How to do Round Robin on cert_issuer?

job_noam · October 10, 2023, 1:26pm

Hi,

Sometimes, we have many requests for new certificates, and we get the rate limit very fast.
Today we’re working like this:

        cert_issuer acme https://dv.acme-v02.api.pki.goog/directory {
                eab key key
        }
        cert_issuer acme https://acme-v02.api.letsencrypt.org/directory
        cert_issuer acme https://api.buypass.com/acme/directory
        cert_issuer acme https://acme.zerossl.com/v2/DV90 {
                eab key key
        }

Today the ACME is working one by one in the order of the list. I wanted it to work in round robin so it will call to different AMCE every time so it will reduce the chance for block.

Thanks

matt · October 10, 2023, 5:45pm

CertMagic recently added support for “issuer policies” – i.e. the ability to customize how an issuer is chosen; right now there’s “First” and “First Random” – there’s no round robin yet because that requires state and that’s more complicated, and there’s little evidence that it would be objectively more suitable than random in most cases.

I don’t think I’ve exposed these options in Caddy yet. I’m a little busy right now but it’s something that I could prioritize with a sufficient sponsorship.

francislavoie · October 10, 2023, 7:45pm

By “many”, how many are you talking about? Curious to get some rough numbers so we better understand how Caddy is being used.

system · November 9, 2023, 7:45pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.