| -rw-r--r-- | Changelog | 11 | ||||
| -rwxr-xr-x | client | 31 | ||||
| -rwxr-xr-x | lacme | 2 | ||||
| -rwxr-xr-x | lacme-accountd | 2 | ||||
| -rw-r--r-- | tests/old-accountd | 2 | 
5 files changed, 31 insertions, 17 deletions
| @@ -1,3 +1,14 @@ +lacme (0.8.2) upstream; + +  + client: Handle "ready" → "processing" → "valid" status change during +    newOrder, instead of just "ready" → "valid".  The latter may be what +    we observe when the server is fast enough, but according to RFC 8555 +    sec. 7.1.6 the state actually transitions via "processing" state and +    we need to account for that. +  - Test suite: Point stretch's archive URL to archive.d.o. + + -- Guilhem Moulin <guilhem@fripost.org>  Tue, 25 Apr 2023 20:06:22 +0200 +  lacme (0.8.1) upstream;   + lacme-accountd: improve log messages and refactor logging logic. @@ -43,7 +43,7 @@ use warnings;  # instance own by another user and created with umask 0177) is not a  # problem since SOCKET_FD can be bound as root prior to the execve(2). -our $VERSION = '0.8.1'; +our $VERSION = '0.8.2';  my $PROTOCOL_VERSION = 1;  my $NAME = 'lacme-client'; @@ -346,11 +346,12 @@ elsif ($COMMAND eq 'newOrder') {      }      # poll the order URL (to get the status of all challenges at once) -    # until the status become 'valid' +    # until the status become 'valid'; see RFC 8555 sec. 7.1.6 for the +    # the status change flow      my $orderstr = join(', ', map {uc($_->{type}) .":". $_->{value}} @identifiers);      my $certuri; -    for (my $i = 0;;) { -        my $r = acme($orderurl); +    for (my $i = 0, my $url = $orderurl, my $payload;;) { +        my $r = acme($url => $payload);          my $resp = request_json_decode($r);          if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)              my $msg = $problem->{status}; 
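Review bot: `acme($url => $payload)` now always passes a second argument, initially undef, where the loop previously called `acme($orderurl)` with one; whether acme() treats an undef payload exactly like an absent one (the POST-as-GET poll) is not visible in this hunk and should be confirmed before relying on it. The fat comma between two positional arguments reads as a key/value pair; a plain comma, `my $r = acme($url, $payload);`, says what is meant. Declaring three lexicals inside the `for` header is hard to read; `my ($url, $payload) = ($orderurl, undef);` on the line above the loop, keeping `for (my $i = 0;;)`, is clearer. The added comment also doubles a word: `# until the status becomes 'valid'; see RFC 8555 sec. 7.1.6 for the` / `# status change flow`. The loop body continues past the end of the hunk.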
@@ -361,19 +362,21 @@ elsif ($COMMAND eq 'newOrder') {
         my $status = $resp->{status};
         if (!defined $status or $status eq "invalid") {
             die "Error: Invalid order $orderstr\n";
-        }
-        elsif ($status eq "ready") {
-            my $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
-            my $resp = request_json_decode($r);
-            $certuri = $resp->{certificate};
-            last;
-        }
-        elsif ($status eq "valid") {
+        } elsif ($status eq "pending") {
+            # keep retrying
+        } elsif ($status eq "ready") {
+            $url = $order->{finalize};
+            $payload = {csr => encode_base64url($csr)};
+            # retry after moving to "processing" or "valid" state
+            next;
+        } elsif ($status eq "processing") {
+            $url = $orderurl;
+            undef $payload;
+        } elsif ($status eq "valid") {
             $certuri = $resp->{certificate} //
                 die "Error: Missing \"certificate\" field in \"valid\" order\n";
             last;
-        }
-        elsif ($status ne "pending" and $status ne "processing") {
+        } else {
             warn "Unknown order status: $status\n";
         }
@@ -22,7 +22,7 @@ use v5.14.2;  use strict;  use warnings;
-our $VERSION = '0.8.1';
+our $VERSION = '0.8.2';
 my $NAME = 'lacme';  use Errno 'EINTR';
diff --git a/lacme-accountd b/lacme-accountd
index a9f5469..8d2c599 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -23,7 +23,7 @@ use v5.14.2;  use strict;  use warnings;
-our $VERSION = '0.8.1';
+our $VERSION = '0.8.2';
 my $PROTOCOL_VERSION = 1;  my $NAME = 'lacme-accountd';
diff --git a/tests/old-accountd b/tests/old-accountd
index abd330d..3ad4b31 100644
--- a/tests/old-accountd
+++ b/tests/old-accountd
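Review bot: Once the "ready" branch has pointed `$url` at the finalize URL and put the CSR in `$payload`, only the "processing" branch switches them back, so a finalize response whose status is "pending", "ready" or unrecognised makes the next iteration POST the CSR to the finalize endpoint again instead of polling the order URL; with "ready" it also goes through `next`, which skips whatever sleep and retry accounting the loop tail does (that tail, and the use of `$i`, are outside the hunk, so this is inferred). Resetting the poll target right after each request, `my $r = acme($url => $payload);` followed by `($url, $payload) = ($orderurl, undef);`, makes the finalize POST a one-shot and lets the "processing" branch drop its two assignments. A server that keeps answering "ready" after finalization would still re-enter that branch each time; a `my $finalized` flag set in the "ready" branch, with a `die` when it is already set, bounds the number of CSR submissions. The `# keep retrying` comment on the empty "pending" branch is fine, but the retry bound it relies on is not visible here.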
@@ -12,7 +12,7 @@ cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF  	privkey = file:/etc/lacme/account.key  EOF -echo "deb http://deb.debian.org/debian stretch main" >>/etc/apt/sources.list +echo "deb http://archive.debian.org/debian stretch main" >>/etc/apt/sources.list  DEBIAN_FRONTEND="noninteractive" apt update  DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \      --reinstall --allow-downgrades \ | 
