acme: only require prompt if server has terms of service

seankhliao · seankhliao · commit a408498e5541 · 2026-02-13T09:12:11.000-08:00
Fixes golang/go#64881 Change-Id: I2b4415e6f987aab258c26c090ac7b1a465aa1697 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/719001 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Filippo Valsorda <filippo@golang.org>
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
@@ -248,10 +248,6 @@ func (m *Manager) TLSConfig() *tls.Config {
 // If GetCertificate is used directly, instead of via Manager.TLSConfig, package users will
 // also have to add acme.ALPNProto to NextProtos for tls-alpn-01, or use HTTPHandler for http-01.
 func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if m.Prompt == nil {
-		return nil, errors.New("acme/autocert: Manager.Prompt not set")
-	}
-
 	name := hello.ServerName
 	if name == "" {
 		return nil, errors.New("acme/autocert: missing server name")
diff --git a/acme/autocert/autocert_test.go b/acme/autocert/autocert_test.go
@@ -201,7 +201,7 @@ func TestGetCertificate(t *testing.T) {
 			prepare: func(t *testing.T, man *Manager, s *acmetest.CAServer) {
 				man.Prompt = nil
 			},
-			expectError: "Manager.Prompt not set",
+			expectError: "missing Manager.Prompt",
 		},
 		{
 			name:   "trailingDot",
diff --git a/acme/autocert/internal/acmetest/ca.go b/acme/autocert/internal/acmetest/ca.go
@@ -239,7 +239,8 @@ type discovery struct {
 }
 
 type discoveryMeta struct {
-	ExternalAccountRequired bool `json:"externalAccountRequired,omitempty"`
+	Terms                   string `json:"termsOfService,omitempty"`
+	ExternalAccountRequired bool   `json:"externalAccountRequired,omitempty"`
 }
 
 type challenge struct {
@@ -281,6 +282,7 @@ func (ca *CAServer) handle(w http.ResponseWriter, r *http.Request) {
 			NewAccount: ca.serverURL("/new-account"),
 			NewOrder:   ca.serverURL("/new-order"),
 			Meta: discoveryMeta{
+				Terms:                   ca.serverURL("/terms"),
 				ExternalAccountRequired: ca.eabRequired,
 			},
 		}
diff --git a/acme/rfc8555.go b/acme/rfc8555.go
@@ -53,6 +53,9 @@ func (c *Client) registerRFC(ctx context.Context, acct *Account, prompt func(tos
 		Contact: acct.Contact,
 	}
 	if c.dir.Terms != "" {
+		if prompt == nil {
+			return nil, errors.New("acme: missing Manager.Prompt to accept server's terms of service")
+		}
 		req.TermsAgreed = prompt(c.dir.Terms)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -201,7 +201,7 @@ func TestGetCertificate(t *testing.T) {`
`201`	`201`	`prepare: func(t testing.T, man Manager, s *acmetest.CAServer) {`
`202`	`202`	`man.Prompt = nil`
`203`	`203`	`},`
`204`		`- expectError: "Manager.Prompt not set",`
	`204`	`+ expectError: "missing Manager.Prompt",`
`205`	`205`	`},`
`206`	`206`	`{`
`207`	`207`	`name: "trailingDot",`
Original file line number	Diff line number	Diff line change
`@@ -239,7 +239,8 @@ type discovery struct {`
`239`	`239`	`}`
`240`	`240`
`241`	`241`	`type discoveryMeta struct {`
`242`		- ExternalAccountRequired bool `json:"externalAccountRequired,omitempty"`
	`242`	+ Terms string `json:"termsOfService,omitempty"`
	`243`	+ ExternalAccountRequired bool `json:"externalAccountRequired,omitempty"`
`243`	`244`	`}`
`244`	`245`
`245`	`246`	`type challenge struct {`
`@@ -281,6 +282,7 @@ func (ca CAServer) handle(w http.ResponseWriter, r http.Request) {`
`281`	`282`	`NewAccount: ca.serverURL("/new-account"),`
`282`	`283`	`NewOrder: ca.serverURL("/new-order"),`
`283`	`284`	`Meta: discoveryMeta{`
	`285`	`+ Terms: ca.serverURL("/terms"),`
`284`	`286`	`ExternalAccountRequired: ca.eabRequired,`
`285`	`287`	`},`
`286`	`288`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,9 @@ func (c Client) registerRFC(ctx context.Context, acct Account, prompt func(tos`
`53`	`53`	`Contact: acct.Contact,`
`54`	`54`	`}`
`55`	`55`	`if c.dir.Terms != "" {`
	`56`	`+ if prompt == nil {`
	`57`	`+ return nil, errors.New("acme: missing Manager.Prompt to accept server's terms of service")`
	`58`	`+ }`
`56`	`59`	`req.TermsAgreed = prompt(c.dir.Terms)`
`57`	`60`	`}`
`58`	`61`