Retry without 'replaces' field when appropriate (#50)

oliverpool · web-flow · commit ddffee86f127 · 2026-02-12T09:36:45.000-07:00
* test: add replace test * Retry without replaces-field when appropriate Fixes caddyserver/certmagic#361
diff --git a/acme/problem.go b/acme/problem.go
@@ -133,6 +133,7 @@ const (
 	ProblemTypeNamespace = "urn:ietf:params:acme:error:"
 
 	ProblemTypeAccountDoesNotExist     = ProblemTypeNamespace + "accountDoesNotExist"
+	ProblemTypeAlreadyReplaced         = ProblemTypeNamespace + "alreadyReplaced"
 	ProblemTypeAlreadyRevoked          = ProblemTypeNamespace + "alreadyRevoked"
 	ProblemTypeBadCSR                  = ProblemTypeNamespace + "badCSR"
 	ProblemTypeBadNonce                = ProblemTypeNamespace + "badNonce"
diff --git a/client.go b/client.go
@@ -133,6 +133,15 @@ func (c *Client) ObtainCertificate(ctx context.Context, params OrderParameters)
 		// create order for a new certificate
 		order, err = c.Client.NewOrder(ctx, params.Account, order)
 		if err != nil {
+			var problem acme.Problem
+			if errors.As(err, &problem) {
+				if problem.Type == acme.ProblemTypeAlreadyReplaced && order.Replaces != "" {
+					// retry without replace
+					// https://github.com/caddyserver/certmagic/issues/361
+					order.Replaces = ""
+					continue
+				}
+			}
 			return nil, fmt.Errorf("creating new order: %w", err)
 		}
 
diff --git a/go.mod b/go.mod
@@ -1,12 +1,21 @@
 module github.com/mholt/acmez/v3
 
-go 1.21.0
-
-toolchain go1.23.1
+go 1.24.0
 
 require (
-	golang.org/x/crypto v0.27.0
-	golang.org/x/net v0.29.0
+	code.pfad.fr/check v1.1.0
+	github.com/letsencrypt/pebble/v2 v2.9.1-0.20260116233549-fcc2230629f9
+	golang.org/x/crypto v0.38.0
+	golang.org/x/net v0.40.0
 )
 
-require golang.org/x/text v0.18.0 // indirect
+require (
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/letsencrypt/challtestsrv v1.3.2 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -1,6 +1,36 @@
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
+code.pfad.fr/check v1.1.0/go.mod h1:NiUH13DtYsb7xp5wll0U4SXx7KhXQVCtRgdC96IPfoM=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/letsencrypt/challtestsrv v1.3.2 h1:pIDLBCLXR3B1DLmOmkkqg29qVa7DDozBnsOpL9PxmAY=
+github.com/letsencrypt/challtestsrv v1.3.2/go.mod h1:Ur4e4FvELUXLGhkMztHOsPIsvGxD/kzSJninOrkM+zc=
+github.com/letsencrypt/pebble/v2 v2.9.0 h1:xlgphcCRBNUfBi8Gh3ZKbB4mujCr96JWUGvfk2jkJLA=
+github.com/letsencrypt/pebble/v2 v2.9.0/go.mod h1:+ShT/VIcv1/Z2APBfYhLrtIwIl+fU2AUDFk49pXf63Q=
+github.com/letsencrypt/pebble/v2 v2.9.1-0.20260116233549-fcc2230629f9 h1:L8Ck0oH2tzZfe0lyHfF2Nnufw4oJKbgzze+KQVEDu/E=
+github.com/letsencrypt/pebble/v2 v2.9.1-0.20260116233549-fcc2230629f9/go.mod h1:+ShT/VIcv1/Z2APBfYhLrtIwIl+fU2AUDFk49pXf63Q=
+github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
+github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
diff --git a/pebble_test.go b/pebble_test.go
@@ -0,0 +1,167 @@
+// Copyright 2026 oliverpool
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package acmez_test
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"io"
+	"log"
+	"log/slog"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"sync/atomic"
+	"testing"
+
+	"code.pfad.fr/check"
+	"github.com/letsencrypt/pebble/v2/ca"
+	"github.com/letsencrypt/pebble/v2/db"
+	"github.com/letsencrypt/pebble/v2/va"
+	"github.com/letsencrypt/pebble/v2/wfe"
+	"github.com/mholt/acmez/v3"
+	"github.com/mholt/acmez/v3/acme"
+)
+
+func newHttpSolver(t *testing.T) (port int, solver acmez.Solver) {
+	hsolver := &httpSolver{}
+	s := httptest.NewServer(hsolver)
+	t.Cleanup(s.Close)
+
+	hostPort := s.Listener.Addr().String()
+	_, sport, err := net.SplitHostPort(hostPort)
+	check.Equal(t, nil, err)
+	port, err = strconv.Atoi(sport)
+	check.Equal(t, nil, err)
+
+	return port, hsolver
+}
+
+type httpSolver struct {
+	challenge atomic.Pointer[acme.Challenge]
+}
+
+// ServeHTTP implements http.Handler.
+func (h *httpSolver) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	chal := h.challenge.Load()
+	if chal == nil || r.URL.Path != chal.HTTP01ResourcePath() || r.Method != http.MethodGet {
+		http.NotFound(w, r)
+		return
+	}
+	w.Header().Add("Content-Type", "text/plain")
+	w.Write([]byte(chal.KeyAuthorization))
+}
+
+// Present implements Solver.
+func (h *httpSolver) Present(ctx context.Context, chal acme.Challenge) error {
+	h.challenge.Store(&chal)
+	return nil
+}
+
+// CleanUp implements Solver.
+func (h *httpSolver) CleanUp(context.Context, acme.Challenge) error {
+	h.challenge.Store(nil)
+	return nil
+}
+
+func TestAlreadyReplaced(t *testing.T) {
+	solverPort, solver := newHttpSolver(t)
+	client := newAcmeClient(t, solverPort, 0)
+	c := acmez.Client{
+		Client: client,
+		ChallengeSolvers: map[string]acmez.Solver{
+			"http-01": solver,
+		},
+	}
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	check.Equal(t, nil, err)
+	account, err := c.NewAccount(t.Context(), acme.Account{
+		TermsOfServiceAgreed: true,
+		PrivateKey:           privateKey,
+	})
+	check.Equal(t, nil, err)
+
+	certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	check.Equal(t, nil, err)
+	sans := []string{"127.0.0.1"}
+
+	// initial cert
+	initialCerts, err := c.ObtainCertificateForSANs(t.Context(), account, certKey, sans)
+	check.Equal(t, nil, err)
+	block, _ := pem.Decode(initialCerts[0].ChainPEM)
+	toReplace, err := x509.ParseCertificate(block.Bytes)
+	check.Equal(t, nil, err)
+
+	{
+		// initial relacement
+		csr, err := acmez.NewCSR(certKey, sans)
+		check.Equal(t, nil, err)
+		params, err := acmez.OrderParametersFromCSR(account, csr)
+		check.Equal(t, nil, err)
+		params.Replaces = toReplace
+		_, err = c.ObtainCertificate(t.Context(), params)
+		check.Equal(t, nil, err)
+	}
+
+	{
+		// second replacement (of the same certificate)
+		csr, err := acmez.NewCSR(certKey, sans)
+		check.Equal(t, nil, err)
+		params, err := acmez.OrderParametersFromCSR(account, csr)
+		check.Equal(t, nil, err)
+		params.Replaces = toReplace
+		_, err = c.ObtainCertificate(t.Context(), params)
+		check.Equal(t, nil, err)
+	}
+}
+
+func newAcmeClient(t *testing.T, httpPort, tlsPort int) *acme.Client {
+	s := newPebbleServer(t, httpPort, tlsPort)
+	return &acme.Client{
+		Directory:  s.URL + wfe.DirectoryPath,
+		HTTPClient: s.Client(),
+		// Logger: slog.New(slog.NewTextHandler(t.Output(), nil)),
+		Logger: slog.New(slog.NewTextHandler(io.Discard, nil)),
+	}
+}
+
+func newPebbleServer(t *testing.T, httpPort, tlsPort int) *httptest.Server {
+	t.Setenv("PEBBLE_VA_NOSLEEP", "1") // https://github.com/letsencrypt/pebble/blob/23ab0beb482ac4760d7f3064141128a74d0d9430/va/va.go#L51
+	// logger := log.New(t.Output(), "test", log.Llongfile)
+	logger := log.New(io.Discard, "test", log.Llongfile)
+	db := db.NewMemoryStore()
+	keyAlg := "rsa"
+	alternateRoots := 0
+	chainLength := 1
+	profiles := map[string]ca.Profile{
+		"default": {
+			Description:    "The default profile",
+			ValidityPeriod: 0, // Will be overridden by the CA's default
+		},
+	}
+	ca := ca.New(logger, db, "", keyAlg, alternateRoots, chainLength, profiles)
+	va := va.New(logger, httpPort, tlsPort, true, "", db)
+	wfeImpl := wfe.New(logger, db, va, ca, true, false, 0, 0)
+
+	s := httptest.NewUnstartedServer(wfeImpl.Handler())
+	s.StartTLS()
+	t.Cleanup(s.Close)
+	return s
+}
