caddyserver / certmagic

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
https://pkg.go.dev/github.com/caddyserver/certmagic?tab=doc
Apache License 2.0

Looking for cause and solution to "config returned for certificate is not nil and points to different cache" error returned in cache.go #292

Closed bbct closed 4 months ago

bbct commented 4 months ago

What is your question?

I've built and installed the acme-dns product, which utilizes your library. I did run it first using sudo (as root) from its original build location, but then followed the instructions to create a systemctl service (perhaps this has something to do with the issue).

When I run it as a service, I get the following in the log file: unable to get configuration to manage certificate; unable to renew with the reason being "config returned for certificate [] is not nil and points to different cache; got 0xc0000b1b20, expected 0xc0000b1c00 (this one)"

I see this error is generated at line 372 of certmagic/cache.go. However, it is unclear to me what exactly might be the cause of this (why would it be expecting one value but get the other).

What have you already tried?

I have not reviewed the acme-dns code yet. I'm hoping any response explaining what this error means will lead me in the right direction to discovering the cause/solution to this problem.

Include any other information or discussion.

Bonus: What do you use this package for, and does it help you?

acme-dns has an https based API, and it needs to be secured with a valid cert. One option is to use LetsEncrypt, and when selected, it appears to be using your certmagic library to maintain it. It created the cert no problem the first time I ran it, and the cert is in use. But it seems that maintaining it could be an issue given this error. Thanks.

mholt commented 4 months ago

When the cache is maintaining its certificates, it has to get the config for the certificate it is maintaining. The cache has to be provided with a "GetConfigForCert" function that can do this. The reason it's a function instead of a static field is that the way a certificate is managed can change over time, since certs can be loaded long-term into memory, and the way it is to be managed can be changed from the time it loads to when it is maintained, potentially months later.

Anyway, if that loaded config doesn't reference the same cache, then there's a problem. The caller is probably creating multiple caches and confusing/conflating configs across them.

Sounds like a bug that acme-dns will need to address, or whatever is calling CertMagic.

Closing, since there's nothing actionable here, but we can reopen if there's shown to be a bug in CM.
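The invariant described above, as an added example that is not part of this thread and not certmagic's own code: a small self-contained Go model of a cache whose GetConfigForCert callback is consulted at maintenance time, with the pointer-identity check that produces the "points to different cache" error. The types `Cache`, `Config`, `Certificate`, the helpers `NewCache`, `NewConfig`, `Load`, `Maintain`, and the two wiring functions `wireBroken` and `wireCorrect` are this example's own simplifications; the real library entry points are `certmagic.NewCache(certmagic.CacheOptions{GetConfigForCert: ...})` and `certmagic.New(cache, certmagic.Config{...})`, which bind a config to exactly one cache in the same way.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrDifferentCache is the condition the issue reports: the config handed back
// for a certificate was created for some other cache.
var ErrDifferentCache = errors.New("config points to different cache")

// Certificate stands in for a cached TLS certificate; only its names matter here.
type Certificate struct {
	Names []string
}

// Config stands in for certmagic's Config (the policy used to manage a cert).
// It remembers the one Cache it was created for.
type Config struct {
	Email     string
	certCache *Cache
}

// Cache stands in for certmagic's Cache: it holds certificates and a
// GetConfigForCert callback that is asked, at maintenance time, which
// Config governs each certificate.
type Cache struct {
	GetConfigForCert func(Certificate) (*Config, error)
	certs            []Certificate
}

// NewCache mirrors the shape of certmagic.NewCache (simplified model).
func NewCache(getConfig func(Certificate) (*Config, error)) *Cache {
	return &Cache{GetConfigForCert: getConfig}
}

// NewConfig mirrors the shape of certmagic.New: the config is bound to one cache.
func NewConfig(cache *Cache, cfg Config) *Config {
	cfg.certCache = cache
	return &cfg
}

// Load adds a certificate to the cache (stand-in for the real loading path).
func (c *Cache) Load(cert Certificate) { c.certs = append(c.certs, cert) }

// configForCert performs the check behind the error in the issue: the config
// returned for a certificate must point back to this very cache, otherwise the
// renewal decision the cache makes may not match the policy the caller intends.
func (c *Cache) configForCert(cert Certificate) (*Config, error) {
	if c.GetConfigForCert == nil {
		return nil, errors.New("no GetConfigForCert function provided")
	}
	cfg, err := c.GetConfigForCert(cert)
	if err != nil {
		return nil, err
	}
	if cfg == nil {
		return nil, fmt.Errorf("no config returned for certificate %v", cert.Names)
	}
	if cfg.certCache != c {
		return nil, fmt.Errorf("config returned for certificate %v is not nil and %w; got %p, expected %p (this one)",
			cert.Names, ErrDifferentCache, cfg.certCache, c)
	}
	return cfg, nil
}

// Maintain resolves the config for every cached certificate and returns the
// first failure; a real maintainer would go on to renew certs here.
func (c *Cache) Maintain() error {
	for _, cert := range c.certs {
		if _, err := c.configForCert(cert); err != nil {
			return fmt.Errorf("unable to get configuration to manage certificate: %w", err)
		}
	}
	return nil
}

// wireBroken reproduces the misconfiguration the comment describes: a Config
// is created against one cache, but the same lookup serves it to a second cache.
func wireBroken() error {
	var shared *Config
	lookup := func(Certificate) (*Config, error) { return shared, nil }
	cacheA := NewCache(lookup)
	shared = NewConfig(cacheA, Config{Email: "admin@example.invalid"}) // constructed value
	cacheB := NewCache(lookup)                                          // second cache, same lookup
	cacheB.Load(Certificate{Names: []string{"api.example.invalid"}})    // constructed value
	return cacheB.Maintain()
}

// wireCorrect is the fix: one cache, and every Config the callback hands out
// was created for that same cache.
func wireCorrect() error {
	var cfg *Config
	cache := NewCache(func(Certificate) (*Config, error) { return cfg, nil })
	cfg = NewConfig(cache, Config{Email: "admin@example.invalid"}) // constructed value
	cache.Load(Certificate{Names: []string{"api.example.invalid"}}) // constructed value
	return cache.Maintain()
}

func main() {
	fmt.Println("broken wiring:", wireBroken())
	fmt.Println("correct wiring:", wireCorrect())
}
```

Running it prints the same "is not nil and points to different cache; got 0x..., expected 0x... (this one)" shape for the broken wiring and `<nil>` for the correct one. The practical takeaway for a caller is that a process should create its cache once and derive every Config from it; constructing a fresh cache per request or per reload while reusing configs from an earlier cache is exactly what trips the check.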

bbct commented 4 months ago

I'm closing this issue - sorry to bother you. I found that the issue is known in acme-dns (see https://github.com/joohoi/acme-dns/issues/337)

There is a fix available there, not committed to the master yet, but working on it.

mholt commented 4 months ago

Okay, excellent. Thanks!