From: William Lallemand Date: Wed, 10 Jun 2026 16:06:57 +0000 (+0200) Subject: BUG/MEDIUM: acme: stuck ACME task when authz is already "valid" X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a90ff6b3da92aab23949fca221702989dfe7fa9;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: acme: stuck ACME task when authz is already "valid" When an ACME order is re-used or when a domain was recently validated, the CA may return status "valid" for an authorization without requiring any challenge to be solved. In acme_res_auth(), this is handled by setting auth->validated = 1 and jumping to out — but auth->ready is never initialized and stays 0. This became a bug in 3.4 when the "challenge-ready" option and the ACME_CLI_WAIT state were introduced (commit 2b0c510aff). ACME_CLI_WAIT computes: all_cond_ready &= auth->ready; across all authorizations. A single auth->ready == 0 drives the AND to zero and the task waits indefinitely for a readiness signal that will never arrive, since no challenge was published and no external agent will ever call challenge_ready() for that domain. Fix it by setting auth->ready = ctx->cfg->cond_ready for already-valid authorizations, marking them as satisfying all required readiness conditions so ACME_CLI_WAIT can proceed normally. This should be backported to 3.4. --- diff --git a/src/acme.c b/src/acme.c index 7875f11e8..ccb54155f 100644 --- a/src/acme.c +++ b/src/acme.c @@ -2028,6 +2028,7 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut /* if auth is already valid we need to skip solving challenges */ if (strncasecmp("valid", trash.area, trash.data) == 0) { auth->validated = 1; + auth->ready = ctx->cfg->cond_ready; /* no challenge needed, satisfy all readiness conditions */ goto out; }