ngx_http_acme_update_certificates_for_issuer(
         }
 
         if !client.is_ready() {
-            client.new_account().await?;
+            match client.new_account().await {
+                Ok(acme::NewAccountOutput::Created(x)) => {
+                    ngx_log_error!(
+                        NGX_LOG_INFO,
+                        log.as_ptr(),
+                        "acme account \"{}\" created for issuer \"{}\"",
+                        x,
+                        issuer.name
+                    );
+                    let _ = issuer.write_state_file("account.url", x.as_bytes());
+                }
+                Ok(acme::NewAccountOutput::Found(x)) => {
+                    ngx_log_debug!(
+                        log.as_ptr(),
+                        "acme account \"{}\" found for issuer \"{}\"",
+                        x,
+                        issuer.name
+                    );
+                }
+                Err(err) if err.is_invalid() => {
+                    ngx_log_error!(
+                        NGX_LOG_ERR,
+                        log.as_ptr(),
+                        "acme account validation failed for issuer \"{}\": {}",
+                        issuer.name,
+                        err
+                    );
+                    issuer.set_invalid(&err);
+                    return Ok(Time::MAX);
+                }
+                Err(err) => {
+                    ngx_log_error!(
+                        NGX_LOG_WARN,
+                        log.as_ptr(),
+                        "acme account retrieval failed for issuer \"{}\": {}",
+                        issuer.name,
+                        err
+                    );
+                    return Ok(issuer.set_error(&err));
+                }
+            }
         }
 
         let alloc = crate::util::OwnedPool::new(nginx_sys::NGX_DEFAULT_POOL_SIZE as _, log)

src/state/issuer.rs

@@ -5,6 +5,7 @@
 
 use core::error::Error as StdError;
 use core::ptr;
+use core::time::Duration;
 
 use ngx::allocator::{AllocError, TryCloneIn};
 use ngx::collections::Queue;
@@ -13,10 +14,12 @@ use ngx::sync::RwLock;
 
 use super::certificate::{CertificateContext, CertificateContextInner, SharedCertificateContext};
 use crate::conf::issuer::Issuer;
+use crate::time::{jitter, Time};
 
 #[derive(Debug, Eq, PartialEq)]
 pub enum IssuerState {
     Idle,
+    Error { fails: usize },
     Invalid,
 }
 
@@ -49,6 +52,25 @@ impl IssuerContext {
         })
     }
 
+    pub fn set_error(&mut self, _err: &dyn StdError) -> Time {
+        let fails = match self.state {
+            IssuerState::Error { fails } => fails + 1,
+            IssuerState::Invalid => return Time::MAX,
+            _ => 1,
+        };
+
+        self.state = IssuerState::Error { fails };
+
+        let interval = Duration::from_secs(match fails {
+            1 => 60,
+            2 => 600,
+            3 => 6000,
+            _ => 24 * 60 * 60,
+        });
+
+        Time::now() + jitter(interval, 2)
+    }
+
     pub fn set_invalid(&mut self, _err: &dyn StdError) {
         self.state = IssuerState::Invalid;
     }