From b2245e698e4c75f04b50d0da1b659a267ca8f64f Mon Sep 17 00:00:00 2001 From: Kong Team Gateway Bot <98048765+team-gateway-bot@users.noreply.github.com> Date: Thu, 28 Mar 2024 02:42:15 -0700 Subject: [PATCH] fix(plugins/acme): fix certificate renew failure issue (#12801) Using client.renew_certificate directly as the callback function in ngx_timer_at causes the parameter value to not be the plugin's config. KAG-4008 Co-authored-by: Niklaus Schen <8458369+Water-Melon@users.noreply.github.com> --- changelog/unreleased/kong/fix-acme-renewal-bug.yml | 3 +++ kong/plugins/acme/api.lua | 2 +- kong/plugins/acme/handler.lua | 3 +++ spec/03-plugins/29-acme/01-client_spec.lua | 12 ++++++++++++ 4 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 changelog/unreleased/kong/fix-acme-renewal-bug.yml diff --git a/changelog/unreleased/kong/fix-acme-renewal-bug.yml b/changelog/unreleased/kong/fix-acme-renewal-bug.yml new file mode 100644 index 000000000000..bd033c6de975 --- /dev/null +++ b/changelog/unreleased/kong/fix-acme-renewal-bug.yml @@ -0,0 +1,3 @@ +message: "**ACME**: Fixed an issue where the certificate was not successfully renewed during ACME renewal." +type: bugfix +scope: Plugin diff --git a/kong/plugins/acme/api.lua b/kong/plugins/acme/api.lua index 1f0852a1d90d..7323aa432d88 100644 --- a/kong/plugins/acme/api.lua +++ b/kong/plugins/acme/api.lua @@ -125,7 +125,7 @@ return { end, PATCH = function() - ngx_timer_at(0, client.renew_certificate) + ngx_timer_at(0, handler.renew) return kong.response.exit(202, { message = "Renewal process started successfully" }) end, }, diff --git a/kong/plugins/acme/handler.lua b/kong/plugins/acme/handler.lua index 58cf7fa6000a..506ca8cf5ab9 100644 --- a/kong/plugins/acme/handler.lua +++ b/kong/plugins/acme/handler.lua 
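Review bot: The result of `ngx_timer_at(0, handler.renew)` in the PATCH handler of kong/plugins/acme/api.lua is discarded, so the endpoint answers 202 "Renewal process started successfully" even when the timer could not be created and no renewal will run. ngx.timer.at returns a falsy value plus an error string on failure. Checking it, for example `local ok, err = ngx_timer_at(0, handler.renew)` followed by `if not ok then kong.log.err("failed to schedule ACME renewal: ", err) return kong.response.exit(500, { message = "Failed to start renewal" }) end`, keeps an operator from assuming a certificate is being renewed when it is not. The diffstat shows a single changed line in this file, so `handler` is presumably already required outside the hunk; that is worth confirming, since the PATCH function's surroundings are not visible here.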
@@ -82,6 +82,9 @@ local function renew(premature) end +ACMEHandler.renew = renew + + function ACMEHandler:init_worker() local worker_id = ngx.worker.id() kong.log.info("acme renew timer started on worker ", worker_id) diff --git a/spec/03-plugins/29-acme/01-client_spec.lua b/spec/03-plugins/29-acme/01-client_spec.lua index f77b712201fa..75787ad65861 100644 --- a/spec/03-plugins/29-acme/01-client_spec.lua +++ b/spec/03-plugins/29-acme/01-client_spec.lua @@ -452,6 +452,18 @@ for _, strategy in ipairs({"off"}) do assert.is_nil(err) assert.is_falsy(renew) end) + + it("calling handler.renew with a false argument should be successful", function() + local handler = require("kong.plugins.acme.handler") + handler:configure({{domains = {"example.com"}}}) + + local original = client.renew_certificate + client.renew_certificate = function (config) + print("mock renew_certificate") + end + handler.renew(false) + client.renew_certificate = original + end) end) end)
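Review bot: The new export `ACMEHandler.renew = renew` in kong/plugins/acme/handler.lua has no comment saying that it is a plain function with the timer-callback signature `(premature)`, while the neighbouring members such as `ACMEHandler:init_worker()` are methods. A caller writing `handler:renew()` would pass the handler table as `premature`; if renew returns early on a truthy `premature`, as timer callbacks usually do, the renewal would be skipped without any error, but the body of renew is outside this hunk. I would add a comment above the assignment such as `-- Exported for the Admin API: timer callback, call as handler.renew(premature), never with ':'` and note there that it relies on the configuration stored by `:configure()`, which is what the spec in this commit suggests.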
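Review bot: The test added to spec/03-plugins/29-acme/01-client_spec.lua contains no assertion, so it passes whenever `handler.renew(false)` does not throw and never checks the property the commit message describes, namely that `client.renew_certificate` receives the plugin's config. The mock is also restored only on the success path, so an error inside `handler.renew` would leave `client.renew_certificate` replaced for the specs that run afterwards. Capturing the argument, asserting on it, and restoring through busted's `finally` covers both. The assertion below assumes renew passes each configured entry through unchanged, which is not visible in this hunk.

```lua
      local original = client.renew_certificate
      local seen
      client.renew_certificate = function(config)
        seen = config
      end
      -- restore the real function even if renew() raises
      finally(function() client.renew_certificate = original end)

      handler.renew(false)
      assert.same({ "example.com" }, seen.domains)
```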