ACME certificate fails to renew (incorrect directory)

[Jburso]

Description

ACME renewal fails due to certmagic trying to find the certificate in the wrong directory. Initial issuance works just fine though. Certificates located in /var/lib/gitea/https/certificates/ca.mydomain.com-acme-acme-directory/ but renewals check for the certificate in /var/lib/gitea/.local/share/certmagic/certificates/acme-v02.api.letsencrypt.org-directory/.

certmagic prints: error while checking if stored certificate is also expiring soon

Relevant parts of my config are below:

; ACME support

PROTOCOL = https
ENABLE_ACME = true
ACME_ACCEPTTOS = true
ACME_URL = https://ca.mydomain.com/acme/acme/directory
ACME_DIRECTORY = https
ACME_EMAIL = nan@nan

Gitea Version

1.21.9

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/Jburso/5004c35ad7f4a0260a85a9044c3802f5

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Running on Alpine 3.20.3 and installed through the community v3.20 repo

Database

SQLite

[EmperorEarth]

Got the same on Forgejo 7.x/Gitea 1.21.x. Converting to Gitea paths, I was able to bandaid until bugfix with something like:

	sudo cp -r /var/lib/gitea/https/certificates /var/lib/gitea/.local/share/certmagic/certificates
	sudo systemctl stop gitea
	sudo systemctl start gitea

Both directories were updated during the certificate renewal.

Note: I'm not sure manually stopping and starting the SystemD daemon was necessary.

[wxiaoguang]

I think this will fix: Try to fix ACME directory problem #33072

[lunny]

It seems that for some reason, magic.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory} doesn’t appear to be taking effect.

[wxiaoguang]

doesn’t appear to be taking effect.

Actually it takes effect.

[Jburso]

After testing on v1.23.3, where the above fix was merged, I am still getting an incorrect path when a certificate renewal is being attempted. /var/lib/gitea/https/certificates/ca.mydomain.com-acme-acme-directory/ is the correct directory but the renewal attempts to access /var/lib/gitea/https/certificates/acme-v02.api.letsencrypt.org-directory/. The root directory is now correct, but it seems like there's an assumption that LetsEncrypt is being used when that's not the case.

This issue does not seem to occur immediately after gitea is restarted.

I think this issue should be reopened.

[wxiaoguang]

/var/lib/gitea/https/certificates/ca.mydomain.com-acme-acme-directory/ is the correct directory but the renewal attempts to access /var/lib/gitea/https/certificates/acme-v02.api.letsencrypt.org-directory/. The root directory is now correct, but it seems like there's an assumption that LetsEncrypt is being used when that's not the case.

If I understand correctly, that directory is from CA (aka setting.AcmeURL => ACME_URL). If you use the default ACME service (letsencpryt), then the URL is https://acme-v02.api.letsencrypt.org/directory, then it uses .../https/certificates/acme-v02.api.letsencrypt.org-directory. If you use a customized ACME service https://ca.mydomain.com/acme/acme/directory, then it becomes .../https/certificates/ca.mydomain.com-acme-acme-directory.

At the moment, I don't see the logic on Gitea side is changed. #33072 and its following up fix only set the global default storage path.

So maybe it is a misconfiguration or the ACME package's problem?

[wxiaoguang]

The best guess from my side is like this " Fix ACEM path when renew #33668 "(see the comment)

And @techknowlogick , the certmagic code is from "Use caddy's certmagic library for extensible/robust ACME handling (#14177)"