DNS Challenge: add validation-delay plugin option

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/PVE/ACME/DNSChallenge.pm b/src/PVE/ACME/DNSChallenge.pm
index b3fc069c4a8219f91a510192a40aa96a9027b637..2b4f051807c5788bd8be518097c22a198e2d89a5 100644 (file)
--- a/src/PVE/ACME/DNSChallenge.pm
+++ b/src/PVE/ACME/DNSChallenge.pm
@@ -134,6 +134,17 @@ sub properties {
            type => 'string',
            description => 'DNS plugin data.',
        },
+       'validation-delay' => {
+           type => 'integer',
+           description => 'Extra delay in seconds to wait before requesting validation.'
+               .' Allows to cope with a long TTL of DNS records.',
+           # low default, but our bet is that the acme-challenge domain isn't
+           # cached at all, so it hopefully shouldn't run into TTL issues
+           default => 30,
+           optional => 1,
+           minimum => 0,
+           maximum => 2 * 24 * 60 * 60,
+       }
     };
 }
 
@@ -143,6 +154,7 @@ sub options {
        data => { optional => 1 },
        nodes => { optional => 1 },
        disable => { optional => 1 },
+       'validation-delay' => { optional => 1 },
     };
 }
 
@@ -188,6 +200,15 @@ sub setup {
 
     my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
     print "Add TXT record: _acme-challenge.$domain\n";
+
+    # FIXME: probe ourself for propagation of TXT record, while not 100%
+    # failsafe it's good enough of a heuristic to do away with fixed sleep
+    # intervalls - original acme.sh employs that heuristic too.
+    my $delay = $data->{'validation-delay'} // 30;
+    if ($delay > 0) {
+       print "Sleeping $delay seconds to wait for TXT record propagation\n";
+       sleep($delay); # don't care for EINTR
+    }
 }
 
 sub teardown {