RA: Don't reuse authzs with mismatched profiles

letsencrypt · Jan 21, 2025 · dc6073a · dc6073a
1 parent a620455
commit dc6073a
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/ra/ra.go b/ra/ra.go
@@ -2155,6 +2155,11 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 			missingAuthzIdents = append(missingAuthzIdents, ident)
 			continue
 		}
+		// If the authz is associated with the wrong profile, don't reuse it.
+		if authz.CertificateProfileName != req.CertificateProfileName {
+			missingAuthzIdents = append(missingAuthzIdents, ident)
+			continue
+		}
 		authzAge := (ra.authorizationLifetime - authz.Expires.Sub(ra.clk.Now())).Seconds()
 		// If the identifier is a wildcard and the existing authz only has one
 		// DNS-01 type challenge we can reuse it. In theory we will

diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -1378,10 +1378,10 @@ func TestNewOrder(t *testing.T) {
 	test.AssertEquals(t, err.Error(), "Cannot issue for \"a\": Domain name needs at least one dot")
 }
 
-// TestNewOrderReuse tests that subsequent requests by an ACME account to create
+// TestNewOrder_OrderReuse tests that subsequent requests by an ACME account to create
 // an identical order results in only one order being created & subsequently
 // reused.
-func TestNewOrder_OrderReusex(t *testing.T) {
+func TestNewOrder_OrderReuse(t *testing.T) {
 	_, _, ra, _, _, cleanUp := initAuthorities(t)
 	defer cleanUp()
 
@@ -1589,6 +1589,7 @@ func TestNewOrder_AuthzReuse(t *testing.T) {
 		Name           string
 		RegistrationID int64
 		DnsName        string
+		Profile        string
 		ExpectReuse    bool
 	}{
 		{
@@ -1609,6 +1610,13 @@ func TestNewOrder_AuthzReuse(t *testing.T) {
 			DnsName:        invalid,
 			ExpectReuse:    false,
 		},
+		{
+			Name:           "Don't reuse valid authz with wrong profile",
+			RegistrationID: Registration.Id,
+			DnsName:        valid,
+			Profile:        "test",
+			ExpectReuse:    false,
+		},
 		{
 			Name:           "Don't reuse valid authz from other acct",
 			RegistrationID: secondReg.Id,
@@ -1620,8 +1628,9 @@ func TestNewOrder_AuthzReuse(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.Name, func(t *testing.T) {
 			new, err := ra.NewOrder(context.Background(), &rapb.NewOrderRequest{
-				RegistrationID: tc.RegistrationID,
-				DnsNames:       []string{tc.DnsName},
+				RegistrationID:         tc.RegistrationID,
+				DnsNames:               []string{tc.DnsName},
+				CertificateProfileName: tc.Profile,
 			})
 			test.AssertNotError(t, err, "creating test order")
 			test.AssertNotEquals(t, new.Id, extant.Id)