Re: acme-client doesn't handle order state "processing"

Mon, 19 May 2025 07:26:22 -0700 

On 2025/05/19 10:30, Florian Obser wrote:
> On 2025-03-12 12:00 GMT, Stuart Henderson <[email protected]> wrote:
> > Sorry I don't have a diff for this.
> >
> > I just had a renewal on letsencrypt staging fail; status went from
> > PENDING->READY->PROCESSING when acme-client netproc was expecting only
> > INVALID/VALID/PENDING/READY.
> >
> > From https://www.rfc-editor.org/rfc/rfc8555#page-48
> >
> >    o  "processing": The certificate is being issued.  Send a POST-as-GET
> >       request after the time given in the Retry-After header field of
> >       the response, if any.
> 
> Excellent, no normative language around Retry-After, so I can totally
> ignore that!
> 
> Good call on limiting the retries. I've also added it to ORDER_PENDING
> and reset the counter if we make some forward progress.
> 
> I'm wondering if the retry limit should be a global thing, no matter
> what the state is. I'll leave that as an exercise for future
> generations...
> 
> I could fairly easily trigger the processing state against the staging
> environment, happens about 1 in 5 times.
> 
> OK?

Thanks, this seems good enough for now. OK

> diff --git netproc.c netproc.c
> index f67f8abc0b3..916086f6e0d 100644
> --- netproc.c
> +++ netproc.c
> @@ -673,7 +673,7 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int 
> rfd,
>      int revocate, struct authority_c *authority,
>      const char *const *alts, size_t altsz)
>  {
> -     int              rc = 0;
> +     int              rc = 0, retries = 0;
>       size_t           i;
>       char            *cert = NULL, *thumb = NULL, *error = NULL;
>       struct conn      c;
> @@ -863,6 +863,9 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int 
> rfd,
>                       if (!docert(&c, order.finalize, cert))
>                               goto out;
>                       break;
> +             case ORDER_PROCESSING:
> +                     /* we'll just retry */
> +                     break;
>               default:
>                       warnx("unhandled status: %d", order.status);
>                       goto out;
> @@ -871,8 +874,19 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int 
> rfd,
>                       goto out;
>  
>               dodbg("order.status %d", order.status);
> -             if (order.status == ORDER_PENDING)
> +             switch (order.status) {
> +             case ORDER_PENDING:
> +             case ORDER_PROCESSING:
> +                     if (retries++ > RETRY_MAX) {
> +                             warnx("too many retries");
> +                             goto out;
> +                     }
>                       sleep(RETRY_DELAY);
> +                     break;
> +             default:
> +                     retries = 0; /* state changed, we made progress */
> +                     break;
> +             }
>       }
>  
>       if (order.status != ORDER_VALID) {
> 
> 
> -- 
> In my defence, I have been left unsupervised.
>

Reply via email to