Fix handling of non-existing ACME accounts with Digicert ACME endpoint (

#681) * Compatibility for DigiCert CA: also accept 404 instead of 400 for non-existing accounts. * Add changelog fragment. * Fix URL.
ansible-collections · Dec 7, 2023 · 67f1d11 · 67f1d11
1 parent d9362a2
commit 67f1d11
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/changelogs/fragments/681-acme-account.yml b/changelogs/fragments/681-acme-account.yml
@@ -0,0 +1,3 @@
+bugfixes:
+  - "acme_* modules - make account registration handling more flexible to accept 404 instead of
+     400 send by DigiCert's ACME endpoint when an account does not exist (https://github.com/ansible-collections/community.crypto/pull/681)."
diff --git a/plugins/module_utils/acme/account.py b/plugins/module_utils/acme/account.py
@@ -118,8 +118,10 @@ def _new_reg(self, contact=None, agreement=None, terms_agreed=False, allow_creat
             if 'location' in info:
                 self.client.set_account_uri(info['location'])
             return False, result
-        elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
+        elif info['status'] in (400, 404) and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
             # Account does not exist (and we did not try to create it)
+            # (According to RFC 8555, Section 7.3.1, the HTTP status code MUST be 400.
+            # Unfortunately Digicert does not care and sends 404 instead.)
             return False, None
         elif info['status'] == 403 and result['type'] == 'urn:ietf:params:acme:error:unauthorized' and 'deactivated' in (result.get('detail') or ''):
             # Account has been deactivated; currently works for Pebble; has not been