fix(ssl): detect and rebuild stale ACME orders on verify/retry#493
Open
mrrobot47 wants to merge 1 commit into
Open
fix(ssl): detect and rebuild stale ACME orders on verify/retry#493mrrobot47 wants to merge 1 commit into
mrrobot47 wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
A one-time DNS hiccup or timeout could permanently break SSL for a site. On issuance failure the ACME order/challenge files are left on disk; the user fixes DNS and re-runs
ee site ssl-verify→check()blindly reloads the on-disk order and reuses it. Within ~7 days while the order is stillpendingthis works (and is preserved). But once Let's Encrypt expires the pending order, the reloaded order is dead, validation fails forever, and the site shows a generic "Cannot validate challenge" on every retry — because the retry path never requests a fresh order (onlyinit_lecallsauthorize()).Fix
check()now detects a stale stored order and rebuilds it before validating.isCertificateOrderStale()reloads each domain's authorization from Let's Encrypt and treats the order as stale when an authorization's live status is notpending/valid(expired/deactivated/revoked/invalid), or when the stored order doesn't cover a requested domain. On staleness it removes the dead order + challenge, callsauthorize()for a fresh order, and continues.Safeguards (validated by review):
newOrderslot.Known limitation
If Let's Encrypt fully purges an expired authorization (the reload returns 404 rather than status
expired), the order is not auto-rebuilt — the conservative choice that avoids the transient-error regression above. The common expiry case (statusexpiredon a successful reload) is handled.Testing
Manual (needs the ACME/Docker harness): simulate a stale order (let a pending order expire, or deactivate the authorization server-side), point DNS correctly, then run
ee site ssl-verify→ it requests a fresh order instead of looping. Negative test: with the order stillpending, confirm no rebuild and the normal retry path.