Start renewal job on random timer offset (ACME v2 rate limit)

This is to increase the chances that environments using multiple servers won't have all instances renewing at the same time, which might tie up all orders available to the account, and thus prevent certificates for new domains from being issued.

Author: gohai

lib/resty/auto-ssl/init_worker.lua

@@ -2,6 +2,7 @@ local random_seed = require "resty.auto-ssl.utils.random_seed"
 local renewal_job = require "resty.auto-ssl.jobs.renewal"
 local shell_blocking = require "shell-games"
 local start_sockproc = require "resty.auto-ssl.utils.start_sockproc"
+local timer_rand = math.random()
 
 return function(auto_ssl_instance)
   local base_dir = auto_ssl_instance:get("dir")
@@ -37,5 +38,5 @@ return function(auto_ssl_instance)
     storage_adapter:setup_worker()
   end
 
-  renewal_job.spawn(auto_ssl_instance)
+  renewal_job.spawn(auto_ssl_instance, timer_rand)
 end

lib/resty/auto-ssl/jobs/renewal.lua

@@ -270,8 +270,8 @@ local function renew(premature, auto_ssl_instance)
   end
 end
 
-function _M.spawn(auto_ssl_instance)
-  local ok, err = ngx.timer.at(auto_ssl_instance:get("renew_check_interval"), renew, auto_ssl_instance)
+function _M.spawn(auto_ssl_instance, timer_rand)
+  local ok, err = ngx.timer.at(timer_rand * auto_ssl_instance:get("renew_check_interval"), renew, auto_ssl_instance)
   if not ok then
     ngx.log(ngx.ERR, "auto-ssl: failed to create timer: ", err)
     return