caddyhttp: Always provision ACME issuers (fix terms agree error)

1 files changed, 6 insertions, 7 deletions

diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index d8e5c268e..00853f8ef 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -551,7 +551,6 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, publicNames, interna
 // config values. If any changes are made, acmeIssuer is
 // reprovisioned. acmeIssuer must not be nil.
 func (app *App) fillInACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) error {
-	var anyChanges bool
 	if app.HTTPPort > 0 || app.HTTPSPort > 0 {
 		if acmeIssuer.Challenges == nil {
 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
@@ -564,7 +563,6 @@ func (app *App) fillInACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) error {
 		// don't overwrite existing explicit config
 		if acmeIssuer.Challenges.HTTP.AlternatePort == 0 {
 			acmeIssuer.Challenges.HTTP.AlternatePort = app.HTTPPort
-			anyChanges = true
 		}
 	}
 	if app.HTTPSPort > 0 {
@@ -574,13 +572,14 @@ func (app *App) fillInACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) error {
 		// don't overwrite existing explicit config
 		if acmeIssuer.Challenges.TLSALPN.AlternatePort == 0 {
 			acmeIssuer.Challenges.TLSALPN.AlternatePort = app.HTTPSPort
-			anyChanges = true
 		}
 	}
-	if anyChanges {
-		return acmeIssuer.Provision(app.ctx)
-	}
-	return nil
+	// we must provision all ACME issuers, even if nothing
+	// was changed, because we don't know if they are new
+	// and haven't been provisioned yet; if an ACME issuer
+	// never gets provisioned, its Agree field stays false,
+	// which leads to, um, problems later on
+	return acmeIssuer.Provision(app.ctx)
 }
 
 // automaticHTTPSPhase2 begins certificate management for