ACME: fix bug introduced in #49266, work around problem with Pebble (#49407)

pull/49339/head
Felix Fontein 6 years ago committed by René Moser
parent d62492e656
commit 34c57b4c42

@ -568,7 +568,7 @@ class ACMEAccount(object):
try: try:
content = resp.read() content = resp.read()
except AttributeError: except AttributeError:
content = info.pop('body') content = info.pop('body', None)
if content or not parse_json_result: if content or not parse_json_result:
if (parse_json_result and info['content-type'].startswith('application/json')) or 400 <= info['status'] < 600: if (parse_json_result and info['content-type'].startswith('application/json')) or 400 <= info['status'] < 600:
@ -614,7 +614,7 @@ class ACMEAccount(object):
try: try:
content = resp.read() content = resp.read()
except AttributeError: except AttributeError:
content = info.pop('body') content = info.pop('body', None)
# Process result # Process result
if parse_json_result: if parse_json_result:
@ -674,14 +674,26 @@ class ACMEAccount(object):
url = self.directory['newAccount'] url = self.directory['newAccount']
result, info = self.send_signed_request(url, new_reg) result, info = self.send_signed_request(url, new_reg)
if 'location' in info:
self.set_account_uri(info['location'])
if info['status'] in ([200, 201] if self.version == 1 else [201]): if info['status'] in ([200, 201] if self.version == 1 else [201]):
# Account did not exist # Account did not exist
if 'location' in info:
self.set_account_uri(info['location'])
return True return True
elif info['status'] == (409 if self.version == 1 else 200): elif info['status'] == (409 if self.version == 1 else 200):
# Account did exist # Account did exist
if result.get('status') == 'deactivated':
# A probable bug in Pebble (https://github.com/letsencrypt/pebble/issues/179)
# and Boulder: this should not return a valid account object according to
# https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3.6:
# "Once an account is deactivated, the server MUST NOT accept further
# requests authorized by that account's key."
if not allow_creation:
return False
else:
raise ModuleFailException("Account is deactivated")
if 'location' in info:
self.set_account_uri(info['location'])
return False return False
elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation: elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
# Account does not exist (and we didn't try to create it) # Account does not exist (and we didn't try to create it)
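Review bot: The comment in the new `deactivated` branch (third hunk) explains the Pebble/Boulder behaviour but not the module's response to it. With `allow_creation` false the branch returns False without calling `set_account_uri`, so a caller sees a deactivated account exactly as it sees a key that was never registered. I would state that where the decision is made, e.g. `# Lookup only: report a deactivated account as non-existent (no account URI set); with creation requested, fail, since this key is bound to a deactivated account.` above `if not allow_creation:`, and drop the `else:` after `return False`. `result.get('status')` also assumes the parsed body is a dict, which looks right for a 200/409 reply but should be confirmed because the parsing code is outside the hunk. The enclosing method starts and ends outside the visible lines.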

@ -55,7 +55,7 @@
assert: assert:
that: that:
- account_deactivate_idempotent is not changed - account_deactivate_idempotent is not changed
- account_deactivate_idempotent.account_uri is not none - account_deactivate_idempotent.account_uri is none
- name: Validate that the account is gone (new account key) - name: Validate that the account is gone (new account key)
assert: assert:
