-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
clear pending authorizations #70
Comments
https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.7.5.2
POST /acme/authz/1234 HTTP/1.1
Host: example.com
Content-Type: application/jose+json
{
"protected": base64url({
"alg": "ES256",
"kid": "https://example.com/acme/acct/1",
"nonce": "xWCM9lGbIyCgue8di6ueWQ",
"url": "https://example.com/acme/authz/1234"
}),
"payload": base64url({
"status": "deactivated"
}),
"signature": "srX9Ji7Le9bjszhu...WTFdtujObzMtZcx4"
} |
something like; Line 308 in 7124ae2
But it requires you have the old account_key. |
An alternative approach would be to maintain that state outside the program so that it could start over aware of what is half-done rather than as a newborn amnesic. I'm not sayin' I'm going to do anything like that, but it's worth considering. In fact, now that I think about it, it did NOT have a problem when I had to restart one certificate's request because of a bug in the construction of the ssh command in unbound_ssh. I was more focused on that issue, but sewer-cli (with --account_key, that may have been the key difference?) happily carried on, getting the same challenges, which I did notice as that was part of the cause of the bug. So maybe just dumping the account key early on would be enough state for a recovery... |
@komuw While reviewing open bugs again, I noticed that this appears to be the same issue as #64 - and obviously sewer, at least when run through the CLI, leaks authzs on crashes. Anyway, the Q here is are these in fact the same basic issue, or is there some important difference in some of the many references listed here? (and which ones???) |
if you try to get a cert for a domain, and acme issues a acme_challenge, you add it to DNS
but before acme can validate it you abort operation.
Now, if you try to get a certificate again, you'll get an error:
This is because we already have a pending authorization(for that time we aborted).
Sewer, should attempt to clear all/any pending authz at the start
The text was updated successfully, but these errors were encountered: