Skip to content

Obtain new certificate when renewal's issuer has changed#393

Open
TowyTowy wants to merge 1 commit into
caddyserver:masterfrom
TowyTowy:fix/6732-issuer-change-renewal
Open

Obtain new certificate when renewal's issuer has changed#393
TowyTowy wants to merge 1 commit into
caddyserver:masterfrom
TowyTowy:fix/6732-issuer-change-renewal

Conversation

@TowyTowy

@TowyTowy TowyTowy commented Jul 8, 2026

Copy link
Copy Markdown

What / why

Fixes caddyserver/caddy#6732. When the configured issuer is changed between config reloads (e.g. switching ACME CA), a previously-obtained certificate stays cached and managed, but its stored resources live under the old issuer's storage path. renewCert reuses the stored resource and therefore looks for it only under the currently-configured issuer(s), never finds it (fs.ErrNotExist), and retries with backoff until the cert expires — auto-renewal gets permanently stuck. This reproduces the maintainer analysis in the issue by @WeidiDeng.

Change

In renewCert, before attempting renewal, check whether any currently-configured issuer actually has the certificate resources in storage. If none do, there is nothing to renew, so obtain a fresh certificate from the current issuer(s) instead of failing forever. The check runs before lock acquisition and delegates to obtainCert, which re-guards under its own storage lock (idempotent, distributed-safe).

Tests

Adds TestRenewCertObtainsWhenIssuerChanged, which seeds a cert under an old issuer key, reconfigures with a different issuer, and asserts renewal falls back to obtaining from the new issuer. Confirmed it fails without the change with the same no such file or directory error from the issue, and passes with it. Full package suite, go vet, and gofmt are clean.

Assistance Disclosure

AI assistance (Claude) was used to investigate the issue, trace the certmagic renewal path, and draft this fix and its regression test. The change and test output have been reviewed and verified for correctness.

When the configured issuer is changed between config reloads (e.g. a
different ACME CA), a previously-obtained certificate can remain cached
and managed while its stored resources live under the OLD issuer's
storage path. Renewal reuses the stored certificate resource, so it
looks for the resource only under the currently-configured issuer(s),
never finds it (fs.ErrNotExist), and retries in vain until the
certificate expires (up to 30 days), leaving auto-renewal stuck.

Fix renewCert to detect when no certificate resources exist in storage
for any currently-configured issuer and, in that case, obtain a fresh
certificate from the current issuer instead of endlessly failing to
renew a resource that will never appear.

Adds a regression test that reproduces the stuck-renewal state (a cert
stored under an old issuer key with a different issuer now configured)
and asserts renewal falls back to obtaining from the new issuer. The
test fails without this change with the same "no such file or
directory" error reported in the issue.

Fixes caddyserver/caddy#6732

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

tls: certificates auto renewal will become stuck if issuer is changed between config reloads

1 participant