This repository was archived by the owner on Nov 24, 2025. It is now read-only.
/deliveryservices/sslkeys/generate/letsencrypt doesn't perform checks #4479
Closed
Labels: Traffic Ops (related to Traffic Ops), bug (something isn't working as intended), high impact (impacts the basic function, deployment, or operation of a CDN)
Description
I'm submitting a ...
- bug report
- new feature / enhancement request
- improvement request (usability, performance, tech debt, etc.)
- other
Traffic Control components affected ...
- CDN in a Box
- Documentation
- Grove
- Traffic Control Client
- Traffic Monitor
- Traffic Ops
- Traffic Ops ORT
- Traffic Portal
- Traffic Router
- Traffic Stats
- Traffic Vault
- unknown
Current behavior:
When making a POST request to /deliveryservices/sslkeys/generate/letsencrypt the user is allowed to input any value for the cdn, key, and deliveryservice keys, even if the cdn, deliveryservice or key doesn't exist.
There are also no tenancy checks performed. This means a user who has no access to a delivery service outside their tenancy can still generate SSL certificates for that deliveryservice.
The response returned for any of these requests is:
HTTP/1.1 200 OK
Content-Type: application/json
{
  "alerts": [
    {
      "text": "Beginning async call to Let's Encrypt for doesntexist. This may take a few minutes.",
      "level": "info"
    }
  ]
}
Expected / new behavior:
Response returned should be one of the following:
HTTP/1.1 404 Not Found
Content-Type: application/json
{
  "alerts": [
    {
      "text": "cdn not found",
      "level": "error"
    }
  ]
}
OR
HTTP/1.1 404 Not Found
Content-Type: application/json
{
  "alerts": [
    {
      "text": "deliveryservice not found",
      "level": "error"
    }
  ]
}
OR (Tenancy Case)
HTTP/1.1 403 Forbidden
Content-Type: application/json
{
  "alerts": [
    {
      "text": "not authorized on this tenant",
      "level": "error"
    }
  ]
}
Minimal reproduction of the problem with instructions:
Anything else:
The error logs show:
ERROR: letsencryptcert.go:187: ...: no DS with name doesntexist
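An added example, not part of the original issue and not Traffic Ops code: a sketch of the existence and tenancy checks the issue asks for, run before the async Let's Encrypt call starts and returning the expected status codes and alert texts. The `Request`, `Store`, `inTenancy` and `Precheck` names, the in-memory store, and the parent/child tenancy model are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// Request holds the fields the issue names (field names assumed).
type Request struct{ CDN, DeliveryService, Key string }

// Store is a hypothetical in-memory stand-in for the Traffic Ops database.
type Store struct {
	CDNs     map[string]bool
	DSTenant map[string]int // delivery service name -> owning tenant
	Parent   map[int]int    // tenant -> parent tenant (0 = none); hierarchy assumed
}

// inTenancy reports whether tenant t is the user's tenant or a descendant of it.
func (s Store) inTenancy(user, t int) bool {
	for hops := 0; t != 0 && hops <= len(s.Parent); hops++ { // hop bound stops on cycles
		if t == user {
			return true
		}
		t = s.Parent[t]
	}
	return false
}

// Precheck returns the status and alert text to send before any async work begins.
func Precheck(s Store, userTenant int, r Request) (int, string) {
	if !s.CDNs[r.CDN] {
		return http.StatusNotFound, "cdn not found"
	}
	tenant, ok := s.DSTenant[r.DeliveryService]
	if !ok {
		return http.StatusNotFound, "deliveryservice not found"
	}
	if !s.inTenancy(userTenant, tenant) {
		return http.StatusForbidden, "not authorized on this tenant"
	}
	return http.StatusOK, "Beginning async call to Let's Encrypt for " + r.DeliveryService
}

func main() {
	// Constructed data: tenant 1 is the root, 2 and 3 are its children.
	s := Store{map[string]bool{"cdn1": true}, map[string]int{"ds-a": 2, "ds-b": 3}, map[int]int{2: 1, 3: 1}}
	fmt.Println(Precheck(s, 2, Request{"cdn1", "doesntexist", "doesntexist"})) // 404
	fmt.Println(Precheck(s, 2, Request{"cdn1", "ds-b", "ds-b"}))               // 403
	fmt.Println(Precheck(s, 2, Request{"cdn1", "ds-a", "ds-a"}))               // 200
}
```

Running the checks synchronously in the handler means a failure reaches the caller in the response instead of appearing only in the error log.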