From 0a90ff6b3da92aab23949fca221702989dfe7fa9 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 10 Jun 2026 18:06:57 +0200 Subject: [PATCH] BUG/MEDIUM: acme: stuck ACME task when authz is already "valid" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When an ACME order is re-used or when a domain was recently validated, the CA may return status "valid" for an authorization without requiring any challenge to be solved. In acme_res_auth(), this is handled by setting auth->validated = 1 and jumping to out — but auth->ready is never initialized and stays 0. This became a bug in 3.4 when the "challenge-ready" option and the ACME_CLI_WAIT state were introduced (commit 2b0c510aff). ACME_CLI_WAIT computes: all_cond_ready &= auth->ready; across all authorizations. A single auth->ready == 0 drives the AND to zero and the task waits indefinitely for a readiness signal that will never arrive, since no challenge was published and no external agent will ever call challenge_ready() for that domain. Fix it by setting auth->ready = ctx->cfg->cond_ready for already-valid authorizations, marking them as satisfying all required readiness conditions so ACME_CLI_WAIT can proceed normally. This should be backported to 3.4. --- src/acme.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/acme.c b/src/acme.c index 7875f11e8..ccb54155f 100644 --- a/src/acme.c +++ b/src/acme.c @@ -2028,6 +2028,7 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut /* if auth is already valid we need to skip solving challenges */ if (strncasecmp("valid", trash.area, trash.data) == 0) { auth->validated = 1; + auth->ready = ctx->cfg->cond_ready; /* no challenge needed, satisfy all readiness conditions */ goto out; }
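Review bot: the `strncasecmp("valid", trash.area, trash.data) == 0` test that guards the added assignment is bounded by trash.data, so a status value shorter than "valid" (an empty one included) also compares equal. With this change that branch sets auth->ready = ctx->cfg->cond_ready in addition to auth->validated = 1, so ACME_CLI_WAIT would proceed for that authorization without any readiness signal. Unless a check outside this hunk already rejects such values, consider also requiring trash.data == strlen("valid") before taking the branch. As a minor style point, the trailing comment on the added line could be folded into the existing comment above the if, which already explains why challenges are skipped.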