fix: migrate ACME DNS credentials when setting fallback certificate#1181
Open
mgrusso wants to merge 1 commit into
Open
fix: migrate ACME DNS credentials when setting fallback certificate#1181mgrusso wants to merge 1 commit into
mgrusso wants to merge 1 commit into
Conversation
When a certificate is promoted to the fallback/default slot via "Set as
Default", the cert files are renamed to default.{pem,key,json}. The ACME
database entries for DNS challenge credentials were keyed by the original
certificate filename, so renewal would fail to locate them under the new
name "default".
Add ACMEHandler.MigrateACMEDNSConfig(oldName, newName) which copies the
_dns_provider, _dns_credentials, and _dns_servers database keys to the
new name and removes the old ones. Call it in tlscert.Manager.SetCertAsDefault
both when promoting a certificate to the fallback slot and when demoting
the previous fallback back to its original name. Wire the AcmeHandler
reference into Manager after both are initialised in start.go.
Fixes tobychui#1124
Collaborator
|
I've reviewed it; this method adds too much complexity, so I won't use it. I will fix this issue in version 3.3.4. |
Owner
|
Hi @zen8841 Are you still working on this recently? If no maybe I can close it for you? |
Collaborator
|
I'm still working on it, and I'll submit PR by the end of this weekend at the latest. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When a user clicks Set as Default / Fallback Certificate, the cert files are
renamed from
{hostname}.{pem,key,json}todefault.{pem,key,json}. Howeverthe ACME database entries for DNS challenge credentials remain keyed by the
original hostname:
During auto-renewal (and manual renewal via Renew Now),
renewExpiredDomainsderives the certificate name from the on-disk filename — which is now
default— and looks up
default_dns_provider/default_dns_credentialsin the database.Those keys do not exist, so the renewal fails.
Closes #1124
Solution
ACMEHandler.MigrateACMEDNSConfig(oldName, newName string)which copies_dns_provider,_dns_credentials, and_dns_serversdatabase keys fromoldNametonewNameand removes the originals.tlscert.Manager.SetCertAsDefaultat two points:(
"default"→ original name), so its credentials remain findable.default(certname→"default"),so renewal can look them up by the new filename.
*acme.ACMEHandlerreference ontlscert.Managerand wire it instart.goafter both components are initialised.Test plan
default.*as before.default_dns_provider/default_dns_credentialskeys.with its original credentials intact and renewal works for it too.