@sheurich sheurich commented Nov 25, 2025

Summary

The RA rejected wildcard authorizations with DNS-Account-01 challenges during reuse. This fix accepts both DNS-01 and DNS-Account-01 for wildcard authorization reuse.

Root Cause

In ra/ra.go:2244-2248, the NewOrder() validation only accepted DNS-01 for wildcards. This check was added in commit 52615d9 before DNS-Account-01 wildcard support existed.

Changes

  • Updated validation to accept both DNS-01 and DNS-Account-01 for wildcards
  • Added TestNewOrderAuthzReuseDNSAccount01 unit test
  • Added TestDNSAccount01WildcardAuthorizationReuse integration test

Why Tests Missed This

The bug only affects authorization reuse, not new authorizations. Existing tests use random domains for each order, preventing reuse.

Test Coverage

Unit test TestNewOrderAuthzReuseDNSAccount01 verifies the validation logic accepts DNS-Account-01.

Integration test TestDNSAccount01WildcardAuthorizationReuse verifies end-to-end authorization reuse:

  1. Creates a wildcard order with DNS-Account-01
  2. Completes the challenge to get a valid authorization
  3. Creates a second order for the same wildcard domain
  4. Verifies the same authorization is reused
  5. Verifies no re-validation occurs

Fixes #8505

The RA rejected wildcard authorizations with DNS-Account-01 challenges
during reuse, though the PA offers DNS-Account-01 for wildcards.

In ra.go:2244-2248, the NewOrder() validation only accepted DNS-01 for
wildcards. This check predates DNS-Account-01 wildcard support (added
after commit 52615d9).

Changes:
- Accept both DNS-01 and DNS-Account-01 for wildcard reuse
- Split validation into two checks (count vs type)
- Add TestNewOrderAuthzReuseDNSAccount01 unit test

The bug only affected authorization reuse (not new authorizations),
which is why existing tests using random domains didn't expose it.

@sheurich sheurich requested a review from a team as a code owner November 25, 2025 16:24
@sheurich sheurich closed this Nov 25, 2025

Adds TestDNSAccount01WildcardAuthorizationReuse to verify that wildcard
authorizations with DNS-Account-01 challenges can be reused correctly.

The test:
- Creates a wildcard order with DNS-Account-01
- Completes the challenge to get a valid authorization
- Creates a second order for the same wildcard domain
- Verifies the same authorization is reused (same URL)
- Verifies the authorization is already valid (no re-validation)
- Verifies the DNS-Account-01 challenge type is preserved

This test fills a gap in Boulder's integration test coverage - no
existing Go integration tests verify authorization reuse end-to-end.

@sheurich sheurich reopened this Nov 25, 2025
@sheurich sheurich marked this pull request as draft November 25, 2025 17:11

Reverted to single combined check to maintain backward compatibility
with existing test expectations. The fix still accepts both DNS-01 and
DNS-Account-01 for wildcard authorization reuse, but uses the original
generic error message format: "with invalid challenge(s)"

This avoids needing to modify existing tests while still fixing the bug.

@sheurich sheurich marked this pull request as ready for review November 25, 2025 18:04

Add 2 assertions checking that authorization reuse actually occurs:
- Order contains exactly one authorization
- Authorization ID matches the mock (ID "1")

Previously the test only checked for absence of errors, which could
pass even if a new authorization was created instead of reusing the
existing one.

@sheurich sheurich marked this pull request as draft November 25, 2025 22:10

The RA accepted DNS-Account-01 for wildcard authorization reuse without
checking features.Get().DNSAccount01Enabled.

Changes:
- Add feature flag check in ra.go wildcard validation
- Enable flag in TestNewOrderAuthzReuseDNSAccount01
- Add TestNewOrderAuthzReuseDNSAccount01Disabled for flag-off state

When disabled, only DNS-01 is accepted for wildcard authorization reuse.
When enabled, both DNS-01 and DNS-Account-01 are accepted.

@sheurich sheurich marked this pull request as ready for review November 25, 2025 22:52
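The validation rule the commits above converge on (one combined check: a reused wildcard authorization must carry exactly one challenge, and that challenge must be DNS-01, or DNS-Account-01 when the feature flag is on) is written out below as an added Go example. It is a standalone model, not Boulder's ra.go: the `Challenge`/`Authorization` types, the `dnsAccount01Enabled` bool standing in for `features.Get().DNSAccount01Enabled`, and the `CheckWildcardReuse`/`CheckWildcardReuseLegacy` function names are all assumptions made for this example. The pre-fix rule is kept beside the fixed one so the rejected case from the bug report is visible.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ACME challenge type names as they appear on the wire.
const (
	ChallengeDNS01        = "dns-01"
	ChallengeDNSAccount01 = "dns-account-01"
	ChallengeHTTP01       = "http-01"
)

// Challenge and Authorization are a minimal hypothetical model of what the RA
// inspects when deciding whether an existing authorization may back a new
// order. They are not Boulder's own types.
type Challenge struct {
	Type string
}

type Authorization struct {
	ID         string
	Identifier string // DNS name, e.g. "*.example.com"
	Challenges []Challenge
}

// ErrInvalidChallenges keeps the generic wording the PR retained so that
// existing error-message expectations still hold.
var ErrInvalidChallenges = errors.New("wildcard authorization with invalid challenge(s)")

// isWildcard reports whether the identifier is a wildcard DNS name.
func isWildcard(name string) bool {
	return strings.HasPrefix(name, "*.")
}

// wildcardTypeAllowed is the fixed rule: DNS-01 is always acceptable;
// DNS-Account-01 only while the feature flag is enabled.
func wildcardTypeAllowed(t string, dnsAccount01Enabled bool) bool {
	switch t {
	case ChallengeDNS01:
		return true
	case ChallengeDNSAccount01:
		return dnsAccount01Enabled
	default:
		return false
	}
}

// CheckWildcardReuse applies the single combined check: exactly one challenge
// and an allowed type. Non-wildcard authorizations are not subject to it.
func CheckWildcardReuse(authz Authorization, dnsAccount01Enabled bool) error {
	if !isWildcard(authz.Identifier) {
		return nil
	}
	if len(authz.Challenges) != 1 || !wildcardTypeAllowed(authz.Challenges[0].Type, dnsAccount01Enabled) {
		return fmt.Errorf("authz %s: %w", authz.ID, ErrInvalidChallenges)
	}
	return nil
}

// CheckWildcardReuseLegacy models the pre-fix behaviour: only DNS-01 passes,
// so a valid DNS-Account-01 wildcard authorization was rejected on reuse.
func CheckWildcardReuseLegacy(authz Authorization) error {
	if !isWildcard(authz.Identifier) {
		return nil
	}
	if len(authz.Challenges) != 1 || authz.Challenges[0].Type != ChallengeDNS01 {
		return fmt.Errorf("authz %s: %w", authz.ID, ErrInvalidChallenges)
	}
	return nil
}

func main() {
	// Constructed sample: a valid wildcard authorization proven via DNS-Account-01.
	authz := Authorization{ID: "1", Identifier: "*.example.com",
		Challenges: []Challenge{{Type: ChallengeDNSAccount01}}}
	fmt.Println("legacy:       ", CheckWildcardReuseLegacy(authz))
	fmt.Println("fixed, flag on:", CheckWildcardReuse(authz, true))
	fmt.Println("fixed, flag off:", CheckWildcardReuse(authz, false))
}
```

Running `main` shows the three outcomes the PR history describes: the legacy check rejects the DNS-Account-01 authorization, the fixed check accepts it with the flag enabled, and with the flag disabled only DNS-01 is accepted for wildcard reuse.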
Successfully merging this pull request may close these issues.

RA rejects wildcard DNS-Account-01 authorizations during reuse