Track Let's Encrypt certificate failures per-domain (ACME v2 rate limit)

This implements the minimal functionality for considering a domain's past certificate failures inside allow_domain. We believe something like this to be necessary to be able to comply to the new ACME v2 limit of 300 new orders/account/3h.

A different approach which might be worth considering is saving the statistical information to (permanent) storage, like we do with certificates. This patch instead only uses a shm-based dictionary, meaning that information might be stale in a multi-server setup. (Dictionary entries are created with an expiration date, and we're running the following patch to look for a certificate in storage before calling allow_domain, meaning that this shouldn't be a problem in practice: Cargo@b1f9715)

Author: gohai

README.md

@@ -161,6 +161,61 @@ auto_ssl:set("allow_domain", function(domain, auto_ssl, ssl_options, renewal)
 end)
 ```
 
+#### `get_failures`
+
+The optional `get_failures` function accepts a domain name argument, and can be used to retrieve statistics about failed certificate requests concerning the domain. The function will return a table with fields `first` (timestamp of first failure encountered), `last` (timestamp of most recent failure encountered), `num` (number of failures). The function will instead return `nil` if no error has been encountered.
+
+Note: the statistics are only kept for as long as the nginx instance is running. There is no sharing across multiple servers (as in a load-balanced environment) implemented.
+
+To make use of the `get_failures` function, add the following to the `http` configuration block:
+
+```nginx
+  lua_shared_dict auto_ssl_failures 1m;
+```
+
+When this shm-based dictionary exists, `lua-resty-auto-ssl` will use it to update a record it keeps for the domain whenever a Let's Encrypt certificate request fails (for both new domains, as well as renewing ones). When a certificate request is successful, `lua-resty-auto-ssl` will delete the record it has for the domain, so that future invocations will return `nil`.
+
+The `get_failures` function can be used inside `allow_domain` to implement per-domain rate-limiting, and similar rule sets.
+
+*Example:*
+
+```lua
+auto_ssl:set("allow_domain", function(domain, auto_ssl, ssl_options, renewal)
+  local failures = auto_ssl:get_failures(domain)
+  -- only attempt one certificate request per hour
+  if not failures or 3600 < ngx.now() - failures["last"] then
+    return true
+  else
+    return false
+  end
+end)
+```
+
+#### `track_failure`
+
+The optional `track_failure` function accepts a domain name argument and records a failure for this domain. This can be used to avoid repeated lookups of a domain in `allow_domain`.
+
+*Example:*
+
+```lua
+auto_ssl:set("allow_domain", function(domain, auto_ssl, ssl_options, renewal)
+  local failures = auto_ssl:get_failures(domain)
+  -- only attempt one lookup or certificate request per hour
+  if failures and ngx.now() - failures["last"] <= 3600 then
+    return false
+  end
+
+  local allow
+  -- (external lookup to check domain, e.g. via http)
+  if not allow then
+    auto_ssl:track_failure(domain)
+    return false
+  else
+    return true
+  end
+end)
+```
+
 ### `dir`
 *Default:* `/etc/resty-auto-ssl`
 

lib/resty/auto-ssl.lua

@@ -99,4 +99,62 @@ function _M.hook_server(self)
   server(self)
 end
 
+function _M.get_failures(self, domain)
+  if not ngx.shared.auto_ssl_failures then
+    ngx.log(ngx.ERR, "auto-ssl: dict auto_ssl_failures could not be found. Please add it to your configuration: `lua_shared_dict auto_ssl_failures 1m;`")
+    return
+  end
+
+  local string = ngx.shared.auto_ssl_failures:get("domain:" .. domain)
+  if string then
+    local failures, json_err = self.storage.json_adapter:decode(string)
+    if json_err then
+      ngx.log(ngx.ERR, json_err, domain)
+    end
+    if failures then
+      local mt = {
+        __concat = function(op1, op2)
+          return tostring(op1) .. tostring(op2)
+        end,
+        __tostring = function(f)
+          return "first: " .. f["first"] .. ", last: " .. f["last"] .. ", num: " .. f["num"]
+        end
+      }
+      setmetatable(failures, mt)
+      return failures
+    end
+  end
+end
+
+function _M.track_failure(self, domain)
+  if not ngx.shared.auto_ssl_failures then
+    return
+  end
+
+  local failures
+  local string = ngx.shared.auto_ssl_failures:get("domain:" .. domain)
+  if string then
+    failures = self.storage.json_adapter:decode(string)
+  end
+  if not failures then
+    failures = {}
+    failures["first"] = ngx.now()
+    failures["last"] = failures["first"]
+    failures["num"] = 1
+  else
+    failures["last"] = ngx.now()
+    failures["num"] = failures["num"] + 1
+  end
+  string = self.storage.json_adapter:encode(failures)
+  ngx.shared.auto_ssl_failures:set("domain:" .. domain, string, 2592000)
+end
+
+function _M.track_success(_, domain)
+  if not ngx.shared.auto_ssl_failures then
+    return
+  end
+
+  ngx.shared.auto_ssl_failures:delete("domain:" .. domain)
+end
+
 return _M

lib/resty/auto-ssl/jobs/renewal.lua

@@ -183,6 +183,10 @@ local function renew_check_cert(auto_ssl_instance, storage, domain)
       ngx.log(ngx.WARN, "auto-ssl: existing certificate is expired, deleting: ", domain)
       storage:delete_cert(domain)
     end
+
+    auto_ssl_instance:track_failure(domain)
+  else
+    auto_ssl_instance:track_success(domain)
   end
 
   renew_check_cert_unlock(domain, storage, local_lock, distributed_lock_value)

lib/resty/auto-ssl/ssl_certificate.lua

@@ -95,6 +95,9 @@ local function issue_cert(auto_ssl_instance, storage, domain)
   cert, err = ssl_provider.issue_cert(auto_ssl_instance, domain)
   if err then
     ngx.log(ngx.ERR, "auto-ssl: issuing new certificate failed: ", err)
+    auto_ssl_instance:track_failure(domain)
+  else
+    auto_ssl_instance:track_success(domain)
   end
 
   issue_cert_unlock(domain, storage, local_lock, distributed_lock_value)