renewal_info() yields retry-after header

christianhoelzl · christianhoelzl · commit 8e2fcd745150 · 2025-07-03T18:11:49.000+02:00
diff --git a/src/account.rs b/src/account.rs
@@ -1,4 +1,6 @@
 use std::sync::Arc;
+#[cfg(feature = "time")]
+use std::time::SystemTime;
 
 use base64::prelude::{BASE64_URL_SAFE_NO_PAD, Engine};
 use http::header::LOCATION;
@@ -143,16 +145,18 @@ impl Account {
     /// uniformly random point between the window start/end should be selected and used to
     /// schedule a renewal in the future.
     ///
+    /// The `SystemTime` is a hint from the ACME server when to again fetch the renewal window.
+    /// See <https://www.rfc-editor.org/rfc/rfc9773.html#section-4.3.2> for details.
+    ///
     /// This is only supported by some ACME servers. If the server does not support this feature,
     /// this method will return `Error::Unsupported`.
     ///
-    /// See <https://www.rfc-editor.org/rfc/rfc9773.html#section-4.2-4> for more
-    /// information.
+    /// See <https://www.rfc-editor.org/rfc/rfc9773.html#section-4.2-4> for more information.
     #[cfg(feature = "time")]
     pub async fn renewal_info(
         &self,
         certificate_id: &CertificateIdentifier<'_>,
-    ) -> Result<RenewalInfo, Error> {
+    ) -> Result<(RenewalInfo, SystemTime), Error> {
         let renewal_info_url = match self.inner.client.directory.renewal_info.as_deref() {
             Some(url) => url,
             None => return Err(Error::Unsupported("ACME renewal information (ARI)")),
@@ -166,7 +170,10 @@ impl Account {
             .body(Full::default())?;
 
         let rsp = self.inner.client.http.request(request).await?;
-        Problem::check::<RenewalInfo>(rsp).await
+        let retry_after =
+            crate::order::retry_after(&rsp).ok_or(Error::Str("Missing Retry-After header"))?;
+
+        Ok((Problem::check::<RenewalInfo>(rsp).await?, retry_after))
     }
 
     /// Update the account's authentication key
diff --git a/src/order.rs b/src/order.rs
@@ -622,7 +622,7 @@ impl RetryState {
 ///
 /// Retry-After = HTTP-date / delay-seconds
 /// delay-seconds  = 1*DIGIT
-fn retry_after(rsp: &BytesResponse) -> Option<SystemTime> {
+pub(crate) fn retry_after(rsp: &BytesResponse) -> Option<SystemTime> {
     let value = rsp.parts.headers.get(RETRY_AFTER)?.to_str().ok()?.trim();
     if value.is_empty() {
         return None;
diff --git a/tests/pebble.rs b/tests/pebble.rs
@@ -229,7 +229,7 @@ async fn replacement_order() -> Result<(), Box<dyn StdError>> {
         .expect("failed to fetch renewal window");
 
     // Since we revoked the initial certificate, the window start should be in the past.
-    assert!(renewal_info.suggested_window.start < OffsetDateTime::now_utc());
+    assert!(renewal_info.0.suggested_window.start < OffsetDateTime::now_utc());
 
     // So, let's go ahead and issue a replacement certificate.
     env.test::<Http01>(&NewOrder::new(&dns_identifiers(names)).replaces(initial_cert_id))
