Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: avoid Int63n panic in ShouldRenewAt() #2246

Merged
merged 1 commit into from
Aug 21, 2024
Merged

fix: avoid Int63n panic in ShouldRenewAt() #2246

merged 1 commit into from
Aug 21, 2024

Conversation

robstradling
Copy link
Contributor

https://www.ietf.org/archive/id/draft-ietf-acme-ari-04.html#section-4.2 says:

If the client receives no response or a malformed response (e.g. an end timestamp which is equal to or precedes the start timestamp), it SHOULD make its own determination of when to renew the certificate, and MAY retry the renewalInfo request with appropriate exponential backoff behavior.

Currently when lego encounters an ARI renewal window that specifies "an end timestamp which is equal to or precedes the start timestamp", the following panic occurs:

panic: invalid argument to Int63n

goroutine 1 [running]:
math/rand.(*Rand).Int63n(0x0?, 0x0?)
        math/rand/rand.go:122 +0xcb
math/rand.Int63n(0x0)
        math/rand/rand.go:443 +0x25
github.com/go-acme/lego/v4/certificate.(*RenewalInfoResponse).ShouldRenewAt(0xc001608c80, {0x7d8a241, 0xede57ede7, 0x0}, 0x0)
        github.com/go-acme/lego/v4/certificate/renewal.go:45 +0x1fb
github.com/go-acme/lego/v4/cmd.getARIRenewalTime(0xc001159dc0, 0x3618d8d?, {0xc000e8ac30, 0xa}, 0xc0012a7060?)
        github.com/go-acme/lego/v4/cmd/cmd_renew.go:326 +0x3b4
github.com/go-acme/lego/v4/cmd.renewForDomains(0xc001159dc0, 0xc0012a60e0, 0xc0012b6720, 0x1, 0xc00133f928)
        github.com/go-acme/lego/v4/cmd/cmd_renew.go:145 +0x212
github.com/go-acme/lego/v4/cmd.renew(0xc001159dc0)
        github.com/go-acme/lego/v4/cmd/cmd_renew.go:126 +0x245
github.com/urfave/cli/v2.(*Command).Run(0xc001156dc0, 0xc001159dc0, {0xc0013579a0, 0x2, 0x2})
        github.com/urfave/cli/v2@v2.27.2/command.go:276 +0x97d
github.com/urfave/cli/v2.(*Command).Run(0xc001157340, 0xc001159200, {0xc0001ae000, 0x12, 0x12})
        github.com/urfave/cli/v2@v2.27.2/command.go:269 +0xbb7
github.com/urfave/cli/v2.(*App).RunContext(0xc00017ac00, {0x3a6dd30, 0x5f1d680}, {0xc0001ae000, 0x12, 0x12})
        github.com/urfave/cli/v2@v2.27.2/app.go:333 +0x58b
github.com/urfave/cli/v2.(*App).Run(...)
        github.com/urfave/cli/v2@v2.27.2/app.go:307
main.main()
        github.com/go-acme/lego/v4/cmd/lego/main.go:42 +0x1c7

https://pkg.go.dev/math/rand#Rand.Int63n documents this behaviour: "It panics if n <= 0".

This PR avoids panicking when the renewal window is "malformed", and instead makes "its own determination" that the start timestamp is "when to renew the certificate".

@ldez ldez added the area/ari ACME Renewal Information Extension label Aug 21, 2024
@ldez ldez self-assigned this Aug 21, 2024
@ldez ldez added the bug label Aug 21, 2024
@ldez ldez added this to the v4.18 milestone Aug 21, 2024
ldez
ldez approved these changes Aug 21, 2024
View reviewed changes
Copy link
Member

@ldez ldez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ldez ldez enabled auto-merge (squash) August 21, 2024 22:12
@ldez ldez disabled auto-merge August 21, 2024 22:12
@ldez ldez enabled auto-merge (squash) August 21, 2024 22:12
@ldez ldez merged commit 29e98f8 into go-acme:master Aug 21, 2024
4 checks passed
@robstradling robstradling deleted the avoid_int63n_panic branch August 22, 2024 09:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ldez ldez ldez approved these changes

Assignees

@ldez ldez

Labels
area/ari ACME Renewal Information Extension bug
Milestone
v4.18
Development

Successfully merging this pull request may close these issues.
2 participants
@robstradling @ldez