nginx / njs-acme

Nginx NJS module runtime to work with ACME providers like Let's Encrypt for automated, no-reload TLS certificate issuance and renewal.
Apache License 2.0

Error in cert reissue leaves mismatched cert/key #52

Status: Closed (zsteinkamp closed this issue 5 months ago)

zsteinkamp commented 5 months ago

Describe the bug

When renewing a cert, we generate a new key + CSR at the beginning of the process. The new .key immediately replaces the existing .key file. If there is a problem in communication with the ACME provider, then the system is left in a state with a new .key and an old .crt, which does not work. If the server is restarted in this state, then HTTPS does not work at all.

To reproduce

Steps to reproduce the behavior:

1) Add an invalid hostname (i.e. one that does not resolve) to the njs_acme_server_names variable.
2) Restart/reload nginx.
3) Observe njs-acme trying to request a new cert and receiving a failure notification from the ACME provider.
4) Observe that the .crt file is old, but the .key file is new, and that nginx no longer properly handles HTTPS requests due to the mismatch. (ls -l /etc/nginx/njs-acme/)

To fix the problem, the cert, key, and csr files need to be removed. njs-acme will then re-request the certs and all is well. For example, in the Docker container that this project builds, this needs to be run:

# The glob and brace expansion must happen inside the container, not on the host
# (docker compose exec runs the command without a shell), so run rm through a shell there:
docker compose exec nginx sh -c 'rm /etc/nginx/njs-acme/*.crt /etc/nginx/njs-acme/*.key /etc/nginx/njs-acme/*.csr'

Expected behavior

A failure in renewing a cert should emit an error in the logs, but not disturb the existing .crt/.key files and shared dict entries (if applicable).

Your environment

Running in docker compose up in the njs-acme repo.
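The two things a practitioner wants here are a check that spots the mismatched state the issue describes (old .crt next to a new .key) and a renewal flow that never touches the live pair until issuance has succeeded. The script below is an added example written for this issue; it is not njs-acme's own code (njs-acme runs inside nginx as njs, this is plain POSIX sh using the openssl CLI). It assumes the file layout from the issue, a directory holding <name>.crt, <name>.key and <name>.csr, and takes the issuance step as a caller-supplied hypothetical command that is given the staged CSR, key and output cert path and must exit non-zero on failure.

```shell
# Added example for njs-acme issue #52; not part of the project. Requires the
# openssl CLI. Layout assumed: $dir/<name>.crt, $dir/<name>.key, $dir/<name>.csr.
set -u

# Emit the SubjectPublicKeyInfo of a certificate / private key in PEM, so the
# two can be compared byte for byte. A mismatch is exactly the state nginx
# refuses to serve TLS from.
pubkey_of_cert() { openssl x509 -noout -pubkey -in "$1"; }
pubkey_of_key()  { openssl pkey -pubout -in "$1"; }

# check_pair CERT KEY: returns 0 when the key belongs to the cert, 1 otherwise.
# Run this at startup or after a failed renewal to detect the broken state.
check_pair() {
    cert="$1"; key="$2"
    [ "$(pubkey_of_cert "$cert")" = "$(pubkey_of_key "$key")" ]
}

# renew_safely DIR NAME ISSUE_CMD: generate the new key and CSR in a staging
# directory, call ISSUE_CMD (hypothetical: "ISSUE_CMD csr key out.crt", must
# fail non-zero when the ACME exchange fails) and only then swap the live
# files. On any failure the existing .crt/.key are left exactly as they were.
renew_safely() {
    dir="$1"; name="$2"; issue_cmd="$3"
    stage=$(mktemp -d "${dir}/.renew.XXXXXX") || return 1

    # New key + CSR land in the staging dir, never over the live .key.
    if ! openssl req -new -newkey rsa:2048 -nodes -subj "/CN=${name}" \
            -keyout "${stage}/${name}.key" -out "${stage}/${name}.csr" 2>/dev/null; then
        rm -rf "$stage"; return 1
    fi

    # Talk to the issuer. The problem in the issue happens here; the fix is that
    # nothing live has been modified yet when this fails.
    if ! $issue_cmd "${stage}/${name}.csr" "${stage}/${name}.key" "${stage}/${name}.crt"; then
        echo "renewal of ${name} failed; keeping existing cert/key" >&2
        rm -rf "$stage"; return 1
    fi

    # Refuse to install a pair that does not match, whatever the issuer returned.
    if ! check_pair "${stage}/${name}.crt" "${stage}/${name}.key"; then
        echo "issuer returned a cert that does not match the staged key" >&2
        rm -rf "$stage"; return 1
    fi

    # Commit: renames are atomic per file; the key goes last so a crash between
    # the two leaves the old key with the old cert rather than a new key alone.
    mv -f "${stage}/${name}.csr" "${dir}/${name}.csr"
    mv -f "${stage}/${name}.crt" "${dir}/${name}.crt"
    mv -f "${stage}/${name}.key" "${dir}/${name}.key"
    rm -rf "$stage"
}
```

The commit step is still two renames, so a crash between them can leave a new .crt with the old .key; if that window matters, install both files into a versioned directory and switch a single symlink instead. The same ordering applies to any shared-dict entries njs-acme keeps: write them only after the cert is in hand.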