From 53238c70f7a12e233a6ca83cf2b50168e5b9592e Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 25 Apr 2023 10:51:36 +0200
Subject: =?UTF-8?q?client:=20Handle=20"ready"=20=E2=86=92=20"processing"?=
 =?UTF-8?q?=20=E2=86=92=20"valid"=20status=20change=20during=20newOrder.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Instead of just "ready" → "valid", which may be what we observe when the server is fast enough, but according to RFC 8555 sec. 7.1.6 the state actually transitions via "processing" state and we need to account for that.

It appears Let's Encrypt staging environment now has different timing conditions and lacme is unable to request certificates due to this issue.

Thanks to Alexander Borkowski for the report!
---
 client | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/client b/client
index 3cda821..01c7e5a 100755
--- a/client
+++ b/client
@@ -346,11 +346,12 @@ elsif ($COMMAND eq 'newOrder') {
 }
 
 # poll the order URL (to get the status of all challenges at once)
- # until the status become 'valid'
+ # until the status become 'valid'; see RFC 8555 sec. 7.1.6 for the
+ # the status change flow
 my $orderstr = join(', ', map {uc($_->{type}) .":". $_->{value}} @identifiers);
 my $certuri;
- for (my $i = 0;;) {
- my $r = acme($orderurl);
+ for (my $i = 0, my $url = $orderurl, my $payload;;) {
+ my $r = acme($url => $payload);
 my $resp = request_json_decode($r);
 if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
 my $msg = $problem->{status};
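Review bot: The rewritten poll comment on the two added lines ends one line with `for the` and starts the next with `the status change flow`, duplicating "the", and keeps the pre-existing `become` for a singular subject; `# until the status becomes 'valid'; see RFC 8555 sec. 7.1.6 for` / `# the status change flow` reads cleanly. The for-init now declares `my $payload` without a value, so the first `acme($url => $payload)` call presumably sends no body (a plain poll of the order URL) while later iterations send the CSR; a short comment on that line, e.g. `# no payload: poll the order URL; the CSR is attached once the order is "ready"`, would make the url/payload alternation explicit for the next reader. The enclosing newOrder branch and the for loop continue past the hunk.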
@@ -361,19 +362,21 @@ elsif ($COMMAND eq 'newOrder') {
 my $status = $resp->{status};
 if (!defined $status or $status eq "invalid") {
 die "Error: Invalid order $orderstr\n";
- }
- elsif ($status eq "ready") {
- my $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
- my $resp = request_json_decode($r);
- $certuri = $resp->{certificate};
- last;
- }
- elsif ($status eq "valid") {
+ } elsif ($status eq "pending") {
+ # keep retrying
+ } elsif ($status eq "ready") {
+ $url = $order->{finalize};
+ $payload = {csr => encode_base64url($csr)};
+ # retry after moving to "processing" or "valid" state
+ next;
+ } elsif ($status eq "processing") {
+ $url = $orderurl;
+ undef $payload;
+ } elsif ($status eq "valid") {
 $certuri = $resp->{certificate} // die "Error: Missing \"certificate\" field in \"valid\" order\n";
 last;
- }
- elsif ($status ne "pending" and $status ne "processing") {
+ } else {
 warn "Unknown order status: $status\n";
 }
 
-- 
cgit v1.2.3

From 5d9d1ce570c0fa613e1dc2345047a0ff95f781c5 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 25 Apr 2023 11:59:39 +0200
Subject: tests: Point stretch's archive URL to archive.d.o.

See https://lists.debian.org/msgid-search/87tty79lwo.fsf@43-1.org .
---
 tests/old-accountd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/old-accountd b/tests/old-accountd
index abd330d..3ad4b31 100644
--- a/tests/old-accountd
+++ b/tests/old-accountd
@@ -12,7 +12,7 @@ cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
 privkey = file:/etc/lacme/account.key
 EOF
 
-echo "deb http://deb.debian.org/debian stretch main" >>/etc/apt/sources.list
+echo "deb http://archive.debian.org/debian stretch main" >>/etc/apt/sources.list
 DEBIAN_FRONTEND="noninteractive" apt update
 DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \
 --reinstall --allow-downgrades \
-- 
cgit v1.2.3

From c80a2530eb014b34a314e078fec2589bc7969e33 Mon Sep 17 00:00:00 2001
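Review bot: The `next;` in the new "ready" branch skips everything that follows the if/elsif chain in the loop body — not visible here, but the `$i` counter declared in the for-init suggests that is where the retry bound and polling delay live — so a CA whose reply to the finalize POST still reports "ready" would have the CSR re-POSTed immediately and without bound. RFC 8555 sec. 7.4 expects "processing" or "valid" in that reply, but the client should not let a non-conforming or slow server drive an unthrottled POST loop against the CA. Since `$payload` is only defined between the finalize POST and the next "processing" reply, it can serve as the "already finalized" marker: POST finalize only when it is undefined, otherwise go back to polling the order URL through the normal delay. The enclosing for loop starts and ends outside this hunk.
```perl
} elsif ($status eq "ready") {
    if (defined $payload) {
        # the finalize POST itself still reports "ready": poll the order
        # URL again after the usual delay instead of re-POSTing the CSR
        $url = $orderurl;
        undef $payload;
    } else {
        $url = $order->{finalize};
        $payload = {csr => encode_base64url($csr)};
        # retry after moving to "processing" or "valid" state
        next;
    }
} elsif ($status eq "processing") {
# … unchanged: "processing", "valid" and fallback branches …
```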
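Review bot: Pointing the stretch source at archive.debian.org is likely not enough on its own for the `apt update` on the line after the changed `echo`: Release files on archive.debian.org are normally past their Valid-Until date, so apt refuses them unless the validity window is relaxed for that step, e.g. `DEBIAN_FRONTEND="noninteractive" apt -o Acquire::Check-Valid-Until=false update`. Keep signature verification itself enabled — only the expiry window is the obstacle, and the Release signatures are still what protects the later `apt install`. This is inferred from apt's usual behaviour on archived suites, not from any output on the page, so it is worth confirming against a test run.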
From: Guilhem Moulin
Date: Tue, 25 Apr 2023 20:06:22 +0200
Subject: Prepare new release v0.8.2.

---
 Changelog | 11 +++++++++++
 client | 2 +-
 lacme | 2 +-
 lacme-accountd | 2 +-
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/Changelog b/Changelog
index fc658bf..2863d18 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,14 @@
+lacme (0.8.2) upstream;
+
+ + client: Handle "ready" → "processing" → "valid" status change during
+ newOrder, instead of just "ready" → "valid". The latter may be what
+ we observe when the server is fast enough, but according to RFC 8555
+ sec. 7.1.6 the state actually transitions via "processing" state and
+ we need to account for that.
+ - Test suite: Point stretch's archive URL to archive.d.o.
+
+ -- Guilhem Moulin Tue, 25 Apr 2023 20:06:22 +0200
+
 lacme (0.8.1) upstream;
 
 + lacme-accountd: improve log messages and refactor logging logic.
diff --git a/client b/client
index 01c7e5a..d993518 100755
--- a/client
+++ b/client
@@ -43,7 +43,7 @@ use warnings;
 # instance own by another user and created with umask 0177) is not a
 # problem since SOCKET_FD can be bound as root prior to the execve(2).
 
-our $VERSION = '0.8.1';
+our $VERSION = '0.8.2';
 my $PROTOCOL_VERSION = 1;
 my $NAME = 'lacme-client';
 
diff --git a/lacme b/lacme
index 21a184c..6284c66 100755
--- a/lacme
+++ b/lacme
@@ -22,7 +22,7 @@ use v5.14.2;
 use strict;
 use warnings;
 
-our $VERSION = '0.8.1';
+our $VERSION = '0.8.2';
 my $NAME = 'lacme';
 
 use Errno 'EINTR';
diff --git a/lacme-accountd b/lacme-accountd
index a9f5469..8d2c599 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -23,7 +23,7 @@ use v5.14.2;
 use strict;
 use warnings;
 
-our $VERSION = '0.8.1';
+our $VERSION = '0.8.2';
 my $PROTOCOL_VERSION = 1;
 my $NAME = 'lacme-accountd';
 
-- 
cgit v1.2.3