Page MenuHomePhabricator

LE rejects issuing two certificates with the same CSR on a short timespan
Closed, ResolvedPublic

Description

We've seen that LetsEncrypt rejects issuing two different certificates for the same CSR under the same account even if the private key for the certificate is different.

I've been able to trigger this manually here: https://phabricator.wikimedia.org/P7711:

  1. A new certificate for pinkunicorn / ec-prime256v1 is requested in line 8
  2. in line 16 shows that the certificate has been issued as expected
  3. in line 17 requests a new certificate with a new private key (https://github.com/wikimedia/certcentral/blob/master/certcentral/certcentral.py#L393-L395) for pink unicorn / ec-prime256v1
  4. this time in line 25 instead of getting CertificateStatus.VALID we end up with CertificateStatus.CHALLENGES_PUSHED
  5. We attempt to handle the CHALLENGES_PUSHED status in line 26 but we end with a 400 response from LE, notifying us that the order is already in "valid" status and we shouldn't ask for an order finalization.

Currently this results in an infinite loop in certcentral, on every certificate_management() loop iteration, it's going to attempt to get the certificate, and LE would always reply with the same 400 error.

Taking into account that currently certcentral1001 and certcentral2001 share the same LE account, this collision could happen between servers.

This issue could be fixed partially by T207478, but only relaying on T207478 would result in delayed certificate issuance in some scenarios

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 23 2018, 10:36 AM
Vgutierrez triaged this task as Medium priority.Oct 23 2018, 10:36 AM

Change 469446 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Avoid getting stuck on CHALLENGES_PUSHED status

https://gerrit.wikimedia.org/r/469446

Change 469446 merged by Vgutierrez:
[operations/software/certcentral@master] certcentral: Avoid getting stuck on CHALLENGES_PUSHED status

https://gerrit.wikimedia.org/r/469446

Change 469459 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] Release 0.3 including the following changes:

https://gerrit.wikimedia.org/r/469459

Change 469459 merged by jenkins-bot:
[operations/software/certcentral@master] Release 0.3

https://gerrit.wikimedia.org/r/469459

Change 469461 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Avoid getting stuck on CHALLENGES_PUSHED status

https://gerrit.wikimedia.org/r/469461

Change 469462 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] Release 0.3

https://gerrit.wikimedia.org/r/469462

Change 469461 merged by Vgutierrez:
[operations/software/certcentral@debian] certcentral: Avoid getting stuck on CHALLENGES_PUSHED status

https://gerrit.wikimedia.org/r/469461

Change 469462 merged by Vgutierrez:
[operations/software/certcentral@debian] Release 0.3

https://gerrit.wikimedia.org/r/469462

Change 469464 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] debian: Add release 0.3 to changelog

https://gerrit.wikimedia.org/r/469464

Change 469464 merged by Vgutierrez:
[operations/software/certcentral@debian] debian: Add release 0.3 to changelog

https://gerrit.wikimedia.org/r/469464

Mentioned in SAL (#wikimedia-operations) [2018-10-25T07:16:28Z] <vgutierrez> Uploaded certcentral 0.3 to apt.wikimedia.org (stretch) - T207737 T207478

Vgutierrez closed this task as Resolved.Nov 6 2018, 1:12 PM
Vgutierrez claimed this task.