
Certbot performs challenge even when reusing valid authz #5342

Closed
mnordhoff opened this issue Dec 20, 2017 · 2 comments

Comments

@mnordhoff (Contributor)

My operating system is (include version):

Ubuntu 16.04 (x86-64)

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

certbot-auto

I ran this command and it produced this output:

$ sudo -H certbot certonly --staging --webroot -w /srv/www/certbot -d 2017-12-20.clover.letsencrypt.mattnordhoff.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 2017-12-20.clover.letsencrypt.mattnordhoff.net
Using the webroot path /srv/www/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/2017-12-20.clover.letsencrypt.mattnordhoff.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/2017-12-20.clover.letsencrypt.mattnordhoff.net/privkey.pem
   Your cert will expire on 2018-03-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

$ sudo -H certbot delete --cert-name 2017-12-20.clover.letsencrypt.mattnordhoff.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Deleted all files relating to certificate
2017-12-20.clover.letsencrypt.mattnordhoff.net.
-------------------------------------------------------------------------------

$ sudo -H certbot certonly --staging --webroot -w /srv/www/certbot -d 2017-12-20.clover.letsencrypt.mattnordhoff.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 2017-12-20.clover.letsencrypt.mattnordhoff.net
Using the webroot path /srv/www/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/2017-12-20.clover.letsencrypt.mattnordhoff.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/2017-12-20.clover.letsencrypt.mattnordhoff.net/privkey.pem
   Your cert will expire on 2018-03-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Certbot's behavior differed from what I expected because:

The second time, even though Let's Encrypt returned a valid authz, Certbot still created the challenge file and POSTed to the /acme/challenge endpoint despite it being unnecessary.

It's harmless for automated usage, but unfortunate for people using manual mode and suffering through a cumbersome file upload or DNS update process.

Here is a Certbot log showing the issue (if available):

Logs are stored in /var/log/letsencrypt by default. Feel free to redact domains, e-mail and IP addresses as you see fit.

Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

@SwartzCr (Contributor)

@bmw thoughts?

@bmw (Member) commented Dec 21, 2017

I'm actually a little surprised we didn't already have an issue about this. Thanks a lot for opening one.

Much of Certbot's core ACME functionality hasn't changed in a long time (with the exception of ongoing work now for ACMEv2) and instead we've been focusing on building more stuff on top of it. When the relevant code here was written, no one was talking about authz reuse and the new-authz endpoint always returned a new authz with pending challenges.

I agree it's usually harmless, but is an unfortunate burden for people doing things manually. We probably won't get to this in the next couple months and we're focusing on other things (like getting our automated DNS plugins packaged), but we certainly want to fix this at some point. If someone is interested in writing a PR, the relevant code here is in certbot/auth_handler.py.

@bmw bmw removed the area: acme label Dec 21, 2017
@bmw bmw added this to the 1.0.0 milestone Dec 21, 2017
@bmw bmw added the has pr label Jan 2, 2019
@bmw bmw modified the milestones: 1.0.0, 0.31.0 Jan 9, 2019
@bmw bmw closed this as completed in #6551 Jan 9, 2019
bmw pushed a commit that referenced this issue Jan 9, 2019
In response to #5342.

Currently, certbot will execute the operations necessary to validate a challenge even if the challenge has already been validated before against the ACME CA server. This can occur for instance if a certificate is requested and issued correctly, then deleted locally, then requested again.

It is a corner case, but it will lead to some heavy operations (like updating a DNS zone, or creating an HTTP server) that are not needed.

This PR corrects this behavior by not executing challenges that are already validated, and uses them directly instead to issue the certificate.

Fixes #5342

* Avoid executing a given challenge that has already been validated by the ACME CA server.

* Execute tls challenge on a separate dns name, to avoid reusing the existing valid http challenge.

* Align with master

* Improve log

* Simplify the implementation

* Update changelog

* Add a unit test to ensure that validated challenges are not rerun
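The decision the commit message describes, in the form of an added example (not Certbot's code and not the code from #6551): parse the authorization objects the CA returns (RFC 8555 section 7.1.4 shape, here constructed sample data rather than real server responses), keep the ones the CA already reports as `valid` without touching the webroot or DNS zone, and select a pending challenge only for authorizations that are still `pending`. The names `parse_authz`, `plan_challenges` and the `SAMPLE_AUTHZS` identifiers are assumptions made for this illustration; the `status` and `type` values are the standard ACME ones.

```python
"""Added example: skip challenge execution for authorizations the ACME CA
already considers valid. Not Certbot's implementation; models the behaviour
fixed in #6551 on constructed authorization objects."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Challenge:
    type: str      # "http-01", "dns-01", "tls-alpn-01", ...
    status: str    # "pending", "processing", "valid" or "invalid"
    token: str


@dataclass
class Authorization:
    identifier: str            # DNS name being authorized
    status: str                # "pending", "valid", "invalid", "expired", ...
    challenges: List[Challenge]


def parse_authz(obj: dict) -> Authorization:
    """Parse an ACME authorization JSON object (RFC 8555 section 7.1.4)."""
    return Authorization(
        identifier=obj["identifier"]["value"],
        status=obj["status"],
        challenges=[Challenge(c["type"], c["status"], c["token"])
                    for c in obj.get("challenges", [])],
    )


def plan_challenges(
    authzs: List[Authorization],
    supported: Tuple[str, ...] = ("http-01", "dns-01"),
) -> Tuple[List[Authorization], List[Tuple[Authorization, Challenge]]]:
    """Split authorizations into those reused as-is and those needing work.

    Returns (reused, to_run). A 'valid' authorization is reused directly:
    no challenge file is written, no DNS record is created and nothing is
    POSTed to its challenge URL. A 'pending' authorization gets the first
    supported challenge that is itself still pending. Any other status
    (invalid, expired, revoked, deactivated) cannot lead to issuance.
    """
    reused: List[Authorization] = []
    to_run: List[Tuple[Authorization, Challenge]] = []
    for authz in authzs:
        if authz.status == "valid":
            reused.append(authz)
            continue
        if authz.status != "pending":
            raise ValueError(
                f"{authz.identifier}: authorization is {authz.status}; "
                "a new authorization is required")
        chosen: Optional[Challenge] = next(
            (c for t in supported for c in authz.challenges
             if c.type == t and c.status == "pending"),
            None)
        if chosen is None:
            raise ValueError(
                f"{authz.identifier}: no pending challenge of a supported type")
        to_run.append((authz, chosen))
    return reused, to_run


# Constructed sample input: what a second run might receive from the CA.
# The first authorization is the one reused from an earlier successful
# issuance; the second is a fresh one with pending challenges.
SAMPLE_AUTHZS = [
    {
        "identifier": {"type": "dns", "value": "reused.example.test"},
        "status": "valid",
        "challenges": [
            {"type": "http-01", "status": "valid", "token": "tok-a"},
        ],
    },
    {
        "identifier": {"type": "dns", "value": "fresh.example.test"},
        "status": "pending",
        "challenges": [
            {"type": "tls-alpn-01", "status": "pending", "token": "tok-c"},
            {"type": "http-01", "status": "pending", "token": "tok-d"},
        ],
    },
]


def main() -> None:
    authzs = [parse_authz(a) for a in SAMPLE_AUTHZS]
    reused, to_run = plan_challenges(authzs)
    for a in reused:
        print(f"reusing valid authorization for {a.identifier}; "
              "no challenge performed")
    for a, ch in to_run:
        print(f"performing {ch.type} challenge for {a.identifier} "
              f"(token {ch.token})")


if __name__ == "__main__":
    main()
```

The cleanup step in a client built this way only has to undo what `to_run` set up, which is the point of the fix: for the reused name nothing was written to the webroot or DNS zone, so there is nothing to remove, and the operator in manual mode is not asked to repeat a file upload or zone update the CA no longer needs.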