
Renewals don't handle empty Le_Keylength values properly

Open cboylan opened this issue 3 years ago • 2 comments

Steps to reproduce

Run an acme.sh --issue (our setup uses DNS and we do an issue even when renewing to get the DNS shared token record which we add to DNS then run acme.sh --renew after verification) against a key that already exists as part of the renewal process. This fails because it tries to create the domain key even though it exists. Upon further inspection this appears to happen because issue() is called with $_key_length set to $DEFAULT_DOMAIN_KEY_LENGTH which is 2048 but the Le_Keylength retrieved here https://github.com/acmesh-official/acme.sh/blob/dev/acme.sh#L4409 is an empty string. This causes the $_key_length != $_keycheck to trip and call createDomainKey(). This call fails because we have not passed in the --force flag.

I believe this problem was introduced by 64847afc3ff8cfe214aca7db7f793d96bee95e5e. I also believe this problem exists when calling acme.sh --renew as renew() converts an empty Le_Keylength to 2048 before calling issue(). There is another issue with renew() where it doesn't seem to fetch Le_Keylength from the config file first, which means it is always an empty value overridden to 2048.

To fix these issues I believe that issue() needs to convert an empty Le_Keylength to 2048 before doing the createDomainKey checks. We also need to fetch Le_Keylength from the config file in renew() before passing the information to issue().

I will create a PR that does this.

Debug log

acme.sh --server letsencrypt --cert-home /etc/letsencrypt-certs --no-color --yes-I-know-dns-manual-mode-enough-go-ahead-please --issue --dns --challenge-alias acme.ourdomain.tld

[Tue May 10 04:10:27 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue May 10 04:10:27 UTC 2022] Creating domain key
[Tue May 10 04:10:27 UTC 2022] Domain key exists, do you want to overwrite the key?
[Tue May 10 04:10:27 UTC 2022] Add '--force', and try again.
[Tue May 10 04:10:27 UTC 2022] Create domain key error.
[Tue May 10 04:10:27 UTC 2022] Please add '--debug' or '--log' to check more details.
[Tue May 10 04:10:27 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

cboylan avatar May 10 '22 17:05 cboylan
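The comparison described in the report, modelled as an added example (not acme.sh's own code): a stored Le_Keylength that is empty is compared verbatim against the requested length, so the check reports a mismatch and tries to create a key that already exists. The helper names (read_conf_value, buggy_key_action, fixed_key_action) are hypothetical, the config line format Le_Keylength='2048' is an assumption, and the three config strings are constructed samples. The fixed variant normalises an empty stored or requested value to the default before comparing, which is the change the report proposes for issue(); the same read-then-normalise step is what renew() would need before handing the value to issue().

```shell
#!/bin/sh
# Added example, not acme.sh's own code. Helper names are hypothetical and the
# config line format Le_Keylength='2048' is an assumption.

DEFAULT_DOMAIN_KEY_LENGTH=2048

# Constructed sample configs: one saved without a Le_Keylength entry,
# one with an explicit RSA length, one with an EC curve.
CONF_NO_LENGTH="Le_Domain='example.com'
Le_Alt='no'"
CONF_RSA="Le_Domain='example.com'
Le_Keylength='2048'"
CONF_EC="Le_Domain='example.com'
Le_Keylength='ec-256'"

# Print the single-quoted value of key $2 from config text $1; prints nothing
# when the key is absent, which is how an empty Le_Keylength arises.
read_conf_value() {
  printf '%s\n' "$1" | sed -n "s/^$2='\(.*\)'\$/\1/p"
}

# Buggy check: requested length $1 is compared verbatim with the stored value,
# so "" != "2048" and a fresh key is requested (refused without --force).
buggy_key_action() {
  _key_length="$1"
  _keycheck=$(read_conf_value "$2" Le_Keylength)
  if [ "$_key_length" != "$_keycheck" ]; then echo create; else echo reuse; fi
}

# Fixed check: an empty stored or requested length means "the default",
# so both sides are normalised before the comparison.
fixed_key_action() {
  _key_length="$1"
  _keycheck=$(read_conf_value "$2" Le_Keylength)
  [ -z "$_keycheck" ] && _keycheck="$DEFAULT_DOMAIN_KEY_LENGTH"
  [ -z "$_key_length" ] && _key_length="$DEFAULT_DOMAIN_KEY_LENGTH"
  if [ "$_key_length" != "$_keycheck" ]; then echo create; else echo reuse; fi
}

# Walk the three constructed configs with a 2048-bit request.
for conf in "$CONF_NO_LENGTH" "$CONF_RSA" "$CONF_EC"; do
  printf 'buggy=%s fixed=%s\n' \
    "$(buggy_key_action 2048 "$conf")" "$(fixed_key_action 2048 "$conf")"
done
```

Only the first config differs between the two checks: the buggy version wants to create a key over the existing one, the fixed version reuses it. A genuinely different stored length (the EC config) still triggers key creation in both, which is the behaviour the check exists for.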

As a workaround to this I think you can manually edit the key config file to set Le_Keylength to "2048". Neither the workaround nor the PR has been tested locally as I'm not quite sure how to update our config management to express those changes yet.

cboylan avatar May 10 '22 17:05 cboylan

thanks, merged.

Neilpang avatar May 11 '22 01:05 Neilpang