BUG/MINOR: acme: key not restored upon error in acme_res_certificate()

When receiving the final certificate, it need to be loaded by
ssl_sock_load_pem_into_ckch(). However this function will remove any
existing private key in the struct ckch_store.

In order to fix the issue, the ptr to the key is swapped with a NULL
ptr, and restored once the new certificate is commited.

However, when ssl_sock_load_pem_into_ckch() fails, the error path does
not restore the pointer, and the key is lost.

This patch fixes the issue by restoring the pointer in the error path.

This must fix issue #2933.
William Lallemand 2025-04-14 10:44:24 +02:00
parent 4a44d592ae
commit 7a43094f8d


@ -636,7 +636,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg)
struct http_hdr *hdrs, *hdr;
struct buffer *t1 = NULL, *t2 = NULL;
int ret = 1;
EVP_PKEY *key;
EVP_PKEY *key = NULL;
hc = ctx->hc;
if (!hc)
@ -679,6 +679,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg)
/* restore the key */
ctx->store->data->key = key;
key = NULL;
if (acme_update_certificate(task, ctx, errmsg) != 0)
goto error;
@ -687,6 +688,8 @@ out:
ret = 0;
error:
if (key)
ctx->store->data->key = key;
free_trash_chunk(t1);
free_trash_chunk(t2);
httpclient_destroy(hc);
@ -1674,9 +1677,9 @@ retry:
int i;
for (i = 0; i < ACME_RETRY - ctx->retries; i++)
delay *= 3000;
delay *= 3;
ha_notice("acme: %s, retrying in %dms (%d/%d)...\n", errmsg ? errmsg : "", delay, ACME_RETRY-ctx->retries, ACME_RETRY);
task->expire = tick_add(now_ms, delay);
task->expire = tick_add(now_ms, delay * 1000);
} else {
ha_notice("acme: %s, aborting. (%d/%d)\n", errmsg ? errmsg : "", ACME_RETRY-ctx->retries, ACME_RETRY);
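Review bot: In the `retry:` hunk the ha_notice on the line before `task->expire` still prints `delay` with `%dms`, but after this change `delay` is only scaled by 1000 inside the `tick_add()` call, so the log reports a wait 1000x shorter than the one actually scheduled. Either scale once after the loop — `delay *= 1000;` and keep `task->expire = tick_add(now_ms, delay);` — or print `delay * 1000` in the notice, so the logged and scheduled values agree. Separately, the `error:` path now assigns `ctx->store->data->key = key;` unconditionally once `key` is non-NULL; this is correct only if the failed `ssl_sock_load_pem_into_ckch()` leaves `data->key` NULL, and if it can leave a partially loaded key there that object would be dropped without `EVP_PKEY_free()` — worth confirming against the loader, or freeing any existing `data->key` before restoring. Both the `retry:` hunk and the `error:` hunk sit inside functions whose start and end are outside the hunks.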