From: William Lallemand
Date: Mon, 14 Apr 2025 08:44:24 +0000 (+0200)
Subject: BUG/MINOR: acme: key not restored upon error in acme_res_certificate()
X-Git-Tag: v3.2-dev11~77
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a43094f8d8fe3c435ecc003f07453dd9de8134a;p=thirdparty%2Fhaproxy.git

BUG/MINOR: acme: key not restored upon error in acme_res_certificate()

When receiving the final certificate, it need to be loaded by ssl_sock_load_pem_into_ckch(). However this function will remove any existing private key in the struct ckch_store. In order to fix the issue, the ptr to the key is swapped with a NULL ptr, and restored once the new certificate is commited. However there is a discrepancy when there is an error in ssl_sock_load_pem_into_ckch() fails and the pointer is lost. This patch fixes the issue by restoring the pointer in the error path. This must fix issue #2933.
---
diff --git a/src/acme.c b/src/acme.c
index 4d8232346..e36318f1f 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -636,7 +636,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg)
 	struct http_hdr *hdrs, *hdr;
 	struct buffer *t1 = NULL, *t2 = NULL;
 	int ret = 1;
-	EVP_PKEY *key;
+	EVP_PKEY *key = NULL;
 	hc = ctx->hc;
 	if (!hc)
@@ -679,6 +679,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg)
 	/* restore the key */
 	ctx->store->data->key = key;
+	key = NULL;
 	if (acme_update_certificate(task, ctx, errmsg) != 0)
 		goto error;
@@ -687,6 +688,8 @@ out:
 	ret = 0;
 error:
+	if (key)
+		ctx->store->data->key = key;
 	free_trash_chunk(t1);
 	free_trash_chunk(t2);
 	httpclient_destroy(hc);
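Review bot: The restore added under `error:` writes `key` back over whatever `ctx->store->data->key` holds at that point without releasing it; if ssl_sock_load_pem_into_ckch() can leave a partially loaded key in the store before it fails (that call is outside this hunk), the new key is leaked. Either confirm that the loader leaves the field NULL on failure and state that in a comment, or release it first: `if (key) { EVP_PKEY_free(ctx->store->data->key); ctx->store->data->key = key; }`. The restore line also deserves a why-comment, e.g. `/* key is non-NULL only while swapped out for ssl_sock_load_pem_into_ckch(); put it back so the store is never left without its private key */`, since the `key = NULL;` in the previous hunk is what makes the success path skip it and that coupling is not obvious at the label. acme_res_certificate() starts before the first hunk and continues past this one.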
@@ -1674,9 +1677,9 @@ retry:
 		int i;
 		for (i = 0; i < ACME_RETRY - ctx->retries; i++)
-			delay *= 3000;
+			delay *= 3;
 		ha_notice("acme: %s, retrying in %dms (%d/%d)...\n", errmsg ? errmsg : "", delay, ACME_RETRY-ctx->retries, ACME_RETRY);
-		task->expire = tick_add(now_ms, delay);
+		task->expire = tick_add(now_ms, delay * 1000);
 	} else {
 		ha_notice("acme: %s, aborting. (%d/%d)\n", errmsg ? errmsg : "", ACME_RETRY-ctx->retries, ACME_RETRY);
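Review bot: After this change `delay` is treated as seconds (it is only scaled to milliseconds inside the `tick_add()` call), but the ha_notice() between the two changed lines still prints it with `%dms`, so the logged wait is understated by a factor of 1000 — unless `delay` is initialised in milliseconds outside the hunk, in which case the `* 1000` in tick_add() is the wrong side. Make the message agree with the unit actually used, e.g. `ha_notice("acme: %s, retrying in %ds (%d/%d)...\n", errmsg ? errmsg : "", delay, ACME_RETRY-ctx->retries, ACME_RETRY);`, or keep `%dms` and pass `delay * 1000`. A short comment where `delay` is initialised stating its unit would prevent the two call sites drifting apart again. The enclosing function starts and ends outside this hunk.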