BUG/MEDIUM: acme: stuck ACME task when authz is already "valid"

When an ACME order is re-used or when a domain was recently validated,
the CA may return status "valid" for an authorization without requiring
any challenge to be solved.  In acme_res_auth(), this is handled by
setting auth->validated = 1 and jumping to out — but auth->ready is
never initialized and stays 0.

This became a bug in 3.4 when the "challenge-ready" option and the
ACME_CLI_WAIT state were introduced (commit 2b0c510aff).  ACME_CLI_WAIT
computes:

    all_cond_ready &= auth->ready;

across all authorizations.  A single auth->ready == 0 drives the AND
to zero and the task waits indefinitely for a readiness signal that
will never arrive, since no challenge was published and no external
agent will ever call challenge_ready() for that domain.

Fix it by setting auth->ready = ctx->cfg->cond_ready for already-valid
authorizations, marking them as satisfying all required readiness
conditions so ACME_CLI_WAIT can proceed normally.

This should be backported to 3.4.

diff --git a/src/acme.c b/src/acme.c
index 7875f11e8b68fb58adf80378af0d58291e5a7a1b..ccb54155f98366493188a84540974925ba274022 100644 (file)
--- a/src/acme.c
+++ b/src/acme.c
@@ -2028,6 +2028,7 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut
        /* if auth is already valid we need to skip solving challenges */
        if (strncasecmp("valid", trash.area, trash.data) == 0) {
                auth->validated = 1;
+               auth->ready = ctx->cfg->cond_ready; /* no challenge needed, satisfy all readiness conditions */
                goto out;
        }