Ability to disable distributed solvers

This makes it possible to avoid storage writes, and still supports distributed solving of the http-01 challenge only (requires the correct ACME account to be used -- configuring it in AccountKeyPEM can be helpful).

Author: mholt

account.go

@@ -36,9 +36,27 @@ import (
 	"go.uber.org/zap"
 )
 
-// getAccount either loads or creates a new account, depending on if
+// getAccountToUse will either load or create an account based on the configuration of the issuer.
+// It will try to get one from storage if one exists, and if not, it will create one, all the while
+// honoring the configured account key PEM (if any) to restrict which account is used.
+func (iss *ACMEIssuer) getAccountToUse(ctx context.Context, directory string) (acme.Account, error) {
+	var account acme.Account
+	var err error
+	if iss.AccountKeyPEM != "" {
+		iss.Logger.Info("using configured ACME account")
+		account, err = iss.GetAccount(ctx, []byte(iss.AccountKeyPEM))
+	} else {
+		account, err = iss.loadOrCreateAccount(ctx, directory, iss.getEmail())
+	}
+	if err != nil {
+		return acme.Account{}, fmt.Errorf("getting ACME account: %v", err)
+	}
+	return account, nil
+}
+
+// loadOrCreateAccount either loads or creates a new account, depending on if
 // an account can be found in storage for the given CA + email combo.
-func (am *ACMEIssuer) getAccount(ctx context.Context, ca, email string) (acme.Account, error) {
+func (am *ACMEIssuer) loadOrCreateAccount(ctx context.Context, ca, email string) (acme.Account, error) {
 	acct, err := am.loadAccount(ctx, ca, email)
 	if errors.Is(err, fs.ErrNotExist) {
 		am.Logger.Info("creating new account because no account for configured email is known to us",
@@ -407,7 +425,7 @@ func (am *ACMEIssuer) mostRecentAccountEmail(ctx context.Context, caURL string)
 		return "", false
 	}
 
-	account, err := am.getAccount(ctx, caURL, path.Base(accountList[0]))
+	account, err := am.loadOrCreateAccount(ctx, caURL, path.Base(accountList[0]))
 	if err != nil {
 		return "", false
 	}

account_test.go

@@ -210,7 +210,7 @@ func TestSaveAccount(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error saving account: %v", err)
 	}
-	_, err = am.getAccount(ctx, am.CA, email)
+	_, err = am.loadOrCreateAccount(ctx, am.CA, email)
 	if err != nil {
 		t.Errorf("Cannot access account data, error: %v", err)
 	}
@@ -228,7 +228,7 @@ func TestGetAccountDoesNotAlreadyExist(t *testing.T) {
 	}
 	am.config = testConfig
 
-	account, err := am.getAccount(ctx, am.CA, "account_does_not_exist@foobar.com")
+	account, err := am.loadOrCreateAccount(ctx, am.CA, "account_does_not_exist@foobar.com")
 	if err != nil {
 		t.Fatalf("Error getting account: %v", err)
 	}
@@ -271,7 +271,7 @@ func TestGetAccountAlreadyExists(t *testing.T) {
 	}
 
 	// Expect to load account from disk
-	loadedAccount, err := am.getAccount(ctx, am.CA, email)
+	loadedAccount, err := am.loadOrCreateAccount(ctx, am.CA, email)
 	if err != nil {
 		t.Fatalf("Error getting account: %v", err)
 	}

acmeclient.go

@@ -55,23 +55,7 @@ func (iss *ACMEIssuer) newACMEClientWithAccount(ctx context.Context, useTestCA,
 	// we try loading the account from storage before a potential
 	// lock, and after obtaining the lock as well, to ensure we don't
 	// repeat work done by another instance or goroutine
-	getAccount := func() (acme.Account, error) {
-		// look up or create the ACME account
-		var account acme.Account
-		if iss.AccountKeyPEM != "" {
-			iss.Logger.Info("using configured ACME account")
-			account, err = iss.GetAccount(ctx, []byte(iss.AccountKeyPEM))
-		} else {
-			account, err = iss.getAccount(ctx, client.Directory, iss.getEmail())
-		}
-		if err != nil {
-			return acme.Account{}, fmt.Errorf("getting ACME account: %v", err)
-		}
-		return account, nil
-	}
-
-	// first try getting the account
-	account, err := getAccount()
+	account, err := iss.getAccountToUse(ctx, client.Directory)
 	if err != nil {
 		return nil, err
 	}
@@ -95,7 +79,7 @@ func (iss *ACMEIssuer) newACMEClientWithAccount(ctx context.Context, useTestCA,
 		}()
 
 		// if we're not the only one waiting for this account, then by this point it should already be registered and in storage; reload it
-		account, err = getAccount()
+		account, err = iss.getAccountToUse(ctx, client.Directory)
 		if err != nil {
 			return nil, err
 		}
@@ -207,26 +191,34 @@ func (iss *ACMEIssuer) newACMEClient(useTestCA bool) (*acmez.Client, error) {
 	if iss.DNS01Solver == nil {
 		// enable HTTP-01 challenge
 		if !iss.DisableHTTPChallenge {
-			client.ChallengeSolvers[acme.ChallengeTypeHTTP01] = distributedSolver{
-				storage:                iss.config.Storage,
-				storageKeyIssuerPrefix: iss.storageKeyCAPrefix(client.Directory),
-				solver: &httpSolver{
-					handler: iss.HTTPChallengeHandler(http.NewServeMux()),
-					address: net.JoinHostPort(iss.ListenHost, strconv.Itoa(iss.getHTTPPort())),
-				},
+			var solver acmez.Solver = &httpSolver{
+				handler: iss.HTTPChallengeHandler(http.NewServeMux()),
+				address: net.JoinHostPort(iss.ListenHost, strconv.Itoa(iss.getHTTPPort())),
+			}
+			if !iss.DisableDistributedSolvers {
+				solver = distributedSolver{
+					storage:                iss.config.Storage,
+					storageKeyIssuerPrefix: iss.storageKeyCAPrefix(client.Directory),
+					solver:                 solver,
+				}
 			}
+			client.ChallengeSolvers[acme.ChallengeTypeHTTP01] = solver
 		}
 
 		// enable TLS-ALPN-01 challenge
 		if !iss.DisableTLSALPNChallenge {
-			client.ChallengeSolvers[acme.ChallengeTypeTLSALPN01] = distributedSolver{
-				storage:                iss.config.Storage,
-				storageKeyIssuerPrefix: iss.storageKeyCAPrefix(client.Directory),
-				solver: &tlsALPNSolver{
-					config:  iss.config,
-					address: net.JoinHostPort(iss.ListenHost, strconv.Itoa(iss.getTLSALPNPort())),
-				},
+			var solver acmez.Solver = &tlsALPNSolver{
+				config:  iss.config,
+				address: net.JoinHostPort(iss.ListenHost, strconv.Itoa(iss.getTLSALPNPort())),
+			}
+			if !iss.DisableDistributedSolvers {
+				solver = distributedSolver{
+					storage:                iss.config.Storage,
+					storageKeyIssuerPrefix: iss.storageKeyCAPrefix(client.Directory),
+					solver:                 solver,
+				}
 			}
+			client.ChallengeSolvers[acme.ChallengeTypeTLSALPN01] = solver
 		}
 	} else {
 		// use DNS challenge exclusively

acmeissuer.go

@@ -93,6 +93,15 @@ type ACMEIssuer struct {
 	// Disable all TLS-ALPN challenges
 	DisableTLSALPNChallenge bool
 
+	// Disable distributed solving; avoids writing
+	// challenge info to storage backend and will
+	// only use data in memory to solve the HTTP and
+	// TLS-ALPN challenges; will still attempt to
+	// solve distributed HTTP challenges blindly by
+	// using available account and challenge token
+	// as read from request URI
+	DisableDistributedSolvers bool
+
 	// The host (ONLY the host, not port) to listen
 	// on if necessary to start a listener to solve
 	// an ACME challenge
@@ -340,7 +349,7 @@ func (iss *ACMEIssuer) isAgreed() bool {
 // IP certificates via ACME are defined in RFC 8738.
 func (am *ACMEIssuer) PreCheck(ctx context.Context, names []string, interactive bool) error {
 	publicCAsAndIPCerts := map[string]bool{ // map of public CAs to whether they support IP certificates (last updated: Q1 2024)
-		"api.letsencrypt.org": true, // https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/
+		"api.letsencrypt.org": true,  // https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/
 		"acme.zerossl.com":    false, // only supported via their API, not ACME endpoint
 		"api.pki.goog":        true,  // https://pki.goog/faq/#faq-IPCerts
 		"api.buypass.com":     false, // https://community.buypass.com/t/h7hm76w/buypass-support-for-rfc-8738

config.go

@@ -1158,20 +1158,29 @@ func (cfg *Config) TLSConfig() *tls.Config {
 	}
 }
 
-// getChallengeInfo loads the challenge info from either the internal challenge memory
+// getACMEChallengeInfo loads the challenge info from either the internal challenge memory
 // or the external storage (implying distributed solving). The second return value
 // indicates whether challenge info was loaded from external storage. If true, the
 // challenge is being solved in a distributed fashion; if false, from internal memory.
 // If no matching challenge information can be found, an error is returned.
-func (cfg *Config) getChallengeInfo(ctx context.Context, identifier string) (Challenge, bool, error) {
+func (cfg *Config) getACMEChallengeInfo(ctx context.Context, identifier string, allowDistributed bool) (Challenge, bool, error) {
 	// first, check if our process initiated this challenge; if so, just return it
 	chalData, ok := GetACMEChallenge(identifier)
 	if ok {
 		return chalData, false, nil
 	}
 
+	// if distributed solving is disabled, and we don't have it in memory, return an error
+	if !allowDistributed {
+		return Challenge{}, false, fmt.Errorf("distributed solving disabled and no challenge information found internally for identifier: %s", identifier)
+	}
+
 	// otherwise, perhaps another instance in the cluster initiated it; check
-	// the configured storage to retrieve challenge data
+	// the configured storage to retrieve challenge data (requires storage)
+
+	if cfg.Storage == nil {
+		return Challenge{}, false, errors.New("challenge was not initiated internally and no storage is configured for distributed solving")
+	}
 
 	var chalInfo acme.Challenge
 	var chalInfoBytes []byte

go.mod

@@ -6,22 +6,22 @@ toolchain go1.24.0
 
 require (
 	github.com/caddyserver/zerossl v0.1.3
-	github.com/klauspost/cpuid/v2 v2.2.10
-	github.com/libdns/libdns v1.0.0
-	github.com/mholt/acmez/v3 v3.1.2
-	github.com/miekg/dns v1.1.63
+	github.com/klauspost/cpuid/v2 v2.3.0
+	github.com/libdns/libdns v1.1.1
+	github.com/mholt/acmez/v3 v3.1.3
+	github.com/miekg/dns v1.1.68
 	github.com/zeebo/blake3 v0.2.4
 	go.uber.org/zap v1.27.0
 	go.uber.org/zap/exp v0.3.0
-	golang.org/x/crypto v0.36.0
-	golang.org/x/net v0.38.0
+	golang.org/x/crypto v0.41.0
+	golang.org/x/net v0.43.0
 )
 
 require (
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/tools v0.31.0 // indirect
+	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/tools v0.35.0 // indirect
 )

go.sum

@@ -4,14 +4,14 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
-github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-github.com/libdns/libdns v1.0.0 h1:IvYaz07JNz6jUQ4h/fv2R4sVnRnm77J/aOuC9B+TQTA=
-github.com/libdns/libdns v1.0.0/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
-github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=
-github.com/mholt/acmez/v3 v3.1.2/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
-github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
-github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
+github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
+github.com/mholt/acmez/v3 v3.1.3 h1:gUl789rjbJSuM5hYzOFnNaGgWPV1xVfnOs59o0dZEcc=
+github.com/mholt/acmez/v3 v3.1.3/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
+github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA=
+github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
@@ -30,19 +30,19 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
 go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
-golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
-golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

handshake.go

@@ -853,7 +853,7 @@ func (cfg *Config) getCertFromAnyCertManager(ctx context.Context, hello *tls.Cli
 // solving). True is returned if the challenge is being solved distributed (there
 // is no semantic difference with distributed solving; it is mainly for logging).
 func (cfg *Config) getTLSALPNChallengeCert(clientHello *tls.ClientHelloInfo) (*tls.Certificate, bool, error) {
-	chalData, distributed, err := cfg.getChallengeInfo(clientHello.Context(), clientHello.ServerName)
+	chalData, distributed, err := cfg.getACMEChallengeInfo(clientHello.Context(), clientHello.ServerName, true)
 	if err != nil {
 		return nil, distributed, err
 	}