ACME certificate fails to renew (incorrect directory) #13565

Closed
opened 2025-11-02 10:46:13 -06:00 by GiteaMirror · 9 comments

Originally created by @Jburso on GitHub (Oct 4, 2024).

Description

ACME renewal fails due to certmagic trying to find the certificate in the wrong directory. Initial issuance works just fine though. Certificates located in /var/lib/gitea/https/certificates/ca.mydomain.com-acme-acme-directory/ but renewals check for the certificate in /var/lib/gitea/.local/share/certmagic/certificates/acme-v02.api.letsencrypt.org-directory/.

certmagic prints: error while checking if stored certificate is also expiring soon

Relevant parts of my config are below:

; ACME support

PROTOCOL = https
ENABLE_ACME = true
ACME_ACCEPTTOS = true
ACME_URL = https://ca.mydomain.com/acme/acme/directory
ACME_DIRECTORY = https
ACME_EMAIL = nan@nan

Gitea Version

1.21.9

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/Jburso/5004c35ad7f4a0260a85a9044c3802f5

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Running on Alpine 3.20.3 and installed through the community v3.20 repo (https://pkgs.alpinelinux.org/package/v3.20/community/x86_64/gitea)

Database

SQLite

GiteaMirror added the issue/confirmed and type/bug labels 2025-11-02 10:46:13 -06:00

@EmperorEarth commented on GitHub (Jan 1, 2025):

Got the same on Forgejo 7.x/Gitea 1.21.x. Converting to Gitea paths, I was able to bandaid until bugfix with something like:

	sudo cp -r /var/lib/gitea/https/certificates /var/lib/gitea/.local/share/certmagic/certificates
	sudo systemctl stop gitea
	sudo systemctl start gitea

Both directories were updated during the certificate renewal.

Note: I'm not sure manually stopping and starting the systemd service was necessary.


@wxiaoguang commented on GitHub (Jan 1, 2025):

I think this will fix: Try to fix ACME directory problem #33072


@lunny commented on GitHub (Jan 2, 2025):

It seems that for some reason, magic.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory} doesn’t appear to be taking effect.


@wxiaoguang commented on GitHub (Jan 2, 2025):

> doesn’t appear to be taking effect.

Actually it takes effect.


@Jburso commented on GitHub (Feb 21, 2025):

After testing on v1.23.3, where the above fix was merged, I am still getting an incorrect path when a certificate renewal is being attempted. /var/lib/gitea/https/certificates/ca.mydomain.com-acme-acme-directory/ is the correct directory but the renewal attempts to access /var/lib/gitea/https/certificates/acme-v02.api.letsencrypt.org-directory/. The root directory is now correct, but it seems like there's an assumption that LetsEncrypt is being used when that's not the case.

This issue does not seem to occur immediately after gitea is restarted.

I think this issue should be reopened.


@wxiaoguang commented on GitHub (Feb 21, 2025):

> /var/lib/gitea/https/certificates/ca.mydomain.com-acme-acme-directory/ is the correct directory but the renewal attempts to access /var/lib/gitea/https/certificates/acme-v02.api.letsencrypt.org-directory/. The root directory is now correct, but it seems like there's an assumption that LetsEncrypt is being used when that's not the case.

If I understand correctly, that directory is from CA (aka setting.AcmeURL => ACME_URL). If you use the default ACME service (letsencrypt), then the URL is https://acme-v02.api.letsencrypt.org/directory, then it uses .../https/certificates/acme-v02.api.letsencrypt.org-directory. If you use a customized ACME service https://ca.mydomain.com/acme/acme/directory, then it becomes .../https/certificates/ca.mydomain.com-acme-acme-directory.

At the moment, I don't see that the logic on the Gitea side has changed. #33072 and its follow-up fix only set the global default storage path.

So maybe it is a misconfiguration or the ACME package's problem?

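The two comments above (the original report and the explanation of how the per-CA directory is named) describe the same naming rule from two sides: the certificate directory is derived from ACME_URL, so a renewal that reads the Let's Encrypt directory while ACME_URL points at a private CA is looking in the wrong place. The following added example is not Gitea's or certmagic's code; it reproduces the naming rule as far as the two paths in this thread show it (scheme dropped, "/" replaced by "-"), which is an assumption, and gives an operator a way to check a path seen in a renewal log against the configured ACME_URL.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// DefaultACMEURL is the Let's Encrypt production directory, the CA whose
// directory name showed up in the renewal path reported in this thread.
const DefaultACMEURL = "https://acme-v02.api.letsencrypt.org/directory"

// CADirName derives the per-CA directory name from an ACME directory URL.
// Assumption (not certmagic's own code): drop the scheme, drop a trailing
// slash, and replace every "/" with "-". This reproduces both names seen
// in this thread.
func CADirName(acmeURL string) string {
	u := strings.TrimSpace(acmeURL)
	if i := strings.Index(u, "://"); i >= 0 {
		u = u[i+3:]
	}
	u = strings.TrimSuffix(u, "/")
	return strings.ReplaceAll(u, "/", "-")
}

// ExpectedCertDir is where certificates for acmeURL should live under
// storageRoot (for this thread, /var/lib/gitea/https).
func ExpectedCertDir(storageRoot, acmeURL string) string {
	return filepath.Join(storageRoot, "certificates", CADirName(acmeURL))
}

// PathMatchesCA reports whether a path taken from a renewal log line is the
// expected directory for acmeURL, or a file beneath it.
func PathMatchesCA(observed, storageRoot, acmeURL string) bool {
	rel, err := filepath.Rel(ExpectedCertDir(storageRoot, acmeURL), filepath.Clean(observed))
	if err != nil {
		return false // e.g. relative path against an absolute root
	}
	return rel != ".." && !strings.HasPrefix(rel, "../")
}

// Diagnose explains a mismatch in one line: if the observed path belongs to
// the default CA while ACME_URL points elsewhere, the renewal is looking in
// the wrong directory, which is the symptom this issue describes.
func Diagnose(observed, storageRoot, acmeURL string) string {
	switch {
	case PathMatchesCA(observed, storageRoot, acmeURL):
		return "ok: renewal path matches ACME_URL"
	case acmeURL != DefaultACMEURL && PathMatchesCA(observed, storageRoot, DefaultACMEURL):
		return "mismatch: renewal uses the default CA directory, but ACME_URL is " + acmeURL
	default:
		return "mismatch: renewal path is outside the expected certificate directory"
	}
}

func main() {
	// Constructed values taken from the paths quoted in this thread.
	root := "/var/lib/gitea/https"
	custom := "https://ca.mydomain.com/acme/acme/directory"
	observed := "/var/lib/gitea/https/certificates/acme-v02.api.letsencrypt.org-directory/"
	fmt.Println("expected:", ExpectedCertDir(root, custom))
	fmt.Println("observed:", observed)
	fmt.Println(Diagnose(observed, root, custom))
}
```

Run it with the storage root, the configured ACME_URL and the directory named in the `error while checking if stored certificate is also expiring soon` log line; a "mismatch: renewal uses the default CA directory" result is the situation reported here, while "ok" points at something other than the path derivation.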

@wxiaoguang commented on GitHub (Feb 21, 2025):

The best guess from my side is like this: "Fix ACME path when renew #33668" (see the comment)

And @techknowlogick , the certmagic code is from "Use caddy's certmagic library for extensible/robust ACME handling (#14177)"


@wxiaoguang commented on GitHub (Mar 5, 2025):

OK, the new "fix" is still problematic.

-> Revert "Try to fix ACME path when renew (#33668)" #33805
-> Revert "Try to fix ACME path when renew (#33668) (#33693)" #33804

I give up on this problem. Maybe the original authors @techknowlogick could know how to make it right.


@wxiaoguang commented on GitHub (Mar 5, 2025):

The last try: Try to fix ACME (3rd) #33807

Reference: github-starred/gitea#13565