Fix wildcard authorization reuse with DNS-Account-01 #8504
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The RA rejected wildcard authorizations with DNS-Account-01 challenges during reuse, though the PA offers DNS-Account-01 for wildcards. In ra.go:2244-2248, the NewOrder() validation only accepted DNS-01 for wildcards. This check predates DNS-Account-01 wildcard support (added after commit 52615d9). Changes: - Accept both DNS-01 and DNS-Account-01 for wildcard reuse - Split validation into two checks (count vs type) - Add TestNewOrderAuthzReuseDNSAccount01 unit test The bug only affected authorization reuse (not new authorizations), which is why existing tests using random domains didn't expose it.
Adds TestDNSAccount01WildcardAuthorizationReuse to verify that wildcard authorizations with DNS-Account-01 challenges can be reused correctly. The test: - Creates a wildcard order with DNS-Account-01 - Completes the challenge to get a valid authorization - Creates a second order for the same wildcard domain - Verifies the same authorization is reused (same URL) - Verifies the authorization is already valid (no re-validation) - Verifies the DNS-Account-01 challenge type is preserved This test fills a gap in Boulder's integration test coverage - no existing Go integration tests verify authorization reuse end-to-end.
Reverted to single combined check to maintain backward compatibility with existing test expectations. The fix still accepts both DNS-01 and DNS-Account-01 for wildcard authorization reuse, but uses the original generic error message format: "with invalid challenge(s)" This avoids needing to modify existing tests while still fixing the bug.
Add 2 assertions checking that authorization reuse actually occurs: - Order contains exactly one authorization - Authorization ID matches the mock (ID "1") Previously the test only checked for absence of errors, which could pass even if a new authorization was created instead of reusing the existing one.
The RA accepted DNS-Account-01 for wildcard authorization reuse without checking features.Get().DNSAccount01Enabled. Changes: - Add feature flag check in ra.go wildcard validation - Enable flag in TestNewOrderAuthzReuseDNSAccount01 - Add TestNewOrderAuthzReuseDNSAccount01Disabled for flag-off state When disabled, only DNS-01 is accepted for wildcard authorization reuse. When enabled, both DNS-01 and DNS-Account-01 are accepted.
beautifulentropy
approved these changes
Dec 10, 2025
jprenken
previously approved these changes
Dec 10, 2025
beautifulentropy
requested changes
Dec 10, 2025
Refactor wildcard authorization validation: - Split gnarly conditional into nested checks - Extract chall and dnsAccount01Enabled variables - Separate error message for unexpected challenge count - Update test expectation for new error message Test improvements: - Change final assertions to t.Errorf() (non-fatal) - Add error logging to cleanup functions - Prevent panics from nil-value derefs in test setup
Use t.Fatal(err) to match existing Boulder test patterns for chall-test-srv-client cleanup.
Contributor
Author
|
@beautifulentropy thanks for the review! I addressed all three items:
Ready for re-review. |
jprenken
previously approved these changes
Dec 11, 2025
aarongable
requested changes
Dec 11, 2025
Pending wildcard authorizations can have 2 challenges (DNS-01 + DNS-Account-01) when DNS-Account-01 is enabled. Previous check rejected these valid authorizations. Changes: - Allow maxChallenges=2 for pending authz when feature enabled - Validate all challenges in list (not just first) - Update test to use pending authz with both challenge types
Contributor
Author
|
@aarongable thanks for catching this! Fixed:
Ready for re-review. |
aarongable
reviewed
Dec 11, 2025
Trust the PA/SA to handle challenge counts correctly and only verify that wildcard authzs don't contain invalid challenge types.
aarongable
previously approved these changes
Dec 11, 2025
jprenken
previously approved these changes
Dec 11, 2025
jprenken
approved these changes
Dec 11, 2025
aarongable
approved these changes
Dec 11, 2025
beautifulentropy
approved these changes
Dec 12, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
The RA rejected wildcard authorizations with DNS-Account-01 challenges during reuse. This fix accepts both DNS-01 and DNS-Account-01 for wildcard authorization reuse.
Root Cause
In
ra/ra.go:2244-2248, theNewOrder()validation only accepted DNS-01 for wildcards. This check was added in commit 52615d9 before DNS-Account-01 wildcard support existed.Changes
Why Tests Missed This
The bug only affects authorization reuse, not new authorizations. Existing tests use random domains for each order, preventing reuse.
Test Coverage
Unit test
TestNewOrderAuthzReuseDNSAccount01verifies the validation logic accepts DNS-Account-01.Integration test
TestDNSAccount01WildcardAuthorizationReuseverifies end-to-end authorization reuse:Fixes #8505