Certbot performs challenge even when reusing valid authz #5342
Comments
@bmw thoughts?

I'm actually a little surprised we didn't already have an issue about this. Thanks a lot for opening one. Much of Certbot's core ACME functionality hasn't changed in a long time (with the exception of ongoing work now for ACMEv2) and instead we've been focusing on building more stuff on top of it. When the relevant code here was written, no one was talking about authz reuse and the new-authz endpoint always returned a new authz with pending challenges. I agree it's usually harmless, but is an unfortunate burden for people doing things manually. We probably won't get to this in the next couple months and we're focusing on other things (like getting our automated DNS plugins packaged), but we certainly want to fix this at some point. If someone is interested in writing a PR, the relevant code here is in
In response to #5342. Currently, certbot will execute the operations necessary to validate a challenge even if the challenge has already been validated before against the ACME CA server. This can occur for instance if a certificate is requested and issued correctly, then deleted locally, then requested again. It is a corner case, but it will lead to some heavy operations (like updating a DNS zone, or creating an HTTP server) that are not needed. This PR corrects this behavior by not executing challenges that are already validated, and using them directly instead to issue the certificate. Fixes #5342

* Avoid executing a given challenge that has already been validated by the ACME CA server.
* Execute the TLS challenge on a separate DNS name, to avoid reusing the existing valid HTTP challenge.
* Align with master
* Improve log
* Simplify the implementation
* Update changelog
* Add a unit test to ensure that validated challenges are not rerun
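The decision the PR above describes, as an added example that is not Certbot's or the acme library's code: inspect the authorization objects the CA handed back and only do challenge work (webroot file, DNS record, POST to the challenge URL) for authzs that are still pending, reusing valid ones and asking for a fresh authz when the one returned is unusable. Field names follow the ACME authorization object (status, expires, identifier, challenges); the sample authzs, the challenge preference order, and the helper names are assumptions made for this example.

```python
"""Classify ACME authorizations before performing any challenge.

Added example, not Certbot's code. Models the fix in the thread: check the
authz the CA returned and skip challenge work when it is already valid.
"""
from datetime import datetime, timezone

# Challenge types this example client can perform, in preference order
# (an assumption for the example; Certbot's own plugin selection differs).
SUPPORTED_CHALLENGES = ("http-01", "dns-01")


def parse_rfc3339(value):
    """Parse the RFC 3339 timestamps ACME uses, e.g. '2018-02-01T00:00:00Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def pick_challenge(authz, supported=SUPPORTED_CHALLENGES):
    """Return the first supported challenge that is still pending, else None."""
    by_type = {c.get("type"): c for c in authz.get("challenges", [])}
    for ctype in supported:
        chall = by_type.get(ctype)
        if chall is not None and chall.get("status", "pending") == "pending":
            return chall
    return None


def plan_authz(authz, now):
    """Classify one authorization object returned by the CA.

    ACME authz statuses are pending, valid, invalid, deactivated, expired and
    revoked (RFC 8555 section 7.1.6). Returns (action, challenge):
      ("reuse", None)       valid and unexpired: no challenge work at all
      ("perform", chall)    pending: set up this challenge, then POST to it
      ("new-authz", None)   unusable: request a fresh authorization instead
    """
    status = authz.get("status", "pending")
    expires = authz.get("expires")
    expired = expires is not None and parse_rfc3339(expires) <= now

    if status == "valid" and not expired:
        return ("reuse", None)
    if status != "pending" or expired:
        return ("new-authz", None)
    chall = pick_challenge(authz)
    return ("perform", chall) if chall is not None else ("new-authz", None)


def plan_all(authzs, now=None):
    """Map each identifier to (action, challenge type) for the whole run."""
    now = now or datetime.now(timezone.utc)
    plan = {}
    for authz in authzs:
        action, chall = plan_authz(authz, now)
        plan[authz["identifier"]["value"]] = (action, chall["type"] if chall else None)
    return plan


# Constructed sample input (not captured from a real CA): four names, one run.
SAMPLE_NOW = datetime(2018, 1, 10, tzinfo=timezone.utc)
SAMPLE_AUTHZS = [
    # Issued last week, then the cert was deleted locally: authz still valid.
    {"identifier": {"type": "dns", "value": "example.com"},
     "status": "valid", "expires": "2018-02-01T00:00:00Z",
     "challenges": [{"type": "http-01", "status": "valid"}]},
    # Never validated: both challenges pending, http-01 is preferred.
    {"identifier": {"type": "dns", "value": "www.example.com"},
     "status": "pending", "expires": "2018-01-17T00:00:00Z",
     "challenges": [{"type": "dns-01", "status": "pending"},
                    {"type": "http-01", "status": "pending"}]},
    # Validated long ago; the authz has aged out even though status says valid.
    {"identifier": {"type": "dns", "value": "old.example.com"},
     "status": "valid", "expires": "2017-12-01T00:00:00Z",
     "challenges": [{"type": "dns-01", "status": "valid"}]},
    # A failed attempt: nothing in this authz can be retried.
    {"identifier": {"type": "dns", "value": "bad.example.com"},
     "status": "invalid", "expires": "2018-01-17T00:00:00Z",
     "challenges": [{"type": "http-01", "status": "invalid"}]},
]

if __name__ == "__main__":
    for name, (action, ctype) in plan_all(SAMPLE_AUTHZS, SAMPLE_NOW).items():
        print(f"{name}: {action}" + (f" via {ctype}" if ctype else ""))
```

The expiry check is the caveat a client needs on top of the status check: an authz that reads "valid" but whose `expires` has passed cannot be reused and cannot have its challenge re-POSTed, so the only correct move is a fresh authorization, not a retry of the old challenge.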
My operating system is (include version): Ubuntu 16.04 (x86-64)
I installed Certbot with (certbot-auto, OS package manager, pip, etc): certbot-auto
I ran this command and it produced this output:
Certbot's behavior differed from what I expected because:
The second time, even though Let's Encrypt returned a valid authz, Certbot still created the challenge file and POSTed to the /acme/challenge endpoint despite it being unnecessary. It's harmless for automated usage, but unfortunate for people using manual mode and suffering through a cumbersome file upload or DNS update process.
Here is a Certbot log showing the issue (if available):
Logs are stored in /var/log/letsencrypt by default. Feel free to redact domains, e-mail and IP addresses as you see fit.
Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring: