
wfe: If JWS validation fails, retry without account cache

Opened by jprenken · 0 comments

After an ACME account's key is rolled over, WFE instances that have cached the account will continue to expect its old key until the cache entry has expired (currently 5s for Let's Encrypt).

We could avoid this by retrying the account lookup once, bypassing the cache, if JWS validation fails. I believe we could:

  • Add an argument to lookupJWK (either a bool or just a whole AccountGetter) that can instruct it to use wfe.sac instead of wfe.accountGetter.
  • Extend wfe2.validJWSForAccount: If validJWSForKey returns berrors.MalformedError("JWS verification error"), retry using that new argument to lookupJWK.

See #8124

jprenken, Apr 18 '25 03:04
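A sketch of the retry the issue proposes, added here as an illustration and not Boulder's code: `AccountGetter`, `validJWSForKey` and `validJWSForAccount` are stand-ins named after the functions the issue mentions, a detached ed25519 signature replaces real JWS parsing, and `staticGetter` stands in for `wfe.accountGetter` and `wfe.sac`. It shows the stale cached key failing, the single uncached retry succeeding, and the retry happening only on a verification error.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var errJWSVerification = errors.New("JWS verification error")

// AccountGetter mirrors the issue's lookup: the cached one may still return the pre-rollover key.
type AccountGetter func(accountID string) (ed25519.PublicKey, error)

// validJWSForKey stands in for the real JWS check: a detached ed25519 signature (not Boulder's code).
func validJWSForKey(key ed25519.PublicKey, payload, sig []byte) error {
	if !ed25519.Verify(key, payload, sig) {
		return errJWSVerification
	}
	return nil
}

// validJWSForAccount verifies with the cached key and, only on a verification error,
// retries once with the uncached getter. A signature matching neither key still fails.
func validJWSForAccount(cached, direct AccountGetter, id string, payload, sig []byte) (retried bool, err error) {
	key, err := cached(id)
	if err != nil {
		return false, err
	}
	if err = validJWSForKey(key, payload, sig); !errors.Is(err, errJWSVerification) {
		return false, err // nil on success, or a non-verification failure
	}
	if key, err = direct(id); err != nil {
		return true, err
	}
	return true, validJWSForKey(key, payload, sig)
}

// staticGetter is a constructed stand-in for the cache and storage lookups: one fixed key.
func staticGetter(k ed25519.PublicKey) AccountGetter {
	return func(string) (ed25519.PublicKey, error) { return k, nil }
}
// rolloverScenario (constructed input): cache holds the old key, storage the new, request signed with the new.
func rolloverScenario() (retried bool, err error) {
	oldPub, _, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte(`{"url":"https://acme.example/new-order"}`)
	return validJWSForAccount(staticGetter(oldPub), staticGetter(newPub), "acct-1", payload, ed25519.Sign(newPriv, payload))
}
func main() { fmt.Println(rolloverScenario()) }
```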