8x48/acme.sh
1
0
Fork 0
mirror of https://github.com/acmesh-official/acme.sh.git synced 2026-05-18 11:53:56 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

support NO_ARI=1

Browse Source 
https://github.com/acmesh-official/acme.sh/discussions/6938
This commit is contained in:
neil
2026-05-06 20:21:21 +02:00
committed by neil
parent 36667ab656
commit ac75c54ade
1 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
acme.sh
View File

@@ -4870,8 +4870,12 @@ issue() {
# renewal (--renew path), the CA advertises renewalInfo, and a prior # renewal (--renew path), the CA advertises renewalInfo, and a prior
# cert exists. --issue (even with --force) is not a renewal per RFC 9773 # cert exists. --issue (even with --force) is not a renewal per RFC 9773
# which speaks of "a clear predecessor certificate" issued by this CA. # which speaks of "a clear predecessor certificate" issued by this CA.
# NO_ARI=1 (env, account.conf, or ca.conf) disables ARI entirely, so the
# "replaces" field is also omitted.
_replaces_certID="" _replaces_certID=""
if [ "$_ACME_IS_RENEW" = "1" ] && [ "$ACME_RENEWAL_INFO" ] && [ -f "$CERT_PATH" ]; then if [ "$NO_ARI" = "1" ]; then
_debug "NO_ARI=1, omitting ARI 'replaces' field from newOrder"
elif [ "$_ACME_IS_RENEW" = "1" ] && [ "$ACME_RENEWAL_INFO" ] && [ -f "$CERT_PATH" ]; then
_replaces_certID="$(_getARICertID "$CERT_PATH")" _replaces_certID="$(_getARICertID "$CERT_PATH")"
_debug "Adding ARI replaces" "$_replaces_certID" _debug "Adding ARI replaces" "$_replaces_certID"
fi fi
@@ -5703,7 +5707,11 @@ $_authorizations_map"
# with a time picked at random within the suggestedWindow. This both gives # with a time picked at random within the suggestedWindow. This both gives
# the CA full control over renewal scheduling and disperses renewals across # the CA full control over renewal scheduling and disperses renewals across
# the network so all clients don't hit the CA at the same instant. # the network so all clients don't hit the CA at the same instant.
if [ "$ACME_RENEWAL_INFO" ] && [ -f "$CERT_PATH" ] && [ -z "$_notAfter" ]; then # Set NO_ARI=1 (env, account.conf, or ca.conf) to opt out and fall back to
# the legacy time-based renewal calculation.
if [ "$NO_ARI" = "1" ]; then
_debug "NO_ARI=1, skipping ARI suggestedWindow override"
elif [ "$ACME_RENEWAL_INFO" ] && [ -f "$CERT_PATH" ] && [ -z "$_notAfter" ]; then
_ari_resp_new="$(_get_ARI "$CERT_PATH")" _ari_resp_new="$(_get_ARI "$CERT_PATH")"
_debug2 "_ari_resp_new" "$_ari_resp_new" _debug2 "_ari_resp_new" "$_ari_resp_new"
_ari_start_new="$(echo "$_ari_resp_new" | _egrep_o '"start" *: *"[^"]*' | sed 's/.*"//')" _ari_start_new="$(echo "$_ari_resp_new" | _egrep_o '"start" *: *"[^"]*' | sed 's/.*"//')"
@@ -5819,8 +5827,12 @@ renew() {
# ARI (RFC 9773): fetch the CA's suggestedWindow on every renewal check. # ARI (RFC 9773): fetch the CA's suggestedWindow on every renewal check.
# If the window has started, renew now even if Le_NextRenewTime is in the future. # If the window has started, renew now even if Le_NextRenewTime is in the future.
# Set NO_ARI=1 (env, account.conf, or ca.conf) to opt out and use only
# Le_NextRenewTime for the renewal decision.
_ari_should_renew="" _ari_should_renew=""
if [ -z "$FORCE" ] && [ -f "$CERT_PATH" ]; then if [ "$NO_ARI" = "1" ]; then
_debug "NO_ARI=1, skipping ARI suggestedWindow check"
elif [ -z "$FORCE" ] && [ -f "$CERT_PATH" ]; then
if _initAPI && [ "$ACME_RENEWAL_INFO" ]; then if _initAPI && [ "$ACME_RENEWAL_INFO" ]; then
_ari_resp="$(_get_ARI "$CERT_PATH")" _ari_resp="$(_get_ARI "$CERT_PATH")"
_debug2 "_ari_resp" "$_ari_resp" _debug2 "_ari_resp" "$_ari_resp"