BUG/MINOR: acme: key not restored upon error in acme_res_certificate()

When receiving the final certificate, it need to be loaded by ssl_sock_load_pem_into_ckch(). However this function will remove any existing private key in the struct ckch_store. In order to fix the issue, the ptr to the key is swapped with a NULL ptr, and restored once the new certificate is commited. However there is a discrepancy when there is an error in ssl_sock_load_pem_into_ckch() fails and the pointer is lost. This patch fixes the issue by restoring the pointer in the error path. This must fix issue #2933.
2026-02-27 04:01:45 +01:00 · 2025-04-14 10:44:24 +02:00 · 2025-04-14 10:44:24 +02:00 · 7a43094f8d
commit 7a43094f8d
parent 4a44d592ae
1 changed files with 6 additions and 3 deletions
--- a/src/acme.c
+++ b/src/acme.c
@ -636,7 +636,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg)
 	struct http_hdr *hdrs, *hdr;
 	struct buffer *t1 = NULL, *t2 = NULL;
 	int ret = 1;
-	EVP_PKEY *key;
+	EVP_PKEY *key = NULL;

 	hc = ctx->hc;
 	if (!hc)
@ -679,6 +679,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg)

 	/* restore the key */
 	ctx->store->data->key = key;
+	key = NULL;

 	if (acme_update_certificate(task, ctx, errmsg) != 0)
 		goto error;
@ -687,6 +688,8 @@ out:
 	ret = 0;

 error:
+	if (key)
+		ctx->store->data->key = key;
 	free_trash_chunk(t1);
 	free_trash_chunk(t2);
 	httpclient_destroy(hc);
@ -1674,9 +1677,9 @@ retry:
 		int i;

 		for (i = 0; i < ACME_RETRY - ctx->retries; i++)
-			delay *= 3000;
+			delay *= 3;
 		ha_notice("acme: %s, retrying in %dms (%d/%d)...\n", errmsg ? errmsg : "", delay, ACME_RETRY-ctx->retries, ACME_RETRY);
-		task->expire = tick_add(now_ms, delay);
+		task->expire = tick_add(now_ms, delay * 1000);

 	} else {
 		ha_notice("acme: %s, aborting. (%d/%d)\n", errmsg ? errmsg : "", ACME_RETRY-ctx->retries, ACME_RETRY);