Re-read agent.toml on ACME retry in bootroot-agent

After secrets are rotated and OpenBao Agent renders new values to
agent.toml, the ACME retry loop previously reused stale in-memory
config. Each retry attempt now re-reads config from disk so that
freshly rendered credentials (EAB, HMAC) are picked up without
restarting the daemon.

The default retry backoff window is also extended from [5, 10, 30] s
(45 s total) to [5, 10, 30, 60] s (105 s total), giving at least one
full static_secret_render_interval cycle (30 s) of headroom before
retries are exhausted.

Closes #303

Author: sehkone

src/config.rs

@@ -292,7 +292,7 @@ mod tests {
         assert_eq!(settings.acme.directory_fetch_max_delay_secs, 10);
         assert_eq!(settings.acme.poll_attempts, 15);
         assert_eq!(settings.acme.poll_interval_secs, 2);
-        assert_eq!(settings.retry.backoff_secs, vec![5, 10, 30]);
+        assert_eq!(settings.retry.backoff_secs, vec![5, 10, 30, 60]);
         assert_eq!(settings.scheduler.max_concurrent_issuances, 3);
         assert!(!settings.trust.verify_certificates);
 

src/config/defaults.rs

@@ -17,7 +17,7 @@ const DEFAULT_DIRECTORY_FETCH_BASE_DELAY_SECS: u64 = 1;
 const DEFAULT_DIRECTORY_FETCH_MAX_DELAY_SECS: u64 = 10;
 const DEFAULT_POLL_ATTEMPTS: u64 = 15;
 const DEFAULT_POLL_INTERVAL_SECS: u64 = 2;
-const DEFAULT_RETRY_BACKOFF_SECS: [u64; 3] = [5, 10, 30];
+const DEFAULT_RETRY_BACKOFF_SECS: [u64; 4] = [5, 10, 30, 60];
 const DEFAULT_HOOK_TIMEOUT_SECS: u64 = 30;
 const DEFAULT_MAX_CONCURRENT_ISSUANCES: u64 = 3;
 const DEFAULT_VERIFY_CERTIFICATES: bool = false;

src/daemon.rs

@@ -257,10 +257,30 @@ async fn issue_with_retry(
     settings: &config::Settings,
     profile: &config::DaemonProfileSettings,
     eab: Option<eab::EabCredentials>,
+    config_path: &Path,
 ) -> anyhow::Result<()> {
     let backoff = select_retry_backoff(settings, profile);
+    let profile_domain = config::profile_domain(settings, profile);
+    let config_path_owned = config_path.to_path_buf();
     issue_with_retry_inner(
-        || acme::issue_certificate(settings, profile, eab.clone()),
+        || {
+            let path = config_path_owned.clone();
+            let domain = profile_domain.clone();
+            let eab = eab.clone();
+            async move {
+                let fresh = config::Settings::new(Some(path))?;
+                let fresh_profile = fresh
+                    .profiles
+                    .iter()
+                    .find(|p| config::profile_domain(&fresh, p) == domain)
+                    .ok_or_else(|| {
+                        anyhow::anyhow!("Profile '{domain}' not found in reloaded config")
+                    })?
+                    .clone();
+                let fresh_eab = profile::resolve_profile_eab(&fresh_profile, eab);
+                acme::issue_certificate(&fresh, &fresh_profile, fresh_eab).await
+            }
+        },
         |duration| tokio::time::sleep(duration),
         backoff,
     )
@@ -377,7 +397,7 @@ async fn check_and_renew_profile(
             );
             let _permit = semaphore.acquire().await?;
             let profile_eab = profile::resolve_profile_eab(profile, default_eab);
-            match issue_with_retry(settings, profile, profile_eab).await {
+            match issue_with_retry(settings, profile, profile_eab, &hardening.config_path).await {
                 Ok(()) => {
                     maybe_harden_tls_verify(
                         settings,