fixed logic to check status from our challenge

the old code had a problem and would interpret a challenge that
returned "pending" and then "invalid" as valid.

This code actually has another problem. The RFC defines:

"status (optional, string):  The status of this authorization.
 Possible values are: "pending", "valid", and "invalid".  If this
 field is missing, then the default value is "pending"."

So actually the correct way to implement this would be:

while [[ -z "${status}" ]] || [[ "${status}" = "pending" ]]; do

But without further checks this might lead to an endless loop. So this
is "good enough(tm)". ;)

diff --git a/letsencrypt.sh b/letsencrypt.sh
index ad2e7bbac56ac211ee29ced5f1e0a0f4cb95fbee..f6c9b2c961f5dd415706be7ccbe465f4743f41b6 100755 (executable)
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -141,17 +141,20 @@ sign_domain() {
     result="$(signed_request "${challenge_uri}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}')"
 
     status="$(printf '%s\n' "${result}" | grep -Eo '"status":\s*"[^"]*"' | cut -d'"' -f4)"
-    if [[ ! "${status}" = "pending" ]] && [[ ! "${status}" = "valid" ]]; then
-      echo "  + Challenge is invalid! (${result})"
-      exit 1
-    fi
 
+    # get status until it a result is reached => not pending anymore    
     while [[ "${status}" = "pending" ]]; do
-      status="$(_request get "${challenge_uri}" | grep -Eo '"status":\s*"[^"]*"' | cut -d'"' -f4)"
       sleep 1
+      status="$(_request get "${challenge_uri}" | grep -Eo '"status":\s*"[^"]*"' | cut -d'"' -f4)"
     done
 
-    echo "  + Challenge is valid!"
+    if [[ "${status}" = "valid" ]]; then
+      echo "  + Challenge is valid!"
+    else
+      echo "  + Challenge is invalid! (returned: ${status})"
+      exit 1
+    fi
+
   done
 
   # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem