client.py:obtain_certificate_from_csr should ensure that a chain is returned or cause certbot to fail #4196

Closed
ohemorange opened this issue Feb 9, 2017 · 3 comments

Comments

@ohemorange
Contributor

It should not successfully return a certificate without its chain. We can do this by retrying acme.fetch_chain once, then telling the user to rerun with the path to where we saved the cert after fixing the network.

This is bad because if we only tell users about the cert, they won't know to also get the chain and concat the files to make the fullchain, and they'll accidentally use the cert file, which causes that weird failure mode in modern browsers.

@ohemorange
Contributor Author

See https://github.com/certbot/certbot/blob/master/certbot/client.py#L245.

The problem is that there are two network calls, acme.request_issuance and acme.fetch_chain. If the first one succeeds but the second one fails, we should in some way make sure the second call is retried rather than failing silently. This could be addressed by some combination of waiting, retrying, informing the user, and waiting for user input.
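The retry-then-fail behaviour discussed in the comments above, sketched as an added example that is not part of the original thread and is not certbot's code. The method names `request_issuance` and `fetch_chain` are taken from the comment, but their signatures here are simplified assumptions; `obtain_cert_with_chain`, `ChainFetchError`, `save_cert` and the `FlakyAcme` stand-in are hypothetical names constructed for illustration.

```python
import logging
import time

logger = logging.getLogger(__name__)


class ChainFetchError(Exception):
    """Certificate was issued, but its chain could not be fetched."""

    def __init__(self, cert_path):
        super().__init__(
            "Certificate saved to %s but the chain could not be fetched; "
            "fix the network and rerun with that path." % cert_path)
        self.cert_path = cert_path


def obtain_cert_with_chain(acme, csr, save_cert, retries=1, delay=1.0,
                           sleep=time.sleep):
    """Return (certr, chain); never return a certificate without its chain."""
    certr = acme.request_issuance(csr)  # first network call
    last_error = None
    for attempt in range(retries + 1):
        try:
            chain = acme.fetch_chain(certr)  # second network call
            if chain:
                return certr, chain
            last_error = ValueError("empty chain")
        except ConnectionError as error:
            last_error = error
        logger.warning("fetch_chain attempt %d failed: %s", attempt + 1, last_error)
        if attempt < retries:
            sleep(delay)
    # Keep the issued certificate so the user does not have to reissue it,
    # then fail loudly instead of handing back a chainless certificate.
    raise ChainFetchError(save_cert(certr)) from last_error


class FlakyAcme:
    """Constructed stand-in for an ACME client; fetch_chain fails N times."""

    def __init__(self, failures):
        self.failures = failures
        self.fetch_calls = 0

    def request_issuance(self, csr):
        return "CERT(%s)" % csr

    def fetch_chain(self, certr):
        self.fetch_calls += 1
        if self.fetch_calls <= self.failures:
            raise ConnectionError("simulated network failure")
        return ["INTERMEDIATE"]
```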

@ohemorange
Contributor Author

One possible way to address this is demonstrated in #4113.

@dhuang
Contributor

dhuang commented Mar 18, 2017

Working on this.

dhuang added a commit to dhuang/certbot that referenced this issue Mar 18, 2017
@bmw bmw closed this as completed in #4383 Mar 19, 2017
bmw pushed a commit that referenced this issue Mar 19, 2017
* Retry fetch chain errors (#4196)

* Trying to avoid confusing pylint

* Pylint disable

* Typo certz->certr

* Move pylint disable, log when fetch chain fails
@bmw bmw removed this from the Wishlist milestone Jun 7, 2019