acme: only require prompt if server has terms of service Fixes golang/go#64881 Change-Id: I2b4415e6f987aab258c26c090ac7b1a465aa1697 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/719001 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Filippo Valsorda <filippo@golang.org>
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index cde9066..69461e3 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -248,10 +248,6 @@
 // If GetCertificate is used directly, instead of via Manager.TLSConfig, package users will
 // also have to add acme.ALPNProto to NextProtos for tls-alpn-01, or use HTTPHandler for http-01.
 func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if m.Prompt == nil {
-		return nil, errors.New("acme/autocert: Manager.Prompt not set")
-	}
-
 	name := hello.ServerName
 	if name == "" {
 		return nil, errors.New("acme/autocert: missing server name")
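Review bot: With the upfront nil check gone from GetCertificate, a missing Prompt is no longer reported as a configuration error on the first handshake; it now surfaces later, from inside account registration, and only when the CA advertises terms of service. The Manager.Prompt field comment (outside this hunk) should state that, e.g. `// Prompt may be nil only when the CA publishes no terms of service; otherwise certificate acquisition fails at account registration.`, so operators do not discover the requirement when the first certificate is requested in production. GetCertificate's body continues past the end of the hunk.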
diff --git a/acme/autocert/autocert_test.go b/acme/autocert/autocert_test.go
index 8ca8e2b..d9f19c2 100644
--- a/acme/autocert/autocert_test.go
+++ b/acme/autocert/autocert_test.go
@@ -201,7 +201,7 @@
 			prepare: func(t *testing.T, man *Manager, s *acmetest.CAServer) {
 				man.Prompt = nil
 			},
-			expectError: "Manager.Prompt not set",
+			expectError: "missing Manager.Prompt",
 		},
 		{
 			name: "trailingDot",
diff --git a/acme/autocert/internal/acmetest/ca.go b/acme/autocert/internal/acmetest/ca.go
index c7ddd3d..c80a81c 100644
--- a/acme/autocert/internal/acmetest/ca.go
+++ b/acme/autocert/internal/acmetest/ca.go
@@ -239,7 +239,8 @@
 }
 
 type discoveryMeta struct {
-	ExternalAccountRequired bool `json:"externalAccountRequired,omitempty"`
+	Terms string `json:"termsOfService,omitempty"`
+	ExternalAccountRequired bool `json:"externalAccountRequired,omitempty"`
 }
 
 type challenge struct {
@@ -281,6 +282,7 @@
 		NewAccount: ca.serverURL("/new-account"),
 		NewOrder: ca.serverURL("/new-order"),
 		Meta: discoveryMeta{
+			Terms: ca.serverURL("/terms"),
 			ExternalAccountRequired: ca.eabRequired,
 		},
 	}
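Review bot: The fake CA now unconditionally publishes a terms URL (second hunk, `Terms: ca.serverURL("/terms")`), so every autocert test exercises the "terms present" path, while the case this commit enables — an empty Terms in the directory with a nil Prompt succeeding — is not covered by any test visible in this diff. Consider making Terms configurable on the test server (an option that leaves it empty) and adding a table entry that registers with `man.Prompt = nil` against such a CA. Whether CAServer already has an option mechanism to hang this on is not visible from the hunk.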
diff --git a/acme/rfc8555.go b/acme/rfc8555.go
index 976b277..1fb110e 100644
--- a/acme/rfc8555.go
+++ b/acme/rfc8555.go
@@ -53,6 +53,9 @@
 		Contact: acct.Contact,
 	}
 	if c.dir.Terms != "" {
+		if prompt == nil {
+			return nil, errors.New("acme: missing Manager.Prompt to accept server's terms of service")
+		}
 		req.TermsAgreed = prompt(c.dir.Terms)
 	}
 
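Review bot: The new error string names `Manager.Prompt`, an autocert concept, from inside package acme, whose registration API takes a plain `prompt` callback and is also used without autocert; the message should describe the acme-level contract instead, e.g. `return nil, errors.New("acme: server requires accepting terms of service but no prompt function was provided")`, with the autocert test's expectError updated to match. Since the check sits inside `if c.dir.Terms != ""`, a nil prompt is accepted silently for CAs that publish no terms; that is the intended behavior, but the exported registration function's doc comment (outside this hunk) should say that prompt may be nil only in that case. The enclosing function starts and ends outside the hunk.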