pebble
wrong implementation of ACME spec: Orders should transition to "invalid", not "deactivated"
I spent the day investigating failing tests, because of a single line in Pebble :(
https://github.com/letsencrypt/pebble/blob/master/core/types.go#L66-L69
```go
// An order is deactivated if **any** of its authzs are deactivated
if authzStatuses[acme.StatusDeactivated] > 0 {
	return acme.StatusDeactivated, nil
}
```
This is not a correct implementation of the ACME spec. The Order object does not have a "deactivated" state. The spec states it should transition to "invalid".
> status (required, string): The status of this order. Possible values are "pending", "ready", "processing", "valid", and "invalid". See Section 7.1.6.

7.1.6. Status Changes

Page 32: text following "State Transitions for Authorization Objects"

> The order also moves to the "invalid" state if it expires or one of its authorizations enters a final state other than "valid" ("expired", "revoked", or "deactivated")

Page 33: chart "State Transitions for Order Objects"
```
    pending --------------+
       |                  |
       | All authz        |
       | "valid"          |
       V                  |
     ready ---------------+
       |                  |
       | Receive          |
       | finalize         |
       | request          |
       V                  |
   processing ------------+
       |                  |
       | Certificate      | Error or
       | issued           | Authorization failure
       V                  V
     valid             invalid
```
Good catch. Thanks for reporting it, and my apologies that you spent so much time trying to track it down. I've uploaded a fix at #301. Want to try that out and let me know if it fixes the issue for you?
Thanks, @jsha, looks much better than the patch I put together. I'll run it through my test suite tomorrow or the day after.
I'm actually glad this happened - my code should have been written to catch potentially malformed/incorrect responses.
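The status rule quoted from Section 7.1.6 and the client-side check mentioned in the last comment, as an added Go example that is not part of the thread, not Pebble's code and not the fix in #301. The function names `OrderStatusFromAuthzs` and `CheckOrderStatus` are hypothetical, and order expiry and the finalize step are not modelled.

```go
package main

import "fmt"

// Order statuses defined by RFC 8555 section 7.1.3; "deactivated" is not one of them.
var validOrderStatus = map[string]bool{
	"pending": true, "ready": true, "processing": true, "valid": true, "invalid": true,
}

// CheckOrderStatus (hypothetical name) is a client-side guard against statuses the spec does not define.
func CheckOrderStatus(status string) error {
	if !validOrderStatus[status] {
		return fmt.Errorf("server returned undefined order status %q", status)
	}
	return nil
}

// OrderStatusFromAuthzs (hypothetical name) derives the status of an order that
// has not been finalized yet from its authorization statuses (section 7.1.6).
func OrderStatusFromAuthzs(authzs []string) (string, error) {
	if len(authzs) == 0 {
		return "", fmt.Errorf("order has no authorizations")
	}
	allValid := true
	for _, s := range authzs {
		switch s {
		case "valid":
		case "pending":
			allValid = false
		case "invalid", "expired", "revoked", "deactivated":
			// Any final authorization state other than "valid" invalidates the order.
			return "invalid", nil
		default:
			return "", fmt.Errorf("unknown authorization status %q", s)
		}
	}
	if allValid {
		return "ready", nil
	}
	return "pending", nil
}

func main() {
	// Constructed input: one authorization of the order has been deactivated.
	st, err := OrderStatusFromAuthzs([]string{"valid", "deactivated"})
	fmt.Println(st, err, CheckOrderStatus("deactivated"))
}
```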