Fix handling of non-existing ACME accounts with Digicert ACME endpoint (#681)

* Compatibility for DigiCert CA: also accept 404 instead of 400 for non-existing accounts. * Add changelog fragment. * Fix URL.
2023-12-07 22:25:54 +01:00 · 2023-12-07 22:25:54 +01:00 · 67f1d1129b
parent d9362a2ce9
commit 67f1d1129b
2 changed files with 6 additions and 1 deletions
--- a/changelogs/fragments/681-acme-account.yml
+++ b/changelogs/fragments/681-acme-account.yml
@ -0,0 +1,3 @@
+bugfixes:
+  - "acme_* modules - make account registration handling more flexible to accept 404 instead of
+     400 send by DigiCert's ACME endpoint when an account does not exist (https://github.com/ansible-collections/community.crypto/pull/681)."
--- a/plugins/module_utils/acme/account.py
+++ b/plugins/module_utils/acme/account.py
@ -118,8 +118,10 @@ class ACMEAccount(object):
            if 'location' in info:
                self.client.set_account_uri(info['location'])
            return False, result
-        elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
+        elif info['status'] in (400, 404) and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
            # Account does not exist (and we did not try to create it)
+            # (According to RFC 8555, Section 7.3.1, the HTTP status code MUST be 400.
+            # Unfortunately Digicert does not care and sends 404 instead.)
            return False, None
        elif info['status'] == 403 and result['type'] == 'urn:ietf:params:acme:error:unauthorized' and 'deactivated' in (result.get('detail') or ''):
            # Account has been deactivated; currently works for Pebble; has not been