Fix wildcard authorization reuse with DNS-Account-01 (#8504)

sheurich · web-flow · commit 3922886ee57d · 2025-12-11T16:34:38.000-08:00
Update ra.NewOrder to allow reuse of authorizations with a dns-account-01 challenge for wildcard identifiers. Add two new tests showing that the RA accepts or rejects reuse of such an authorization, depending on the state of the DNSAccount01Enabled feature flag. Fixes #8505
diff --git a/ra/ra.go b/ra/ra.go
@@ -2243,14 +2243,18 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 			authzAge = (profile.pendingAuthzLifetime - authz.Expires.Sub(ra.clk.Now())).Seconds()
 		}
 
-		// If the identifier is a wildcard DNS name, it must have exactly one
-		// DNS-01 type challenge. The PA guarantees this at order creation time,
-		// but we verify again to be safe.
-		if ident.Type == identifier.TypeDNS && strings.HasPrefix(ident.Value, "*.") &&
-			(len(authz.Challenges) != 1 || authz.Challenges[0].Type != core.ChallengeTypeDNS01) {
-			return nil, berrors.InternalServerError(
-				"SA.GetAuthorizations returned a DNS wildcard authz (%s) with invalid challenge(s)",
-				authz.ID)
+		// If the identifier is a wildcard DNS name, all challenges must be
+		// DNS-01 or DNS-Account-01. The PA guarantees this at order creation
+		// time, but we verify again to be safe.
+		if ident.Type == identifier.TypeDNS && strings.HasPrefix(ident.Value, "*.") {
+			for _, chall := range authz.Challenges {
+				if chall.Type != core.ChallengeTypeDNS01 && !(features.Get().DNSAccount01Enabled && chall.Type == core.ChallengeTypeDNSAccount01) {
+					return nil, berrors.InternalServerError(
+						"SA.GetAuthorizations returned a DNS wildcard authz (%s) with invalid challenge(s)",
+						authz.ID,
+					)
+				}
+			}
 		}
 
 		// If we reached this point then the existing authz was acceptable for
diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -2119,11 +2119,110 @@ func TestNewOrderAuthzReuseSafety(t *testing.T) {
 
 	// Create an order for that request
 	_, err := ra.NewOrder(ctx, orderReq)
-	// It should fail
+	// It should fail because HTTP-01 is not a valid challenge type for wildcards
 	test.AssertError(t, err, "Added an initial order for regA with invalid challenge(s)")
 	test.AssertContains(t, err.Error(), "SA.GetAuthorizations returned a DNS wildcard authz (1) with invalid challenge(s)")
 }
 
+// TestNewOrderAuthzReuseDNSAccount01 checks that the RA correctly allows reuse
+// of a wildcard authorization with a DNS-Account-01 challenge.
+func TestNewOrderAuthzReuseDNSAccount01(t *testing.T) {
+	_, _, ra, _, _, registration, cleanUp := initAuthorities(t)
+	defer cleanUp()
+
+	features.Set(features.Config{DNSAccount01Enabled: true})
+	defer features.Reset()
+
+	ctx := context.Background()
+	idents := identifier.ACMEIdentifiers{identifier.NewDNS("*.zombo.com")}
+
+	// Use a mock SA that returns a pending authz with both DNS-01 and
+	// DNS-Account-01 challenges for wildcard. This tests that pending wildcard
+	// authorizations with 2 challenges can be reused.
+	expires := time.Now().Add(24 * time.Hour)
+	ra.SA = &mockSAWithAuthzs{
+		authzs: []*core.Authorization{
+			{
+				ID:             "1",
+				Identifier:     identifier.NewDNS("*.zombo.com"),
+				RegistrationID: registration.Id,
+				Status:         "pending",
+				Expires:        &expires,
+				Challenges: []core.Challenge{
+					{
+						Type:   core.ChallengeTypeDNS01,
+						Status: core.StatusPending,
+						Token:  core.NewToken(),
+					},
+					{
+						Type:   core.ChallengeTypeDNSAccount01,
+						Status: core.StatusPending,
+						Token:  core.NewToken(),
+					},
+				},
+			},
+		},
+	}
+
+	orderReq := &rapb.NewOrderRequest{
+		RegistrationID: registration.Id,
+		Identifiers:    idents.ToProtoSlice(),
+	}
+
+	// Create an order for the wildcard domain. NewOrder should recognize that
+	// the existing valid authorization with DNS-Account-01 challenge can be
+	// reused for this wildcard domain request.
+	order, err := ra.NewOrder(ctx, orderReq)
+	test.AssertNotError(t, err, "NewOrder failed to reuse wildcard authz with DNS-Account-01")
+	// The order should contain exactly one authorization (the reused one)
+	test.AssertEquals(t, len(order.V2Authorizations), 1)
+	// The authorization ID should match the mock authz we provided (ID "1")
+	test.AssertEquals(t, order.V2Authorizations[0], int64(1))
+}
+
+// TestNewOrderAuthzReuseDNSAccount01Disabled checks that the RA rejects
+// wildcard authorization reuse with DNS-Account-01 when the feature is disabled.
+func TestNewOrderAuthzReuseDNSAccount01Disabled(t *testing.T) {
+	_, _, ra, _, _, registration, cleanUp := initAuthorities(t)
+	defer cleanUp()
+
+	// Feature flag is NOT set - DNSAccount01Enabled defaults to false
+
+	ctx := context.Background()
+	idents := identifier.ACMEIdentifiers{identifier.NewDNS("*.zombo.com")}
+
+	// Use a mock SA that returns a DNS-Account-01 authz for wildcard
+	expires := time.Now().Add(24 * time.Hour)
+	ra.SA = &mockSAWithAuthzs{
+		authzs: []*core.Authorization{
+			{
+				ID:             "1",
+				Identifier:     identifier.NewDNS("*.zombo.com"),
+				RegistrationID: registration.Id,
+				Status:         "valid",
+				Expires:        &expires,
+				Challenges: []core.Challenge{
+					{
+						Type:   core.ChallengeTypeDNSAccount01,
+						Status: core.StatusValid,
+						Token:  core.NewToken(),
+					},
+				},
+			},
+		},
+	}
+
+	orderReq := &rapb.NewOrderRequest{
+		RegistrationID: registration.Id,
+		Identifiers:    idents.ToProtoSlice(),
+	}
+
+	// NewOrder should reject the DNS-Account-01 authz when feature is disabled
+	_, err := ra.NewOrder(ctx, orderReq)
+	test.AssertError(t, err, "NewOrder should reject DNS-Account-01 when feature disabled")
+	test.AssertContains(t, err.Error(), "SA.GetAuthorizations returned a DNS wildcard authz (1) with invalid challenge(s)")
+}
+
 func TestNewOrderWildcard(t *testing.T) {
 	_, _, ra, _, _, registration, cleanUp := initAuthorities(t)
 	defer cleanUp()
diff --git a/test/integration/dns_account_01_test.go b/test/integration/dns_account_01_test.go
@@ -47,7 +47,10 @@ func TestDNSAccount01HappyPath(t *testing.T) {
 		t.Fatalf("adding DNS response: %s", err)
 	}
 	t.Cleanup(func() {
-		_, _ = testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+		_, err := testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+		if err != nil {
+			t.Fatal(err)
+		}
 	})
 
 	chal, err = c.Client.UpdateChallenge(c.Account, chal)
@@ -103,7 +106,10 @@ func TestDNSAccount01WrongTXTRecord(t *testing.T) {
 		t.Fatalf("adding DNS response: %s", err)
 	}
 	t.Cleanup(func() {
-		_, _ = testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+		_, err := testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+		if err != nil {
+			t.Fatal(err)
+		}
 	})
 
 	_, err = c.Client.UpdateChallenge(c.Account, chal)
@@ -212,7 +218,10 @@ func TestDNSAccount01MultipleTXTRecordsNoneMatch(t *testing.T) {
 		t.Fatalf("adding DNS response: %s", err)
 	}
 	t.Cleanup(func() {
-		_, _ = testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+		_, err := testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+		if err != nil {
+			t.Fatal(err)
+		}
 	})
 
 	_, err = c.Client.UpdateChallenge(c.Account, chal)
@@ -276,7 +285,10 @@ func TestDNSAccount01MultipleTXTRecordsOneMatches(t *testing.T) {
 		t.Fatalf("adding DNS response: %s", err)
 	}
 	t.Cleanup(func() {
-		_, _ = testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+		_, err := testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+		if err != nil {
+			t.Fatal(err)
+		}
 	})
 
 	chal, err = c.Client.UpdateChallenge(c.Account, chal)
@@ -342,7 +354,10 @@ func TestDNSAccount01WildcardDomain(t *testing.T) {
 			t.Fatalf("adding DNS response: %s", err)
 		}
 		t.Cleanup(func() {
-			_, _ = testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+			_, err := testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+			if err != nil {
+				t.Fatal(err)
+			}
 		})
 
 		chal, err = c.Client.UpdateChallenge(c.Account, chal)
@@ -361,3 +376,96 @@ func TestDNSAccount01WildcardDomain(t *testing.T) {
 		}
 	}
 }
+
+func TestDNSAccount01WildcardAuthorizationReuse(t *testing.T) {
+	t.Parallel()
+
+	if os.Getenv("BOULDER_CONFIG_DIR") == "test/config" {
+		t.Skip("Test requires dns-account-01 to be enabled")
+	}
+
+	// Use same domain for both orders to trigger authorization reuse
+	domain := random_domain()
+	wildcardDomain := fmt.Sprintf("*.%s", domain)
+
+	c, err := makeClient()
+	if err != nil {
+		t.Fatalf("creating client: %s", err)
+	}
+
+	idents := []acme.Identifier{{Type: "dns", Value: wildcardDomain}}
+
+	// First order: Create and complete DNS-Account-01 challenge
+	order1, err := c.Client.NewOrder(c.Account, idents)
+	if err != nil {
+		t.Fatalf("creating first order: %s", err)
+	}
+
+	authzURL := order1.Authorizations[0]
+	auth1, err := c.Client.FetchAuthorization(c.Account, authzURL)
+	if err != nil {
+		t.Fatalf("fetching first authorization: %s", err)
+	}
+
+	chal, ok := auth1.ChallengeMap[acme.ChallengeTypeDNSAccount01]
+	if !ok {
+		t.Fatal("dns-account-01 challenge not offered by server")
+	}
+
+	_, err = testSrvClient.AddDNSAccount01Response(c.Account.URL, domain, chal.KeyAuthorization)
+	if err != nil {
+		t.Fatalf("adding DNS response: %s", err)
+	}
+	t.Cleanup(func() {
+		_, err := testSrvClient.RemoveDNSAccount01Response(c.Account.URL, domain)
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+
+	chal, err = c.Client.UpdateChallenge(c.Account, chal)
+	if err != nil {
+		t.Fatalf("updating challenge: %s", err)
+	}
+
+	// Wait for authorization to become valid
+	auth1, err = c.Client.FetchAuthorization(c.Account, authzURL)
+	if err != nil {
+		t.Fatalf("fetching first authorization after challenge update: %s", err)
+	}
+
+	if auth1.Status != "valid" {
+		t.Fatalf("expected first authorization status to be 'valid', got '%s'", auth1.Status)
+	}
+
+	// Second order: Should reuse the existing authorization
+	order2, err := c.Client.NewOrder(c.Account, idents)
+	if err != nil {
+		t.Fatalf("creating second order: %s", err)
+	}
+
+	if len(order2.Authorizations) != 1 {
+		t.Fatalf("expected 1 authorization in second order, got %d", len(order2.Authorizations))
+	}
+
+	authzURL2 := order2.Authorizations[0]
+	auth2, err := c.Client.FetchAuthorization(c.Account, authzURL2)
+	if err != nil {
+		t.Fatalf("fetching second authorization: %s", err)
+	}
+
+	// Verify reuse occurred: same authorization URL
+	if authzURL != authzURL2 {
+		t.Errorf("expected same authorization URL, got different: %s != %s", authzURL, authzURL2)
+	}
+
+	// Verify authorization is already valid (no re-validation needed)
+	if auth2.Status != "valid" {
+		t.Errorf("expected reused authorization status to be 'valid', got '%s'", auth2.Status)
+	}
+
+	// Verify authorization still has DNS-Account-01 challenge
+	if _, ok := auth2.ChallengeMap[acme.ChallengeTypeDNSAccount01]; !ok {
+		t.Error("expected reused authorization to have dns-account-01 challenge")
+	}
+}
