From a65e746406d40a6eef7728ee28033f6e43d06160 Mon Sep 17 00:00:00 2001
From: Steven Clark
Date: Mon, 1 May 2023 16:18:18 -0400
Subject: [PATCH] Update ACME order status on order fetch (#20451)
- When someone is fetching the order to get it's status, compute if we need to bump the status to Ready like we do in finalize handler
- Add a wait state to the ACME docker test suite to deal with a race condition
---
 builtin/logical/pki/path_acme_order.go | 7 +++++++
 builtin/logical/pkiext/pkiext_binary/acme_test.go | 6 +++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/builtin/logical/pki/path_acme_order.go b/builtin/logical/pki/path_acme_order.go
index 20590a2753..60cb2d0db3 100644
--- a/builtin/logical/pki/path_acme_order.go
+++ b/builtin/logical/pki/path_acme_order.go
@@ -512,6 +512,13 @@ func (b *backend) acmeGetOrderHandler(ac *acmeContext, _ *logical.Request, field
 return nil, err
 }
 
+ if order.Status == ACMEOrderPending {
+ // Lets see if we can update our order status to ready if all the authorizations have been completed.
+ if requiredAuthorizationsCompleted(b, ac, uc, order) {
+ order.Status = ACMEOrderReady
+ }
+ }
+
 // Per RFC 8555 -> 7.1.3. Order Objects
 // For final orders (in the "valid" or "invalid" state), the authorizations that were completed.
 //
diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go
index 252e405e7d..ccf3081b92 100644
--- a/builtin/logical/pkiext/pkiext_binary/acme_test.go
+++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go
@@ -276,7 +276,7 @@ func doAcmeValidationWithGoLibrary(t *testing.T, directoryUrl string, acmeOrderI
 func(tosURL string) bool { return true })
 require.NoError(t, err, "failed registering account")
 
- // Create an ACME order that
+ // Create an ACME order
 order, err := acmeClient.AuthorizeOrder(testCtx, acmeOrderIdentifiers)
 require.NoError(t, err, "failed creating ACME order")
 
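Review bot: The pending-to-ready promotion added after the order load in acmeGetOrderHandler (path_acme_order.go) repeats, by the commit message's own account, a check that already lives in the finalize handler, so the two copies of this state transition can drift apart; since the order status gates issuance, both handlers would be better served by one shared helper. As far as the hunk shows, `order.Status = ACMEOrderReady` changes only the in-memory order that is returned and nothing is written back, which may be intended but is not stated. If it is, I would replace the comment with `// Report "ready" once all required authorizations are completed; computed on each fetch, not persisted here.` The handler's body starts and ends outside the hunk, so whether the order is saved later, and how requiredAuthorizationsCompleted behaves when an authorization cannot be loaded, is not visible here.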
@@ -324,6 +324,10 @@ func doAcmeValidationWithGoLibrary(t *testing.T, directoryUrl string, acmeOrderI
 require.NoError(t, err, "failed to accept challenge: %v", challenge)
 }
 
+ // Wait for the order/challenges to be validated.
+ _, err = acmeClient.WaitOrder(testCtx, order.URI)
+ require.NoError(t, err, "failed waiting for order to be ready")
+
 // Create/sign the CSR and ask ACME server to sign it returning us the final certificate
 csrKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 csr, err := x509.CreateCertificateRequest(rand.Reader, cr, csrKey)
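Review bot: The added `WaitOrder` call discards the order it returns, so the test only proves the wait did not error, not that the order reached the state this commit is about. Keeping the result and asserting on it, e.g. `readyOrder, err := acmeClient.WaitOrder(testCtx, order.URI)` followed by `require.Equal(t, acme.StatusReady, readyOrder.Status)`, would pin the pending-to-ready transition; this assumes the client package is imported as `acme`, which the hunk does not show. The wait is bounded only by `testCtx`, which is created outside the hunk, so it is worth confirming that context carries a deadline so a stuck validation fails the test instead of hanging it.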