From 71267bc6a504fa7cfabf265c4eff9a9e4eb431ed Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Thu, 30 Apr 2026 20:24:59 +0200
Subject: [PATCH] BUG/MEDIUM: acme: fix stalled renewal when opportunistic DNS check fails

In ACME_INITIAL_RSLV_READY, when the opportunistic DNS propagation check fails and the code falls back to ACME_CLI_WAIT, ACME_RDY_INITIAL_DNS was left set in cond_ready. Since the CLI-wait path only ever sets ACME_RDY_CLI on auth->ready, the readiness check in ACME_CLI_WAIT could never be satisfied, permanently stalling certificate renewal. Fix this by stripping ACME_RDY_INITIAL_DNS from cond_ready before falling back to the regular CLI-wait flow. Also replace the &= with a plain assignment in the success path to make the intent explicit. No backport needed, 3.4 only.
---
 src/acme.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/acme.c b/src/acme.c
index 5d5bfa7d3..9f60e9073 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -2604,12 +2604,13 @@ re:
 /* opportunistic validation, don't do the
 * cond_ready steps */
 st = ACME_CHALLENGE;
- ctx->cfg->cond_ready &= ACME_RDY_INITIAL_DNS;
+ ctx->cfg->cond_ready = ACME_RDY_INITIAL_DNS;
 ctx->next_auth = ctx->auths;
 goto nextreq;
 }
- /* opportunistic DNS check failed, try the ready_cond */
+ /* opportunistic DNS check failed, try the ready_cond, remove initial dns as a condition */
+ ctx->cfg->cond_ready &= ~ACME_RDY_INITIAL_DNS;
 st = ACME_CLI_WAIT;
 goto nextreq;
 }
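Review bot: Both new writes target `ctx->cfg->cond_ready`, which by its name is the shared certificate configuration rather than per-run task state, so the added `ctx->cfg->cond_ready &= ~ACME_RDY_INITIAL_DNS;` on the failure path looks permanent: once a single opportunistic DNS check fails, every later renewal of that certificate would skip the opportunistic path and go straight to the CLI wait, assuming entry into this state is gated on that flag (the gate is outside the hunk). The plain assignment `ctx->cfg->cond_ready = ACME_RDY_INITIAL_DNS;` in the success path likewise discards any other configured readiness bits for subsequent runs, much as the old `&=` did. If that persistence is intended it deserves a comment, e.g. `/* note: rewrites the shared cfg, so later renewals no longer attempt the opportunistic DNS check */`; if not, the effective condition should be copied from cfg into a field of `ctx` when the renewal task starts and masked there, leaving the configuration untouched. The comment's "ready_cond" also mismatches the field name `cond_ready`; `/* opportunistic DNS check failed, fall back to cond_ready without the initial-DNS condition */` would read better. The enclosing function and the state machine around `st` begin and end outside this hunk.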