BUG/MEDIUM: acme: fix stalled renewal when opportunistic DNS check fails

In ACME_INITIAL_RSLV_READY, when the opportunistic DNS propagation check
fails and the code falls back to ACME_CLI_WAIT, ACME_RDY_INITIAL_DNS was
left set in cond_ready. Since the CLI-wait path only ever sets ACME_RDY_CLI
on auth->ready, the readiness check in ACME_CLI_WAIT could never be
satisfied, permanently stalling certificate renewal.

Fix this by stripping ACME_RDY_INITIAL_DNS from cond_ready before falling
back to the regular CLI-wait flow. Also replace the &= with a plain
assignment in the success path to make the intent explicit.

No backport needed, 3.4 only.
William Lallemand 2026-04-30 20:24:59 +02:00 committed by William Lallemand
parent 63f853957a
commit 71267bc6a5


@ -2604,12 +2604,13 @@ re:
/* opportunistic validation, don't do the
* cond_ready steps */
st = ACME_CHALLENGE;
ctx->cfg->cond_ready &= ACME_RDY_INITIAL_DNS;
ctx->cfg->cond_ready = ACME_RDY_INITIAL_DNS;
ctx->next_auth = ctx->auths;
goto nextreq;
}
/* opportunistic DNS check failed, try the ready_cond */
/* opportunistic DNS check failed, try the ready_cond, remove initial dns as a condition */
ctx->cfg->cond_ready &= ~ACME_RDY_INITIAL_DNS;
st = ACME_CLI_WAIT;
goto nextreq;
}
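Review bot: both branches write the readiness mask back into ctx->cfg->cond_ready, and if ctx->cfg is the per-certificate configuration that outlives this renewal rather than per-run state, the change has a lasting side effect: once the failing branch runs `ctx->cfg->cond_ready &= ~ACME_RDY_INITIAL_DNS;`, the ACME_RDY_INITIAL_DNS condition stays stripped for every later renewal of that certificate, and the success path's `ctx->cfg->cond_ready = ACME_RDY_INITIAL_DNS;` likewise discards any other flag the configuration carried (the old `&=` only kept that one bit, so it had the same effect). If cond_ready is meant to be a configured option, consider leaving the configured value intact and tracking the effective conditions for the current run in a ctx field instead, or at least state in the comment that the configuration is being rewritten on purpose so the next reader does not take it for an oversight.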