x/crypto/acme: CreateOrderCert should not return whilst order is (still) Ready #52597
Labels: NeedsInvestigation
We use the CreateOrderCert function to finalize an ACME order once its status is Ready, as per the ACME spec. CreateOrderCert calls the finalize endpoint of the ACME server and then calls WaitOrder, which polls the ACME server till the order is in Valid, Invalid or Ready state (here).

I think that CreateOrderCert should not return when the order's state is Ready, as it is possible that when WaitOrder first looks at the order, the ACME server has not set the order status to Processing yet, so it is still Ready. I think from the client's perspective it would make sense if in that case we'd keep polling the ACME server, as it is in this case an intermittent state just like Processing.

(From looking at the spec it seems like a slow ACME server that sets the order status to Processing at some point after returning the finalize call would still be compliant. I haven't looked at the LetsEncrypt implementation, but from looking at the Boulder design it seems like they would set the order to Processing (and probably already to Valid) before returning from the finalize call, so this should not be an issue. However, I think we have seen an issue with this with another ACME implementation: cert-manager#5062)
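The polling behaviour the issue asks for, as an added example that is not code from x/crypto/acme or from the issue author: once finalize has returned, a "ready" status is treated as transient in the same way as "processing", and the context deadline bounds the wait. The names fetchStatus, waitFinalized and scripted are hypothetical, and the status sequences are constructed.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// fetchStatus is a hypothetical stand-in for one GET of the order URL.
type fetchStatus func(ctx context.Context) (string, error)

// waitFinalized polls after finalize has returned. "ready" is treated like
// "processing" (RFC 8555 status strings); ctx bounds a server stuck in "ready".
func waitFinalized(ctx context.Context, fetch fetchStatus, every time.Duration) (string, int, error) {
	for polls := 1; ; polls++ {
		st, err := fetch(ctx)
		if err != nil {
			return "", polls, err
		}
		switch st {
		case "valid":
			return st, polls, nil
		case "invalid":
			return st, polls, fmt.Errorf("order is invalid")
		case "ready", "processing": // transient after finalize: keep polling
		default:
			return st, polls, fmt.Errorf("unexpected order status %q", st)
		}
		select {
		case <-ctx.Done():
			return st, polls, ctx.Err()
		case <-time.After(every):
		}
	}
}
// scripted replays constructed statuses, repeating the last one forever.
func scripted(seq ...string) fetchStatus {
	i := 0
	return func(context.Context) (string, error) {
		s := seq[i]
		if i < len(seq)-1 {
			i++
		}
		return s, nil
	}
}
func main() {
	fmt.Println(waitFinalized(context.Background(), scripted("ready", "processing", "valid"), time.Millisecond))
}
```
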