On 2025-03-12 12:00 GMT, Stuart Henderson <[email protected]> wrote:
> Sorry I don't have a diff for this.
>
> I just had a renewal on letsencrypt staging fail; status went from
> PENDING->READY->PROCESSING when acme-client netproc was expecting only
> INVALID/VALID/PENDING/READY.
>
> From https://www.rfc-editor.org/rfc/rfc8555#page-48
>
> o "processing": The certificate is being issued. Send a POST-as-GET
> request after the time given in the Retry-After header field of
> the response, if any.
Excellent, no normative language around Retry-After, so I can totally
ignore that!

Good call on limiting the retries. I've also added it to ORDER_PENDING
and reset the counter if we make some forward progress.

I'm wondering if the retry limit should be a global thing, no matter
what the state is. I'll leave that as an exercise for future
generations...

I could fairly easily trigger the processing state against the staging
environment, happens about 1 in 5 times.

OK?

diff --git netproc.c netproc.c
index f67f8abc0b3..916086f6e0d 100644
--- netproc.c
+++ netproc.c
@@ -673,7 +673,7 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int
rfd,
int revocate, struct authority_c *authority,
const char *const *alts, size_t altsz)
{
- int rc = 0;
+ int rc = 0, retries = 0;
size_t i;
char *cert = NULL, *thumb = NULL, *error = NULL;
struct conn c;
@@ -863,6 +863,9 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int
rfd,
if (!docert(&c, order.finalize, cert))
goto out;
break;
+ case ORDER_PROCESSING:
+ /* we'll just retry */
+ break;
default:
warnx("unhandled status: %d", order.status);
goto out;
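Review bot: The comment on the new ORDER_PROCESSING case, "we'll just retry", does not record that the Retry-After header from the response is deliberately not consulted and that the wait is the fixed sleep(RETRY_DELAY) applied after the status check. Saying so here would save the next reader from hunting for where the RFC 8555 "processing" delay is handled.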
@@ -871,8 +874,19 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int
rfd,
goto out;
dodbg("order.status %d", order.status);
- if (order.status == ORDER_PENDING)
+ switch (order.status) {
+ case ORDER_PENDING:
+ case ORDER_PROCESSING:
+ if (retries++ > RETRY_MAX) {
+ warnx("too many retries");
+ goto out;
+ }
sleep(RETRY_DELAY);
+ break;
+ default:
+ retries = 0; /* state changed, we made progress */
+ break;
+ }
}
if (order.status != ORDER_VALID) {
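Review bot: The bound in "if (retries++ > RETRY_MAX)" is off by one if RETRY_MAX is meant as the maximum number of waits: with post-increment and ">", the loop sleeps RETRY_MAX + 1 times before "too many retries" fires. Use "retries++ >= RETRY_MAX" if the limit is meant to be exact. Also, ORDER_PENDING and ORDER_PROCESSING share the one counter and only the default branch resets it, so a direct PENDING to PROCESSING transition does not count as progress; that may be intended but is worth a word in the comment. RETRY_MAX is not defined in any of the hunks shown, so confirm it exists alongside RETRY_DELAY.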
--
In my defence, I have been left unsupervised.