On 07/03/2026 02:21, William Lallemand wrote:
> Hi,
>
> Sorry I didn't have much time to handle this during the past weeks.
>
> I'm not sure what you are trying to do, but I started the rewrite of acme.c
> with a few bugfixes and cleanup a while ago so that would probably conflict a
> lot in the future. Unfortunately I was quite busy and didn't finish it yet.
>
> Regards,

Yeah, no problem.

I'm thinking of this: https://github.com/kanashimia/haproxy/tree/polling-fix
Can you take a quick look at the first commit there? Should be easy to read.

The poll logic that used acme_res_challenge() will use acme_res_auth() instead.
It makes the code of acme_res_auth() quite a bit messier though,
as the auth response contains an array of challenges, so finding the correct one
requires looping, but it is the correct logic.
Though by my testing Pebble always returns a single-element array there.

I'm double checking stuff against the uacme and lego clients, just to be sure.

In comparison my previous attempt just skips the two stages,
but doesn't fix the fact that HAProxy polls challenge endpoint.

---

Also acme_res_challenge always reads $.error.type, but it should be $.type
in case of a nonce error. And that "need a generic URN error parser" comment
really needs fixing; if you had something in mind with regards to it,
please tell.
I'm currently thinking of something like this:

ret = acme_check_error(hc->res.buf, hc->res.status, "account", &trash, errmsg);
if (ret == 1) {
  if (!newaccount) {
    /* not an error, we only need to create a new account */
    if (strncmp("urn:ietf:params:acme:error:accountDoesNotExist", trash.area, trash.data) == 0)
      goto out;
  }
  goto error;
}

That acme_check_error will write a pretty error to errmsg, but it could still be ignored afterwards if needed. Although I think haproxy should hard fail on most of the URNs, as that is what other ACME impls do, and only on some, like nonce errors, should it retry; for that all res functions need to return enum acme_ret.


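The $.type versus $.error.type point above is easy to get wrong, because a challenge object also has a top-level "type" (the challenge type, e.g. "http-01"), so reading $.type blindly returns that instead of an error URN. The following is an added example, not code from the thread or from HAProxy's acme.c: it locates the error URN in either shape and maps it to the retry/hard-fail decision the message proposes. The tiny JSON scanner, the function names (json_get_string, acme_find_error, acme_classify, acme_handle), the enum acme_ret values and the sample bodies are all assumptions made for this example; the bodies are constructed, not captured from a real CA.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not HAProxy code. The scanner below is a deliberately tiny
 * stand-in for a real JSON parser and assumes well-formed input. */

#define ACME_ERR_PREFIX "urn:ietf:params:acme:error:"

enum acme_ret { ACME_RET_OK = 0, ACME_RET_RETRY, ACME_RET_FAIL };

/* Copy the string value of `key` into out. With parent == NULL the key is
 * looked up in the root object ($.key); otherwise inside the root-level
 * object named `parent` ($.parent.key). Returns 1 on success. */
static int json_get_string(const char *json, const char *parent, const char *key,
                           char *out, size_t outlen)
{
    const char *p = json, *start, *q;
    char key1[64] = "", cur_key[64] = "";   /* last key at depth 1 / at want_depth */
    int depth = 0, want_depth = parent ? 2 : 1;
    size_t len;

    while (*p) {
        if (*p == '{' || *p == '[') { depth++; p++; continue; }
        if (*p == '}' || *p == ']') { depth--; p++; continue; }
        if (*p != '"') { p++; continue; }

        start = ++p;                         /* inside a JSON string */
        while (*p && *p != '"') {
            if (*p == '\\' && p[1]) p++;     /* skip escaped character */
            p++;
        }
        len = (size_t)(p - start);
        if (*p) p++;
        for (q = p; *q == ' ' || *q == '\t' || *q == '\n' || *q == '\r'; q++)
            ;
        if (*q == ':') {                     /* the string was an object key */
            if (depth == 1 && len < sizeof key1) {
                memcpy(key1, start, len); key1[len] = '\0';
            }
            if (depth == want_depth && len < sizeof cur_key) {
                memcpy(cur_key, start, len); cur_key[len] = '\0';
            }
        } else if (depth == want_depth && strcmp(cur_key, key) == 0 &&
                   (!parent || strcmp(key1, parent) == 0)) {
            if (len >= outlen)
                return 0;
            memcpy(out, start, len); out[len] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Find the ACME error URN: accept $.type only when it is an error URN (a
 * challenge object's $.type is the challenge type, e.g. "http-01"), otherwise
 * fall back to $.error.type. Returns 1 and fills urn when found. */
static int acme_find_error(const char *body, char *urn, size_t urnlen)
{
    size_t plen = strlen(ACME_ERR_PREFIX);

    if (json_get_string(body, NULL, "type", urn, urnlen) &&
        strncmp(urn, ACME_ERR_PREFIX, plen) == 0)
        return 1;
    if (json_get_string(body, "error", "type", urn, urnlen) &&
        strncmp(urn, ACME_ERR_PREFIX, plen) == 0)
        return 1;
    urn[0] = '\0';
    return 0;
}

/* badNonce is retried (RFC 8555 section 6.5: the server supplies a fresh
 * Replay-Nonce with it); accountDoesNotExist is not an error while probing
 * for an existing account; every other error URN is a hard failure. */
static enum acme_ret acme_classify(const char *body, int probing_account,
                                   char *urn, size_t urnlen)
{
    if (!acme_find_error(body, urn, urnlen))
        return ACME_RET_OK;
    if (strcmp(urn, ACME_ERR_PREFIX "badNonce") == 0)
        return ACME_RET_RETRY;
    if (probing_account && strcmp(urn, ACME_ERR_PREFIX "accountDoesNotExist") == 0)
        return ACME_RET_OK;
    return ACME_RET_FAIL;
}

/* Constructed sample bodies (not captured from a real CA). */
static const char NONCE_ERR[] =
    "{\"type\":\"urn:ietf:params:acme:error:badNonce\","
    "\"detail\":\"JWS has an invalid anti-replay nonce\",\"status\":400}";
static const char CHALLENGE_FAILED[] =
    "{\"type\":\"http-01\",\"status\":\"invalid\",\"url\":\"https://acme.example/chall/1\","
    "\"error\":{\"type\":\"urn:ietf:params:acme:error:unauthorized\","
    "\"detail\":\"Invalid response\",\"status\":403}}";
static const char CHALLENGE_OK[] =
    "{\"type\":\"http-01\",\"status\":\"valid\",\"url\":\"https://acme.example/chall/1\"}";
static const char NO_ACCOUNT[] =
    "{\"type\":\"urn:ietf:params:acme:error:accountDoesNotExist\","
    "\"detail\":\"No account exists with the provided key\",\"status\":400}";

static char last_urn[128];

/* Wrapper that keeps the last URN found in a static buffer. */
static enum acme_ret acme_handle(const char *body, int probing_account)
{
    return acme_classify(body, probing_account, last_urn, sizeof last_urn);
}

int main(void)
{
    const char *bodies[] = { NONCE_ERR, CHALLENGE_FAILED, CHALLENGE_OK, NO_ACCOUNT };
    size_t i;

    for (i = 0; i < sizeof bodies / sizeof bodies[0]; i++) {
        enum acme_ret r = acme_handle(bodies[i], 0);
        printf("%s -> %s\n", last_urn[0] ? last_urn : "(no error)",
               r == ACME_RET_OK ? "ok" : r == ACME_RET_RETRY ? "retry" : "fail");
    }
    return 0;
}
```

In a real client the prefix check on $.type is what keeps a challenge poll from mistaking "http-01" for an error, and the decision should be driven by the URN rather than by the HTTP status alone, since both a badNonce reply and most hard failures arrive as 4xx.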