From 5f87aeac29838b974cb432cda5498e0fada3fc3e Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Mon, 12 Feb 2024 14:06:03 -0700 Subject: [PATCH 1/2] Retry with new account if account disappeared remotely --- account.go | 10 ++++++++++ acmeissuer.go | 35 +++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 6 deletions(-) diff --git a/account.go b/account.go index f3cb755a..97fdadf6 100644 --- a/account.go +++ b/account.go @@ -171,6 +171,16 @@ func (am *ACMEIssuer) saveAccount(ctx context.Context, ca string, account acme.A return storeTx(ctx, am.config.Storage, all) } +// deleteAccountLocally deletes the registration info and private key of the account +// for the given CA from storage. +func (am *ACMEIssuer) deleteAccountLocally(ctx context.Context, ca string, account acme.Account) error { + primaryContact := getPrimaryContact(account) + if err := am.config.Storage.Delete(ctx, am.storageKeyUserReg(ca, primaryContact)); err != nil { + return err + } + return am.config.Storage.Delete(ctx, am.storageKeyUserPrivateKey(ca, primaryContact)) +} + // setEmail does everything it can to obtain an email address // from the user within the scope of memory and storage to use // for ACME TLS. If it cannot get an email address, it does nothing diff --git a/acmeissuer.go b/acmeissuer.go index 580a7721..35fc3b71 100644 --- a/acmeissuer.go +++ b/acmeissuer.go @@ -393,12 +393,35 @@ func (am *ACMEIssuer) doIssue(ctx context.Context, csr *x509.CertificateRequest, } } - certChains, err := client.acmeClient.ObtainCertificateUsingCSR(ctx, client.account, csr) - if err != nil { - return nil, usingTestCA, fmt.Errorf("%v %w (ca=%s)", nameSet, err, client.acmeClient.Directory) - } - if len(certChains) == 0 { - return nil, usingTestCA, fmt.Errorf("no certificate chains") + // do this in a loop because there's an error case that may necessitate a retry, but not more than once + var certChains []acme.Certificate + for i := 0; i < 2; i++ { + certChains, err = client.acmeClient.ObtainCertificateUsingCSR(ctx, client.account, csr) + if err != nil { + var prob acme.Problem + if errors.As(err, &prob) && prob.Type == acme.ProblemTypeAccountDoesNotExist { + // the account we have no longer exists on the CA, so we need to create a new one; + // we could use the same key pair, but this is a good opportunity to rotate keys + // (see https://caddy.community/t/acme-account-is-not-regenerated-when-acme-server-gets-reinstalled/22627) + // (basically this happens if the CA gets reset or reinstalled; usually just internal PKI) + err := am.deleteAccountLocally(ctx, client.iss.CA, client.account) + if err != nil { + return nil, usingTestCA, fmt.Errorf("%v ACME account no longer exists on CA, but resetting our local copy of the account info failed: %v", nameSet, err) + } + + // recreate account and try again + client, err = am.newACMEClientWithAccount(ctx, useTestCA, false) + if err != nil { + return nil, false, err + } + continue + } + return nil, usingTestCA, fmt.Errorf("%v %w (ca=%s)", nameSet, err, client.acmeClient.Directory) + } + if len(certChains) == 0 { + return nil, usingTestCA, fmt.Errorf("no certificate chains") + } + break } preferredChain := am.selectPreferredChain(certChains) From 803ea27193c829ad47148ccb854b8ab9f046e105 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Thu, 22 Feb 2024 11:55:33 -0700 Subject: [PATCH 2/2] Emit log when account is missing from ACME server --- acmeissuer.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/acmeissuer.go b/acmeissuer.go index 35fc3b71..3e7a75c2 100644 --- a/acmeissuer.go +++ b/acmeissuer.go @@ -400,6 +400,11 @@ func (am *ACMEIssuer) doIssue(ctx context.Context, csr *x509.CertificateRequest, if err != nil { var prob acme.Problem if errors.As(err, &prob) && prob.Type == acme.ProblemTypeAccountDoesNotExist { + am.Logger.Warn("ACME account does not exist on server; attempting to recreate", + zap.Strings("account_contact", client.account.Contact), + zap.String("account_location", client.account.Location), + zap.Object("problem", prob)) + // the account we have no longer exists on the CA, so we need to create a new one; // we could use the same key pair, but this is a good opportunity to rotate keys // (see https://caddy.community/t/acme-account-is-not-regenerated-when-acme-server-gets-reinstalled/22627)