tls: Make the on-demand rate limiter actually work

This required a custom rate limiter implementation in CertMagic

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/klauspost/compress v1.8.6
 	github.com/klauspost/cpuid v1.2.1
 	github.com/lucas-clemente/quic-go v0.12.1
-	github.com/mholt/certmagic v0.8.0
+	github.com/mholt/certmagic v0.8.3
 	github.com/muhammadmuzzammil1998/jsonc v0.0.0-20190906142622-1265e9b150c6
 	github.com/rs/cors v1.7.0
 	github.com/russross/blackfriday/v2 v2.0.1

go.sum

@@ -172,8 +172,8 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mholt/certmagic v0.8.0 h1:WEQhZ4+ySd2cQz0Gf1iEk6xsUaEmmHe10SZiiKd7BdY=
+github.com/mholt/certmagic v0.8.3 h1:JOUiX9IAZbbgyjNP2GY6v/6lorH+9GkZsc7ktMpGCSo=
-github.com/mholt/certmagic v0.8.0/go.mod h1:91uJzK5K8IWtYQqTi5R2tsxV1pCde+wdGfaRaOZi6aQ=
+github.com/mholt/certmagic v0.8.3/go.mod h1:91uJzK5K8IWtYQqTi5R2tsxV1pCde+wdGfaRaOZi6aQ=
 github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI=
 github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=

modules/caddytls/acmemanager.go

@@ -138,14 +138,10 @@ func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Conf
 							return err
 						}
 					}
-					// check the rate limiter last, since
+					// check the rate limiter last because
-					// even checking consumes a token; so
+					// doing so makes a reservation
-					// don't even bother checking if the
+					if !onDemandRateLimiter.Allow() {
-					// other regulations fail anyway
+						return fmt.Errorf("on-demand rate limit exceeded")
-					if onDemand.RateLimit != nil {
-						if !onDemandRateLimiter.Allow() {
-							return fmt.Errorf("on-demand rate limit exceeded")
-						}
 					}
 				}
 				return nil

modules/caddytls/tls.go

@@ -26,7 +26,6 @@ import (
 	"github.com/caddyserver/caddy/v2"
 	"github.com/go-acme/lego/v3/challenge"
 	"github.com/mholt/certmagic"
-	"golang.org/x/time/rate"
 )
 
 func init() {
@@ -104,13 +103,12 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 
 	// on-demand rate limiting
 	if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
-		limit := rate.Every(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
+		onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
-		onDemandRateLimiter.SetLimit(limit)
+		onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
-		onDemandRateLimiter.SetBurst(t.Automation.OnDemand.RateLimit.Burst)
 	} else {
-		// if no rate limit is specified, be sure to remove any existing limit
+		// remove any existing rate limiter
-		onDemandRateLimiter.SetLimit(0)
+		onDemandRateLimiter.SetMaxEvents(0)
-		onDemandRateLimiter.SetBurst(0)
+		onDemandRateLimiter.SetWindow(0)
 	}
 
 	// load manual/static (unmanaged) certificates - we do this in
@@ -384,7 +382,7 @@ type ManagerMaker interface {
 
 // These perpetual values are used for on-demand TLS.
 var (
-	onDemandRateLimiter = rate.NewLimiter(0, 1)
+	onDemandRateLimiter = certmagic.NewRateLimiter(0, 0)
 	onDemandAskClient   = &http.Client{
 		Timeout: 10 * time.Second,
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {