From 67f1d1129b4b70fbb3ffa5da7f310ba6bfb6a3a1 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Thu, 7 Dec 2023 22:25:54 +0100
Subject: [PATCH] Fix handling of non-existing ACME accounts with Digicert ACME endpoint (#681)

* Compatibility for DigiCert CA: also accept 404 instead of 400 for non-existing accounts.
* Add changelog fragment.
* Fix URL.
---
 changelogs/fragments/681-acme-account.yml | 3 +++
 plugins/module_utils/acme/account.py | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/681-acme-account.yml
diff --git a/changelogs/fragments/681-acme-account.yml b/changelogs/fragments/681-acme-account.yml
new file mode 100644
index 000000000..0031d4745
--- /dev/null
+++ b/changelogs/fragments/681-acme-account.yml
@@ -0,0 +1,3 @@
+bugfixes:
+ - "acme_* modules - make account registration handling more flexible to accept 404 instead of
+ 400 send by DigiCert's ACME endpoint when an account does not exist (https://github.com/ansible-collections/community.crypto/pull/681)."
diff --git a/plugins/module_utils/acme/account.py b/plugins/module_utils/acme/account.py
index de5eb171d..04eac0566 100644
--- a/plugins/module_utils/acme/account.py
+++ b/plugins/module_utils/acme/account.py
@@ -118,8 +118,10 @@ def _new_reg(self, contact=None, agreement=None, terms_agreed=False, allow_creat
 if 'location' in info:
 self.client.set_account_uri(info['location'])
 return False, result
-elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
+elif info['status'] in (400, 404) and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
 # Account does not exist (and we did not try to create it)
+ # (According to RFC 8555, Section 7.3.1, the HTTP status code MUST be 400.
+ # Unfortunately Digicert does not care and sends 404 instead.)
 return False, None
 elif info['status'] == 403 and result['type'] == 'urn:ietf:params:acme:error:unauthorized' and 'deactivated' in (result.get('detail') or ''):
 # Account has been deactivated; currently works for Pebble; has not been
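Review bot: The changed `elif` now also admits a 404, but it still subscripts `result['type']` before anything in the hunk confirms `result` is an ACME problem document; a 404 is precisely the status an intermediary or misrouted endpoint answers with a non-problem body, so if `result` can be a dict without a `type` key here (how it is built is outside the hunk) the lookup raises KeyError before the later 403 branch is reached. Writing the clause as `result.get('type') == 'urn:ietf:params:acme:error:accountDoesNotExist'` keeps the comparison and lets such a response fall through as before. The new comment should also say that the error `type` is the real discriminator and that only the status code is loosened for DigiCert, e.g. `# The accountDoesNotExist type is what identifies this case; do not relax the check to the status code alone.` The enclosing `_new_reg` starts before the hunk and continues after it.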