
HTTP 409 "Conflict" when the certificate identified by 'replaces' has already been replaced

Open vmihailenco opened this issue 1 month ago • 4 comments

What version of the package are you using?

v0.25.0

What are you trying to do?

I've been hit by https://github.com/ietf-wg-acme/acme-ari/issues/56. I see the comment on the thread indicating that nothing can be done on the client, but the error message indicates otherwise and there are PRs like this.

What steps did you take?

I had to manually remove existing certificates from the storage to let the renewal proceed.

What did you expect to happen, and what actually happened instead?

The certificate must be renewed. Instead, the certificate expired and could not be renewed.

How do you think this should be fixed?

Either https://github.com/go-acme/lego/pull/2475/files or just deleting broken certificates from the storage.

Please link to any related issues, pull requests, and/or discussion

https://github.com/ietf-wg-acme/acme-ari/issues/56 https://github.com/go-acme/lego/pull

Bonus: What do you use CertMagic for, and do you find it useful?

👍

vmihailenco avatar Nov 27 '25 07:11 vmihailenco

Can confirm that we are hitting the same issue

zllovesuki avatar Nov 28 '25 04:11 zllovesuki

Interesting... here's our logic regarding that:

	// Notify the ACME server we are replacing a certificate (if the caller says we are),
	// only if the following conditions are met:
	// - The caller has set a Replaces value in the context, indicating this is a renewal.
	// - Not using test CA. This should be obvious, but a test CA should be in a separate
	// environment from production, and thus not have knowledge of the cert being replaced.
	// - Not a certain attempt number. We skip setting Replaces once early on in the retries
	// in case the reason the order is failing is only because there is a state inconsistency
	// between client and server or some sort of bookkeeping error with regards to the certID
	// and the server is rejecting the ARI certID. In any case, an invalid certID may cause
	// orders to fail. So try once without setting it.
	if !am.config.DisableARI && !usingTestCA && attempts != 2 {
		if replacing, ok := ctx.Value(ctxKeyARIReplaces).(*x509.Certificate); ok {
			params.Replaces = replacing
		}
	}

In other words, on the 3rd attempt we try to get the certificate without "replaces" specified. Do you have the debug logs I can examine to verify that this is actually the problem, and not something else?

mholt avatar Dec 04 '25 04:12 mholt
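The retry logic quoted above, modelled as an added example (this is not CertMagic's code and not from anyone in the thread). It assumes a hypothetical `orderParams` struct, a constructed in-memory `fakeCA` that answers with the 409 "alreadyReplaced" problem whenever it has already recorded the given certID, and an attempt counter starting at 0, so that `attempt != 2` skips the third try as the comment says. It contrasts two ways of handling the 409: the fixed skip on attempt 2 from the quoted snippet, and a reactive variant that drops `Replaces` on the next attempt as soon as the server reports the conflict.

```go
package main

import (
	"errors"
	"fmt"
)

// orderParams holds the one ACME new-order field this example cares about
// (hypothetical struct standing in for the real order parameters).
type orderParams struct {
	Replaces string // ARI certID of the certificate being renewed; "" means not sent
}

// errAlreadyReplaced is a constructed stand-in for the server's HTTP 409 "alreadyReplaced" problem.
var errAlreadyReplaced = errors.New("409 Conflict: certificate identified by 'replaces' has already been replaced")

// fakeCA is a constructed ACME server that remembers which certIDs it has already seen replaced.
type fakeCA struct{ replaced map[string]bool }

func (ca *fakeCA) newOrder(p orderParams) error {
	if p.Replaces == "" {
		return nil // an order without "replaces" is always accepted here
	}
	if ca.replaced[p.Replaces] {
		return errAlreadyReplaced
	}
	ca.replaced[p.Replaces] = true
	return nil
}

// shouldSetReplaces mirrors the condition in the quoted snippet. The attempt counter is
// assumed to start at 0, so attempt 2 is the third try ("3rd attempt" in the thread).
func shouldSetReplaces(disableARI, usingTestCA bool, attempt int, certID string) bool {
	return !disableARI && !usingTestCA && attempt != 2 && certID != ""
}

// renewFixedSkip retries up to maxAttempts times and omits Replaces only on attempt 2.
// It returns the 0-based attempt that succeeded (-1 if none), the Replaces value sent on
// each attempt, and the last error.
func renewFixedSkip(ca *fakeCA, certID string, maxAttempts int) (int, []string, error) {
	var sent []string
	var err error
	for attempt := 0; attempt < maxAttempts; attempt++ {
		var p orderParams
		if shouldSetReplaces(false, false, attempt, certID) {
			p.Replaces = certID
		}
		sent = append(sent, p.Replaces)
		if err = ca.newOrder(p); err == nil {
			return attempt, sent, nil
		}
	}
	return -1, sent, err
}

// renewReactive is the alternative strategy: keep sending Replaces, but as soon as the
// server answers with the 409 "alreadyReplaced" problem, drop it on the very next attempt.
func renewReactive(ca *fakeCA, certID string, maxAttempts int) (int, []string, error) {
	var sent []string
	var err error
	replaces := certID
	for attempt := 0; attempt < maxAttempts; attempt++ {
		sent = append(sent, replaces)
		if err = ca.newOrder(orderParams{Replaces: replaces}); err == nil {
			return attempt, sent, nil
		}
		if errors.Is(err, errAlreadyReplaced) {
			replaces = "" // stale ARI bookkeeping: renew without the hint
		}
	}
	return -1, sent, err
}

// staleCA builds a CA whose records already show certID as replaced, i.e. the state
// that produces the 409 reported in this issue.
func staleCA(certID string) *fakeCA {
	return &fakeCA{replaced: map[string]bool{certID: true}}
}

func main() {
	const certID = "AKI-base64url.SERIAL-base64url" // constructed placeholder certID

	n, sent, err := renewFixedSkip(staleCA(certID), certID, 5)
	fmt.Printf("fixed skip, 5 attempts: ok on attempt %d, sent=%q, err=%v\n", n, sent, err)

	n, sent, err = renewFixedSkip(staleCA(certID), certID, 2)
	fmt.Printf("fixed skip, 2 attempts: ok on attempt %d, sent=%q, err=%v\n", n, sent, err)

	n, sent, err = renewReactive(staleCA(certID), certID, 5)
	fmt.Printf("reactive, 5 attempts:   ok on attempt %d, sent=%q, err=%v\n", n, sent, err)
}
```

With the fixed skip the renewal only goes through if the retry loop actually reaches attempt 2, so a run that gives up after two tries never sends an order without `Replaces`; the reactive variant recovers on the attempt immediately after the 409, regardless of how many retries remain. Either way the full debug log of the attempts is what shows which branch was taken.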

I don’t have the logs anymore, but as far as I remember there were no indications that CertMagic was performing retries — for example, there were no messages like “retry #123” in the logs.

And I can easily imagine why a single retry without replaces might fail...

vmihailenco avatar Dec 06 '25 08:12 vmihailenco

That seems very unlikely; CertMagic has retries built in if there are any errors. I would need to see the (full) logs in order to fix this if there's a bug.

mholt avatar Dec 08 '25 16:12 mholt