-rw-r--r-- | Changelog | 11 | ||||
-rwxr-xr-x | client | 31 | ||||
-rwxr-xr-x | lacme | 2 | ||||
-rwxr-xr-x | lacme-accountd | 2 | ||||
-rw-r--r-- | tests/old-accountd | 2 |
5 files changed, 31 insertions, 17 deletions
@@ -1,3 +1,14 @@
+lacme (0.8.2) upstream;
+
+ + client: Handle "ready" → "processing" → "valid" status change during
+ newOrder, instead of just "ready" → "valid". The latter may be what
+ we observe when the server is fast enough, but according to RFC 8555
+ sec. 7.1.6 the state actually transitions via "processing" state and
+ we need to account for that.
+ - Test suite: Point stretch's archive URL to archive.d.o.
+
+ -- Guilhem Moulin <guilhem@fripost.org> Tue, 25 Apr 2023 20:06:22 +0200
+
 lacme (0.8.1) upstream;
 + lacme-accountd: improve log messages and refactor logging logic.
@@ -43,7 +43,7 @@ use warnings;
 # instance own by another user and created with umask 0177) is not a
 # problem since SOCKET_FD can be bound as root prior to the execve(2).
-our $VERSION = '0.8.1';
+our $VERSION = '0.8.2';
 my $PROTOCOL_VERSION = 1;
 my $NAME = 'lacme-client';
@@ -346,11 +346,12 @@ elsif ($COMMAND eq 'newOrder') {
 }
 # poll the order URL (to get the status of all challenges at once)
- # until the status become 'valid'
+ # until the status become 'valid'; see RFC 8555 sec. 7.1.6 for the
+ the status change flow
 my $orderstr = join(', ', map {uc($_->{type}) .":". $_->{value}} @identifiers);
 my $certuri;
- for (my $i = 0;;) {
- my $r = acme($orderurl);
+ for (my $i = 0, my $url = $orderurl, my $payload;;) {
+ my $r = acme($url => $payload);
 my $resp = request_json_decode($r);
 if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
 my $msg = $problem->{status};
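Review bot: The second line of the rewritten comment in the `@@ -346` hunk doubles a word, `for the` / `the status change flow`, and as rendered here that second added line shows no leading `#`, so please confirm it really is a comment and not a bare line left in the code; `# until the status becomes 'valid'; see RFC 8555 sec. 7.1.6 for the` / `# status change flow` reads cleanly. Packing `my $url = $orderurl, my $payload` into the C-style `for` initialiser through the comma operator hides the loop's request state; `my $url = $orderurl;` and `my $payload;` on their own lines just above the loop, with a short comment that an undefined `$payload` presumably means a plain poll of `$url` (confirm against `acme`), would be easier to follow. The loop body continues in the next hunk.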
@@ -361,19 +362,21 @@ elsif ($COMMAND eq 'newOrder') {
 my $status = $resp->{status};
 if (!defined $status or $status eq "invalid") {
 die "Error: Invalid order $orderstr\n";
- }
- elsif ($status eq "ready") {
- my $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
- my $resp = request_json_decode($r);
- $certuri = $resp->{certificate};
- last;
- }
- elsif ($status eq "valid") {
+ } elsif ($status eq "pending") {
+ # keep retrying
+ } elsif ($status eq "ready") {
+ $url = $order->{finalize};
+ $payload = {csr => encode_base64url($csr)};
+ # retry after moving to "processing" or "valid" state
+ next;
+ } elsif ($status eq "processing") {
+ $url = $orderurl;
+ undef $payload;
+ } elsif ($status eq "valid") {
 $certuri = $resp->{certificate} // die "Error: Missing \"certificate\" field in \"valid\" order\n";
 last;
- }
- elsif ($status ne "pending" and $status ne "processing") {
+ } else {
 warn "Unknown order status: $status\n";
 }
@@ -22,7 +22,7 @@ use v5.14.2;
 use strict;
 use warnings;
-our $VERSION = '0.8.1';
+our $VERSION = '0.8.2';
 my $NAME = 'lacme';
 use Errno 'EINTR';
diff --git a/lacme-accountd b/lacme-accountd
index a9f5469..8d2c599 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -23,7 +23,7 @@ use v5.14.2;
 use strict;
 use warnings;
-our $VERSION = '0.8.1';
+our $VERSION = '0.8.2';
 my $PROTOCOL_VERSION = 1;
 my $NAME = 'lacme-accountd';
diff --git a/tests/old-accountd b/tests/old-accountd
index abd330d..3ad4b31 100644
--- a/tests/old-accountd
+++ b/tests/old-accountd
@@ -12,7 +12,7 @@ cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
 privkey = file:/etc/lacme/account.key
 EOF
-echo "deb http://deb.debian.org/debian stretch main" >>/etc/apt/sources.list
+echo "deb http://archive.debian.org/debian stretch main" >>/etc/apt/sources.list
 DEBIAN_FRONTEND="noninteractive" apt update
 DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \
 --reinstall --allow-downgrades \
|
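Review bot: The `ready` branch in the `@@ -361` hunk has no guard against being entered a second time: if the response to the finalize POST still reports `ready` (the hunk only anticipates `processing` or `valid` as follow-ups), the next iteration re-POSTs the CSR to `$order->{finalize}`, and `next` again skips whatever retry bookkeeping follows the hunk, so a server that keeps answering `ready` is re-finalized without back-off or bound. Since `$payload` is defined only right after a finalize POST, one line at the top of the branch turns that into a hard error instead of a duplicate submission: `die "Error: Order $orderstr still \"ready\" after finalize\n" if defined $payload;` (falling back to polling `$orderurl`, as the `processing` branch does, is the lenient alternative). The `pending` branch has the same gap, as it leaves `$url`/`$payload` untouched, so a `pending` answer to the finalize POST would also be retried with the CSR rather than by polling the order URL. The enclosing `for` loop starts in the previous hunk and its tail (counter, delay) lies outside this one, so I cannot see how `$i` is bounded on the `next` path.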
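Review bot: Pointing the stretch suite at archive.debian.org may not be enough for the following `apt update` line to succeed, because the Release files for end-of-life suites on that host are, as far as I know, past their Valid-Until date and apt then refuses them as expired; please verify on a fresh run. If that is the case, relax only the validity-window check for this command and keep signature verification on, e.g. `DEBIAN_FRONTEND="noninteractive" apt -o Acquire::Check-Valid-Until=false update`, rather than adding `--allow-unauthenticated` or trusted=yes to the sources line.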