[Bug]: ACME does not have a pending request limit

[LeeTeng2001]

Steps to Reproduce

Create a new step ca instance, request lots of cert authorisation for different domain at 1 minute interval. Old pending request will not be terminated, badger db 2 will be filled out and consume a huge portion of memory/disk space. Occationally, the CPU usage will spike too.

Your Environment

• OS - Rocky Linux 8.5 (Green Obsidian)
• step-ca Version - Smallstep CA/0.24.2 (linux/amd64)

Expected Behavior

Have a pending request limit per domain / clear old pending authorisation upon receiving new authorisation request

Actual Behavior

Does none of the expected behaviour

Additional Context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

I can work on this issue if this is marked as a valid bug

[LeeTeng2001]

Relevant issue? #601

[hslatman]

Hi @LeeTeng2001, I'm going to close this issue, because it's a duplicate of #601.

In the short term we advise monitoring your CA logs for abnormal behavior. You could also try using a different database backend, since most reports seem to be about BadgerDB filling up.

We might implement support for responding with a rate limit, but it would still depend on the ACME client to handle that correctly. It'll require more state to be kept, so it's not trivial to implement. Also, clients could still misbehave within the rate limits, so it doesn't entirely solve the problem.