Fix wildcard authorization reuse with DNS-Account-01#14
Closed
Fix wildcard authorization reuse with DNS-Account-01#14
Conversation
The RA rejected wildcard authorizations with DNS-Account-01 challenges during reuse, though the PA offers DNS-Account-01 for wildcards. In ra.go:2244-2248, the NewOrder() validation only accepted DNS-01 for wildcards. This check predates DNS-Account-01 wildcard support (added after commit 52615d9). Changes: - Accept both DNS-01 and DNS-Account-01 for wildcard reuse - Split validation into two checks (count vs type) - Add TestNewOrderAuthzReuseDNSAccount01 unit test The bug only affected authorization reuse (not new authorizations), which is why existing tests using random domains didn't expose it.
Adds TestDNSAccount01WildcardAuthorizationReuse to verify that wildcard authorizations with DNS-Account-01 challenges can be reused correctly. The test: - Creates a wildcard order with DNS-Account-01 - Completes the challenge to get a valid authorization - Creates a second order for the same wildcard domain - Verifies the same authorization is reused (same URL) - Verifies the authorization is already valid (no re-validation) - Verifies the DNS-Account-01 challenge type is preserved This test fills a gap in Boulder's integration test coverage - no existing Go integration tests verify authorization reuse end-to-end.
Reverted to single combined check to maintain backward compatibility with existing test expectations. The fix still accepts both DNS-01 and DNS-Account-01 for wildcard authorization reuse, but uses the original generic error message format: "with invalid challenge(s)" This avoids needing to modify existing tests while still fixing the bug.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The RA rejected wildcard authorizations with DNS-Account-01 challenges during reuse. This fix accepts both DNS-01 and DNS-Account-01 for wildcard authorization reuse.
Root Cause
In
ra/ra.go:2244-2248, theNewOrder()validation only accepted DNS-01 for wildcards. This check was added in commit 52615d9 before DNS-Account-01 wildcard support existed.Changes
TestNewOrderAuthzReuseDNSAccount01unit testTestDNSAccount01WildcardAuthorizationReuseintegration testWhy Tests Missed This
The bug only affects authorization reuse, not new authorizations. Existing tests use random domains for each order, preventing reuse.
Test Coverage
Unit test:
TestNewOrderAuthzReuseDNSAccount01verifies the validation logic accepts DNS-Account-01Integration test:
TestDNSAccount01WildcardAuthorizationReuseverifies end-to-end authorization reuse:This is the first Go integration test to explicitly verify authorization reuse in Boulder.