From 69211b869f289185d6cad64a8d8524e4610b6152 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Wed, 15 Apr 2026 16:06:53 +0200
Subject: [PATCH] BUG/MINOR: acme: fix fallback state after failed initial DNS
 check

When the opportunistic initial DNS check (ACME_INITIAL_RSLV_READY) fails,
the state machine was incorrectly transitioning to ACME_RSLV_RETRY_DELAY
instead of ACME_CLI_WAIT. This caused the challenge to enter the DNS retry
loop rather than falling back to the normal cond_ready flow that waits for
the CLI signal.

Also reorder ACME_CLI_WAIT in the state enum and trace switch to reflect
the actual execution order introduced in the previous commit: it comes after
ACME_INITIAL_RSLV_READY, not before ACME_INITIAL_RSLV_TRIGGER.

No backport needed.
---
 include/haproxy/acme-t.h | 2 +-
 src/acme.c               | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/haproxy/acme-t.h b/include/haproxy/acme-t.h
index b12a95be1..091dcd708 100644
--- a/include/haproxy/acme-t.h
+++ b/include/haproxy/acme-t.h
@@ -53,9 +53,9 @@ enum acme_st {
 	ACME_NEWACCOUNT,
 	ACME_NEWORDER,
 	ACME_AUTH,
-	ACME_CLI_WAIT,               /* wait for the ACME_RDY_CLI */
 	ACME_INITIAL_RSLV_TRIGGER,   /* opportunistic DNS check avoid cond_ready steps */
 	ACME_INITIAL_RSLV_READY,
+	ACME_CLI_WAIT,               /* wait for the ACME_RDY_CLI */
 	ACME_INITIAL_DELAY,
 	ACME_RSLV_RETRY_DELAY,
 	ACME_RSLV_TRIGGER,
diff --git a/src/acme.c b/src/acme.c
index 7a392d6d2..6e7976955 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -123,9 +123,9 @@ static void acme_trace(enum trace_level level, uint64_t mask, const struct trace
 			case ACME_NEWACCOUNT:               chunk_appendf(&trace_buf, "ACME_NEWACCOUNT");              break;
 			case ACME_NEWORDER:                 chunk_appendf(&trace_buf, "ACME_NEWORDER");                break;
 			case ACME_AUTH:                     chunk_appendf(&trace_buf, "ACME_AUTH");                    break;
-			case ACME_CLI_WAIT :                chunk_appendf(&trace_buf, "ACME_CLI_WAIT");                break;
 			case ACME_INITIAL_RSLV_TRIGGER:     chunk_appendf(&trace_buf, "ACME_INITIAL_RSLV_TRIGGER");    break;
 			case ACME_INITIAL_RSLV_READY:       chunk_appendf(&trace_buf, "ACME_INITIAL_RSLV_READY");      break;
+			case ACME_CLI_WAIT :                chunk_appendf(&trace_buf, "ACME_CLI_WAIT");                break;
 			case ACME_INITIAL_DELAY:            chunk_appendf(&trace_buf, "ACME_INITIAL_DELAY");           break;
 			case ACME_RSLV_RETRY_DELAY:         chunk_appendf(&trace_buf, "ACME_RSLV_RETRY_DELAY");        break;
 			case ACME_RSLV_TRIGGER:             chunk_appendf(&trace_buf, "ACME_RSLV_TRIGGER");            break;
@@ -2548,7 +2548,7 @@ re:
 			}
 
 			/* opportunistic DNS check failed, try the ready_cond */
-			st = ACME_RSLV_RETRY_DELAY;
+			st = ACME_CLI_WAIT;
 			goto nextreq;
 		}
 		break;