Deactivate the order in case of failure in setChallenge(me, options, auth); #15

Closed
opened 2019-02-14 14:04:45 +00:00 by Ghost · 3 comments

When calling ACME._setChallenge(me, options, auth), there is a chance that the promise will be rejected.
In such a case the order should be deactivated; if it is not deactivated it will remain in status `pending`.

The fix can be something like this:

    return ACME._setChallenge(me, options, auth).then(respondToChallenge).catch(async (e) => {
        await deactivate();
        // rethrow the original error.
        throw e;
    });

Author

Another thing I found is that deactivation is not working. When acme-v2 calls deactivate it uses an incorrect URL.

The request for deactivating currently looks like this:

    var jws = me.RSA.signJws(
        options.accountKeypair
        , undefined
        , { nonce: me._nonce, alg: 'RS256', url: ch.url, kid: me._kid }
        , Buffer.from(JSON.stringify({ "status": "deactivated" }))
    );
    me._nonce = null;
    return me._request({
        method: 'POST'
        , url: ch.url
        , headers: { 'Content-Type': 'application/jose+json' }
        , json: jws
    })

It uses ch.url, which is the URL of the challenge. When it POSTs to that URL, Let's Encrypt thinks it should now validate the order, and the authorization moves to status invalid (the challenge was not satisfied) instead of deactivated.

The correct URL to use is the authorization URL, so the request should look like:

    var jws = me.RSA.signJws(
        options.accountKeypair
        , undefined
        , { nonce: me._nonce, alg: 'RS256', url: me._authorizations[0], kid: me._kid }
        , Buffer.from(JSON.stringify({ "status": "deactivated" }))
    );
    me._nonce = null;
    return me._request({
        method: 'POST'
        , url: me._authorizations[0]
        , headers: { 'Content-Type': 'application/jose+json' }
        , json: jws
    })
Owner

Thanks for digging into this. I haven't made this change yet, but I think we can make quick work of it since you've identified the problem so clearly.

Thank you very much.

Owner

Fixed in v3.

Reference: coolaj86/acme.js-ARCHIVED#15