Retry with new account if account disappeared remotely

mholt · mholt · commit 5f87aeac2983 · 2024-02-12T14:06:03.000-07:00
diff --git a/account.go b/account.go
@@ -171,6 +171,16 @@ func (am *ACMEIssuer) saveAccount(ctx context.Context, ca string, account acme.A
 	return storeTx(ctx, am.config.Storage, all)
 }
 
+// deleteAccountLocally deletes the registration info and private key of the account
+// for the given CA from storage.
+func (am *ACMEIssuer) deleteAccountLocally(ctx context.Context, ca string, account acme.Account) error {
+	primaryContact := getPrimaryContact(account)
+	if err := am.config.Storage.Delete(ctx, am.storageKeyUserReg(ca, primaryContact)); err != nil {
+		return err
+	}
+	return am.config.Storage.Delete(ctx, am.storageKeyUserPrivateKey(ca, primaryContact))
+}
+
 // setEmail does everything it can to obtain an email address
 // from the user within the scope of memory and storage to use
 // for ACME TLS. If it cannot get an email address, it does nothing
diff --git a/acmeissuer.go b/acmeissuer.go
@@ -393,12 +393,35 @@ func (am *ACMEIssuer) doIssue(ctx context.Context, csr *x509.CertificateRequest,
 		}
 	}
 
-	certChains, err := client.acmeClient.ObtainCertificateUsingCSR(ctx, client.account, csr)
-	if err != nil {
-		return nil, usingTestCA, fmt.Errorf("%v %w (ca=%s)", nameSet, err, client.acmeClient.Directory)
-	}
-	if len(certChains) == 0 {
-		return nil, usingTestCA, fmt.Errorf("no certificate chains")
+	// do this in a loop because there's an error case that may necessitate a retry, but not more than once
+	var certChains []acme.Certificate
+	for i := 0; i < 2; i++ {
+		certChains, err = client.acmeClient.ObtainCertificateUsingCSR(ctx, client.account, csr)
+		if err != nil {
+			var prob acme.Problem
+			if errors.As(err, &prob) && prob.Type == acme.ProblemTypeAccountDoesNotExist {
+				// the account we have no longer exists on the CA, so we need to create a new one;
+				// we could use the same key pair, but this is a good opportunity to rotate keys
+				// (see https://caddy.community/t/acme-account-is-not-regenerated-when-acme-server-gets-reinstalled/22627)
+				// (basically this happens if the CA gets reset or reinstalled; usually just internal PKI)
+				err := am.deleteAccountLocally(ctx, client.iss.CA, client.account)
+				if err != nil {
+					return nil, usingTestCA, fmt.Errorf("%v ACME account no longer exists on CA, but resetting our local copy of the account info failed: %v", nameSet, err)
+				}
+
+				// recreate account and try again
+				client, err = am.newACMEClientWithAccount(ctx, useTestCA, false)
+				if err != nil {
+					return nil, false, err
+				}
+				continue
+			}
+			return nil, usingTestCA, fmt.Errorf("%v %w (ca=%s)", nameSet, err, client.acmeClient.Directory)
+		}
+		if len(certChains) == 0 {
+			return nil, usingTestCA, fmt.Errorf("no certificate chains")
+		}
+		break
 	}
 
 	preferredChain := am.selectPreferredChain(certChains)
