From c82ff34ad2c45784293f53ebc5defc5d9fd909f5 Mon Sep 17 00:00:00 2001 From: Matt Holt Date: Thu, 14 Mar 2024 15:35:35 -0600 Subject: [PATCH] Retry with new account if account disappeared remotely (#269) * Retry with new account if account disappeared remotely * Emit log when account is missing from ACME server --- account.go | 10 ++++++++++ acmeissuer.go | 40 ++++++++++++++++++++++++++++++++++------ 2 files changed, 44 insertions(+), 6 deletions(-) diff --git a/account.go b/account.go index f3cb755a..97fdadf6 100644 --- a/account.go +++ b/account.go @@ -171,6 +171,16 @@ func (am *ACMEIssuer) saveAccount(ctx context.Context, ca string, account acme.A return storeTx(ctx, am.config.Storage, all) } +// deleteAccountLocally deletes the registration info and private key of the account +// for the given CA from storage. +func (am *ACMEIssuer) deleteAccountLocally(ctx context.Context, ca string, account acme.Account) error { + primaryContact := getPrimaryContact(account) + if err := am.config.Storage.Delete(ctx, am.storageKeyUserReg(ca, primaryContact)); err != nil { + return err + } + return am.config.Storage.Delete(ctx, am.storageKeyUserPrivateKey(ca, primaryContact)) +} + // setEmail does everything it can to obtain an email address // from the user within the scope of memory and storage to use // for ACME TLS. If it cannot get an email address, it does nothing diff --git a/acmeissuer.go b/acmeissuer.go index 580a7721..3e7a75c2 100644 --- a/acmeissuer.go +++ b/acmeissuer.go @@ -393,12 +393,40 @@ func (am *ACMEIssuer) doIssue(ctx context.Context, csr *x509.CertificateRequest, } } - certChains, err := client.acmeClient.ObtainCertificateUsingCSR(ctx, client.account, csr) - if err != nil { - return nil, usingTestCA, fmt.Errorf("%v %w (ca=%s)", nameSet, err, client.acmeClient.Directory) - } - if len(certChains) == 0 { - return nil, usingTestCA, fmt.Errorf("no certificate chains") + // do this in a loop because there's an error case that may necessitate a retry, but not more than once + var certChains []acme.Certificate + for i := 0; i < 2; i++ { + certChains, err = client.acmeClient.ObtainCertificateUsingCSR(ctx, client.account, csr) + if err != nil { + var prob acme.Problem + if errors.As(err, &prob) && prob.Type == acme.ProblemTypeAccountDoesNotExist { + am.Logger.Warn("ACME account does not exist on server; attempting to recreate", + zap.Strings("account_contact", client.account.Contact), + zap.String("account_location", client.account.Location), + zap.Object("problem", prob)) + + // the account we have no longer exists on the CA, so we need to create a new one; + // we could use the same key pair, but this is a good opportunity to rotate keys + // (see https://caddy.community/t/acme-account-is-not-regenerated-when-acme-server-gets-reinstalled/22627) + // (basically this happens if the CA gets reset or reinstalled; usually just internal PKI) + err := am.deleteAccountLocally(ctx, client.iss.CA, client.account) + if err != nil { + return nil, usingTestCA, fmt.Errorf("%v ACME account no longer exists on CA, but resetting our local copy of the account info failed: %v", nameSet, err) + } + + // recreate account and try again + client, err = am.newACMEClientWithAccount(ctx, useTestCA, false) + if err != nil { + return nil, false, err + } + continue + } + return nil, usingTestCA, fmt.Errorf("%v %w (ca=%s)", nameSet, err, client.acmeClient.Directory) + } + if len(certChains) == 0 { + return nil, usingTestCA, fmt.Errorf("no certificate chains") + } + break } preferredChain := am.selectPreferredChain(certChains)