MEDIUM: acme: initialize the dns timer starting from the first DNS request

Previously the dns timeout timer was initialized in ACME_RSLV_WAIT,
before the initial dns-delay expires. This meant the countdown started
before any DNS request was actually sent, so the effective timeout was
shorter than expected by one dns-delay period.

Move the initialization to ACME_RSLV_TRIGGER so the timer starts only
when the first DNS resolution attempt is triggered. Update the
documentation to clarify this behaviour.
William Lallemand 2026-04-02 15:45:47 +02:00
parent 6228ec6a81
commit 253bf8cbae
2 changed files with 10 additions and 8 deletions


@ -32336,9 +32336,11 @@ dns-timeout <time>
is a time expressed in HAProxy time format (e.g. "10m", "600s"). Default is
600 seconds.
If the next DNS resolution attempt would be triggered after the timeout has
elapsed (taking into account "dns-delay"), the challenge is aborted with an
error. This prevents an infinite retry loop when DNS propagation fails.
The timer starts from the moment the first DNS resolution attempt is
triggered (after the initial "dns-delay"). If the next resolution attempt
would be triggered after the timeout has elapsed, the challenge is aborted
with an error. This prevents an infinite retry loop when DNS propagation
fails.
See also: "dns-delay"
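Review bot: the reworded second sentence drops the parenthetical "(taking into account "dns-delay")" that the previous text carried, so it is no longer explicit that the comparison is made against the time of the *next* attempt (now plus "dns-delay") rather than the current time; suggest keeping it, e.g. "If the next resolution attempt would be triggered after the timeout has elapsed (taking into account "dns-delay"), the challenge is aborted". It would also help operators to state the consequence spelled out in the commit message in one line: the total wall-clock budget for a challenge is the initial "dns-delay" plus "dns-timeout", since the timer only starts at the first resolution attempt.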


@ -2435,11 +2435,6 @@ re:
goto nextreq;
}
/* set the start time of the DNS checks so we can apply
* the timeout */
if (ctx->dnsstarttime == 0)
ctx->dnsstarttime = ns_to_sec(now_ns);
/* Check if the next resolution would be triggered too
* late according to the dns_timeout and abort is
* necessary. */
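Review bot: with the initialization removed from this state, the check that immediately follows ("Check if the next resolution would be triggered too late according to the dns_timeout") still evaluates ctx->dnsstarttime while in ACME_RSLV_WAIT; please confirm that either this check is guarded by ctx->dnsstarttime != 0 or that the WAIT state cannot reach it before ACME_RSLV_TRIGGER has run at least once, otherwise the comparison is made against a start time of 0 on the first pass and the outcome depends on how the subtraction is written. Minor: the context comment reads "abort is necessary" where "abort if necessary" is meant.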
@ -2463,6 +2458,11 @@ re:
case ACME_RSLV_TRIGGER: {
struct acme_auth *auth;
/* set the start time of the DNS checks so we can apply
* the timeout */
if (ctx->dnsstarttime == 0)
ctx->dnsstarttime = ns_to_sec(now_ns);
/* if it was trigger by the CLI, still wait dns_delay if
* not everything is ready, or skip and to to
* ACME_CHALLENGE */
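Review bot: the `if (ctx->dnsstarttime == 0)` guard makes the assignment idempotent across retries, which is what is wanted, but it also means nothing in this hunk ever returns the field to 0; if the same ctx is reused for a later challenge (renewal, or a second CLI-triggered run after the first one failed on timeout), the stale start time is inherited and the timeout check can fire on the first attempt. Please confirm that ctx is freshly allocated per challenge, or reset ctx->dnsstarttime = 0 where a new authorization begins. Minor: the context comment has "if it was trigger by the CLI" (triggered) and "skip and to to ACME_CHALLENGE" (go to); worth fixing since the line is being touched.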