Allow AcmeServerException to accept multiple Problems #167

Open
cowwoc opened this issue Oct 15, 2024 · 2 comments

cowwoc commented Oct 15, 2024

If you order a certificate for multiple domains, you will end up with multiple Problems (one per challenge that failed). Can you please have AcmeServerException accept a list of problems? You can keep the existing methods, if necessary, and have them return the first entry in the list. You can add new methods getTypes() and getProblems() to return the new list.

shred (Owner) commented Oct 15, 2024

For errors on multiple identifiers, the CA is supposed to use subproblems (see RFC 8555 Section 6.7.1). Maybe it would be more useful to adapt this, e.g. by collecting all problems into sub-problems of a newly created parent problem.

cowwoc (Author) commented Oct 15, 2024

@shred That sounds like the right way to go. So for reference, I'm using Let's Encrypt's staging server, using the http-01 challenge, and requesting a certificate for two domains (e.g. foo.redacted.com and redacted.com).

In my case, the order.getStatus() returns INVALID but order.getError() returns Optional.empty(). I believe this is a bug (maybe in Let's Encrypt) because if you invoke order.getAuthorizations() you will get two entries, one of which returns this JSON:

{
	"identifier": {
		"type": "dns",
		"value": "foo.redacted.app"
	},
	"status": "invalid",
	"expires": "2024-10-22T16:38:07Z",
	"challenges": [
		{
			"type": "http-01",
			"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14439560183/-pBobg",
			"status": "invalid",
			"validated": "2024-10-15T16:38:07Z",
			"error": {
				"type": "urn:ietf:params:acme:error:connection",
				"detail": "104.247.245.31: Fetching https://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo: Connection refused",
				"status": 400
			},
			"token": "JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
			"validationRecord": [
				{
					"url": "http://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
					"hostname": "foo.redacted.app",
					"port": "80",
					"addressesResolved": [
						"104.247.245.31",
						"2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
					],
					"addressUsed": "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
				},
				{
					"url": "http://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
					"hostname": "foo.redacted.app",
					"port": "80",
					"addressesResolved": [
						"104.247.245.31",
						"2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
					],
					"addressUsed": "104.247.245.31"
				},
				{
					"url": "https://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
					"hostname": "foo.redacted.app",
					"port": "443",
					"addressesResolved": [
						"104.247.245.31",
						"2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
					],
					"addressUsed": "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
				}
			]
		}
	]
}

Regardless of who's at fault, it would be better if acme4j returned a Problem with one sub-problem per failed authorization. Agreed?
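
The aggregation shred proposes, written out as an added example (not acme4j code, and not a real CA response): it walks the authorization objects of an order, collects the error of every failed challenge as one subproblem tagged with the identifier it belongs to, and wraps them in a parent problem of the compound error type, which is the structure RFC 8555 Section 6.7.1 lays out for reporting several errors at once. The sample input is constructed here and modelled on the authorization posted above; the second failing host (bar.redacted.app) and the valid redacted.app entry are assumptions. It also covers the case reported above, where the order is invalid but carries no error of its own, by deriving the problem from the authorizations. Reporting a single failure directly instead of wrapping it is this example's choice, not the library's.

```python
import json

# Error type RFC 8555 (section 6.7) reserves for a problem that aggregates
# several specific errors in its "subproblems" array (section 6.7.1).
COMPOUND_TYPE = "urn:ietf:params:acme:error:compound"

# Constructed sample input, modelled on the authorization posted above.
# The order is invalid but has no "error" member, as reported in the thread.
# bar.redacted.app and the valid redacted.app entry are assumptions.
SAMPLE_ORDER = {"status": "invalid"}
SAMPLE_AUTHORIZATIONS = [
    {
        "identifier": {"type": "dns", "value": "foo.redacted.app"},
        "status": "invalid",
        "challenges": [{
            "type": "http-01",
            "status": "invalid",
            "error": {
                "type": "urn:ietf:params:acme:error:connection",
                "detail": "104.247.245.31: Fetching https://foo.redacted.app/"
                          ".well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo:"
                          " Connection refused",
                "status": 400,
            },
        }],
    },
    {
        "identifier": {"type": "dns", "value": "bar.redacted.app"},
        "status": "invalid",
        "challenges": [{
            "type": "http-01",
            "status": "invalid",
            "error": {
                "type": "urn:ietf:params:acme:error:unauthorized",
                "detail": "Invalid response from http://bar.redacted.app/"
                          ".well-known/acme-challenge/token: 404",
                "status": 403,
            },
        }],
    },
    {
        "identifier": {"type": "dns", "value": "redacted.app"},
        "status": "valid",
        "challenges": [{"type": "http-01", "status": "valid"}],
    },
]


def collect_subproblems(authorizations):
    """One problem per failed challenge, tagged with the identifier the
    authorization was for (the optional "identifier" member of a subproblem)."""
    subproblems = []
    for authz in authorizations:
        if authz.get("status") != "invalid":
            continue
        for challenge in authz.get("challenges", []):
            error = challenge.get("error")
            if error is None:
                continue
            sub = {"type": error["type"], "identifier": authz["identifier"]}
            if "detail" in error:
                sub["detail"] = error["detail"]
            subproblems.append(sub)
    return subproblems


def order_problem(order, authorizations):
    """Problem document to report for a failed order, or None if it did not fail.

    The CA's own order-level error wins. When the order is invalid but carries
    no error, synthesize one from the failed authorizations: a single failure
    is returned as is, several are wrapped in a compound parent whose
    subproblems hold the per-identifier errors (possibly empty if the CA
    reported nothing at all).
    """
    if "error" in order:
        return order["error"]
    if order.get("status") != "invalid":
        return None
    subproblems = collect_subproblems(authorizations)
    if len(subproblems) == 1:
        return subproblems[0]
    failed = ", ".join(sub["identifier"]["value"] for sub in subproblems)
    return {
        "type": COMPOUND_TYPE,
        "detail": f"{len(subproblems)} authorizations failed: {failed}",
        "subproblems": subproblems,
    }


def describe(problem):
    """Flatten a problem and its subproblems into one human-readable line each."""
    lines = [f"{problem['type']}: {problem.get('detail', '')}"]
    for sub in problem.get("subproblems", []):
        ident = sub.get("identifier", {}).get("value", "?")
        lines.append(f"  [{ident}] {sub['type']}: {sub.get('detail', '')}")
    return lines


if __name__ == "__main__":
    problem = order_problem(SAMPLE_ORDER, SAMPLE_AUTHORIZATIONS)
    print(json.dumps(problem, indent=2))
    print("\n".join(describe(problem)))
```

Keeping the identifier on each subproblem is what lets a caller map a failure back to the host it concerns; the parent's detail is only a summary, so the per-identifier entries are where a client should look to decide which challenge to retry.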
