
In memory cookie jar for http01 challenge #6303

Closed
arontsang opened this issue May 7, 2024 · 8 comments
Labels
upstream ⬆️ Relates to some dependency of this project

Comments

@arontsang

I have an ACME server behind an AWS ELB that caddy can't communicate with correctly.

The ELB is round robin load balancing, resulting in the NewNonce coming from the wrong server.

Please can we add an in-memory cookie jar to the HTTP client instance used by the http01 challenge.

@mholt
Member

mholt commented May 7, 2024

@arontsang Would you please try the cookies branch of CertMagic? See if that helps you out. caddyserver/certmagic#288

@mholt
Member

mholt commented May 7, 2024

Oh, you said you have an ACME server. Nevermind. One minute.

@mholt
Member

mholt commented May 7, 2024

Ok, so that HTTP client actually comes from smallstep/certificates:

https://github.com/smallstep/certificates/blob/e3ba70281138416c89d4314a700d1c6127fd47de/acme/client.go#L53-L69

If there is a way to pass a custom HTTP client in (through context?) I haven't figured that out.

Sorry to redirect you again, but could you open an issue at the Smallstep repo? They will be able to better address this.

(Closing, but feel free to continue discussion if needed!)

mholt added the upstream ⬆️ Relates to some dependency of this project label May 7, 2024
mholt closed this as not planned May 7, 2024
@hslatman
Contributor

hslatman commented May 15, 2024

@mholt I think your original PR in CertMagic does in fact do what @arontsang is looking for, namely to send cookies (if received from the ELB) in follow-up requests to the ACME server.

The HTTP client you're referring to is the one that's used to validate an HTTP challenge (actually, it's a wrapper for HTTP, DNS and TLS-ALPN challenge solving). That client does not operate on nonces, and should generally only fire a single request from behind the load balancer.

@arontsang
Author

@arontsang Would you please try the cookies branch of CertMagic? See if that helps you out. caddyserver/certmagic#288

@mholt

I'm going to try to compile and run this in my corporate environment and see if it fixes the issue.

I'm not a golang dev, so I'm not sure how well it's going to go.😜

@mholt
Member

mholt commented May 15, 2024

Let me know; if that PR does do what you need then I'll recreate it and merge it.

@arontsang
Author

@mholt

Still getting this issue:

2024/05/23 05:32:13.426 INFO    tls.obtain      obtaining certificate   {"identifier": "serverName.redacted.company.com"}
2024/05/23 05:32:15.488 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "serverName.redacted.company.com", "issuer": "venafi.foobar-vacme-v2-acme-directory", "error": "[serverName.redacted.company.com] creating new order: attempt 1: https://venafi.foobar/vacme/v2/new-order: HTTP 400: {\"type\":\"urn:ietf:params:acme:error:badNonce\",\"detail\":\"Bad Nonce\",\"status\":400} (ca=https://venafi.foobar/vacme/v2/acme/directory)"}
2024/05/23 05:32:15.488 ERROR   tls.obtain      will retry      {"error": "[serverName.redacted.company.com] Obtain: [serverName.redacted.company.com] creating new order: attempt 1: https://venafi.foobar/vacme/v2/new-order: HTTP 400: {\"type\":\"urn:ietf:params:acme:error:badNonce\",\"detail\":\"Bad Nonce\",\"status\":400} (ca=https://venafi.foobar/vacme/v2/acme/directory)", "attempt": 2, "retrying_in": 120, "elapsed": 74.1983161, "max_duration": 2592000}

@mholt
Member

mholt commented May 23, 2024

@arontsang So it sounds like a cookie jar in the ACME client is not what is needed for your use case.
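The thread turns on two separate mechanisms: the stickiness cookie a load balancer may issue (which is what an in-memory cookie jar would honour) and the ACME nonce itself, which is only valid at the server instance that minted it unless the instances share a nonce store. The following Go program is an added example written for this page; it is not Caddy, CertMagic or smallstep code. It simulates two ACME instances behind a round-robin balancer with per-instance nonces, and a minimal client that tracks Replay-Nonce headers and retries on badNonce with the fresh nonce the error response carries, as RFC 8555 section 6.5 directs. Everything about the server is constructed: the two backends named a and b, the choice sequence, the nonce in a plain JSON body instead of a JWS protected header, and the AWSALB cookie name, which is assumed to mirror the ALB stickiness cookie. It does not claim to reproduce the reporter's Venafi setup, where the cookie branch did not help.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// backend models one ACME instance behind the LB: nonces are known only to the instance that minted them.
type backend struct{ name string; seq int; nonces map[string]bool }

// newLB starts a simulated load balancer in front of two backends. seq is a constructed
// list of backend choices for requests without a stickiness cookie ({0, 1} is strict round
// robin); with sticky set, the LB pins later requests with a cookie (name assumed from ALB).
func newLB(seq []int, sticky bool) *httptest.Server {
	backends := []*backend{{name: "a", nonces: map[string]bool{}}, {name: "b", nonces: map[string]bool{}}}
	n := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		idx := -1
		if c, err := r.Cookie("AWSALB"); err == nil {
			fmt.Sscanf(c.Value, "%d", &idx)
		}
		if idx < 0 || idx >= len(backends) {
			idx = seq[n%len(seq)]
			n++
			if sticky {
				http.SetCookie(w, &http.Cookie{Name: "AWSALB", Value: fmt.Sprint(idx)})
			}
		}
		b := backends[idx]
		b.seq++
		fresh := fmt.Sprintf("%s-%d", b.name, b.seq)
		b.nonces[fresh] = true
		w.Header().Set("Replay-Nonce", fresh) // every ACME response carries a fresh nonce
		switch r.URL.Path {
		case "/new-nonce":
			w.WriteHeader(http.StatusOK)
		case "/new-order": // simplification: nonce in a JSON body, not a JWS protected header
			var req struct{ Nonce string }
			json.NewDecoder(r.Body).Decode(&req)
			if !b.nonces[req.Nonce] { // minted by the other instance, or already used
				w.WriteHeader(http.StatusBadRequest)
				json.NewEncoder(w).Encode(map[string]interface{}{"type": "urn:ietf:params:acme:error:badNonce", "detail": "Bad Nonce", "status": 400})
				return
			}
			delete(b.nonces, req.Nonce) // nonces are single-use
			w.WriteHeader(http.StatusCreated)
		}
	}))
}

// obtainOrder fetches a nonce, POSTs new-order and, on badNonce, retries with the Replay-Nonce
// from the error response (RFC 8555 section 6.5), up to maxRetries times. Returns attempts made.
func obtainOrder(client *http.Client, base string, maxRetries int) (int, error) {
	resp, err := client.Head(base + "/new-nonce")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	nonce := resp.Header.Get("Replay-Nonce")
	for attempt := 1; ; attempt++ {
		body, _ := json.Marshal(map[string]string{"nonce": nonce})
		resp, err := client.Post(base+"/new-order", "application/jose+json", bytes.NewReader(body))
		if err != nil {
			return attempt, err
		}
		var prob struct{ Type string }
		json.NewDecoder(resp.Body).Decode(&prob) // empty body on success decodes to nothing
		resp.Body.Close()
		if resp.StatusCode == http.StatusCreated {
			return attempt, nil
		}
		if prob.Type != "urn:ietf:params:acme:error:badNonce" || attempt > maxRetries {
			return attempt, fmt.Errorf("new-order: HTTP %d %s", resp.StatusCode, prob.Type)
		}
		nonce = resp.Header.Get("Replay-Nonce") // fresh nonce supplied with the badNonce error
	}
}

// run wires one scenario: a fresh simulated LB, a client with or without an in-memory cookie jar.
func run(seq []int, sticky, useJar bool, maxRetries int) (int, error) {
	srv := newLB(seq, sticky)
	defer srv.Close()
	client := &http.Client{}
	if useJar {
		client.Jar, _ = cookiejar.New(nil)
	}
	return obtainOrder(client, srv.URL, maxRetries)
}

func main() {
	fmt.Println(run([]int{0, 1}, false, false, 3))   // 4 attempts, badNonce every time
	fmt.Println(run([]int{0, 1}, true, true, 3))     // 1 attempt: the jar returns the stickiness cookie
	fmt.Println(run([]int{0, 1, 1}, false, false, 3)) // 2 attempts: the retry reaches the minting instance
}
```

Under strict alternation every retry lands on the instance that did not mint the nonce, so retrying never converges and the client ends with the same HTTP 400 badNonce seen in the log above; a cookie jar helps only when the balancer actually issues a stickiness cookie, and a balancer that is not strictly alternating lets the RFC 8555 retry succeed by chance. A shared nonce store on the server side removes the problem without either client-side workaround.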
