Skip to content

Improve handling of failed ACME account verifications#415

Closed
mkauf wants to merge 1 commit into
icing:masterfrom
mkauf:improve_account_verification
Closed

Improve handling of failed ACME account verifications#415
mkauf wants to merge 1 commit into
icing:masterfrom
mkauf:improve_account_verification

Conversation

@mkauf
Copy link
Copy Markdown
Contributor

@mkauf mkauf commented Mar 20, 2026

When saving the updated ACME account to the disk, don't set directory permissions if they are already correct. Setting directory permissions may fail if the Apache Server is not running as root anymore.

Avoid an endless loop if an ACME account cannot be verified.

Fixes #410

@mkauf
Improve handling of failed ACME account verifications
1e7716d 
When saving the updated ACME account to the disk, don't set directory
permissions if they are already correct. Setting directory permissions may
fail if the Apache Server is not running as root anymore.

Avoid an endless loop if an ACME account cannot be verified.

Fixes icing#410
@mkauf mkauf force-pushed the improve_account_verification branch from f7be1dc to 1e7716d Compare March 20, 2026 13:44
@mkauf
Copy link
Copy Markdown
Contributor Author

mkauf commented Apr 23, 2026

@icing I have tested this manually with a patched Pebble (see below). The updated ACME account status can now be saved to the disk properly.

The endless loop has become less likely with commit a628b6b. If you want, I can remove the endless loop prevention from this PR and create a separate PR for it.

Test patch for pebble:

diff --git a/acme/problems.go b/acme/problems.go
index 7ac8267..f6a5911 100644
--- a/acme/problems.go
+++ b/acme/problems.go
@@ -222,3 +222,9 @@ func AlreadyReplaced(detail string) *ProblemDetails {
                HTTPStatus: http.StatusConflict,
        }
 }
+
+func ForbiddenProblem(detail string) *ProblemDetails {
+       return &ProblemDetails{
+               HTTPStatus: http.StatusForbidden,
+       }
+}
diff --git a/wfe/wfe.go b/wfe/wfe.go
index 05c6d4c..e27c502 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -1084,15 +1084,7 @@ func (wfe *WebFrontEndImpl) UpdateAccount(
        // if this update contains no contacts or deactivated status,
        // simply return the existing account and return early.
        if updateAcctReq.Contact == nil && updateAcctReq.Status != acme.StatusDeactivated {
-               if !postData.postAsGet {
-                       wfe.sendError(acme.MalformedProblem("Use POST-as-GET to retrieve account data instead of doing an empty update"), response)
-                       return
-               }
-               err := wfe.writeJSONResponse(response, http.StatusOK, existingAcct)
-               if err != nil {
-                       wfe.sendError(acme.InternalErrorProblem("Error marshaling account"), response)
-                       return
-               }
+               wfe.sendError(acme.ForbiddenProblem("Test"), response)
                return
        }

@mkauf
Copy link
Copy Markdown
Contributor Author

mkauf commented May 21, 2026

I have split this pull request into #429 and #430.

@mkauf mkauf closed this May 21, 2026
@mkauf mkauf deleted the improve_account_verification branch May 21, 2026 07:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Saving account data fails when mod_md is not running as root anymore

1 participant

@mkauf