git.kaiwu.me - haproxy.git/commit
BUG/MEDIUM: acme: skip doing challenge if it is already valid
author    Mia Kanashi <chad@redpilled.dev>
          Sun, 22 Feb 2026 23:04:46 +0000 (01:04 +0200)
committer William Lallemand <wlallemand@haproxy.com>
          Fri, 27 Mar 2026 13:41:11 +0000 (14:41 +0100)
commit    418f0c0bbe1a6663f116fce93d4b3f00d5380a78
tree      246539cfdf37128ebef62bfc4120fdb7c70b7dc3
parent    27d7c69e87d52b86d9b5824f04821a54d8ffec1b

If the server returns an auth with status valid, it seems that the client
needs to always skip it: a CA can recycle authorizations, and without
this change haproxy fails to obtain certificates in that case.
It is also something that is explicitly allowed and stated
in the dns-persist-01 draft RFC.

Note that it would be better to change how haproxy does status polling
and implements the state machine, but that will take some thought
and time; this patch is a quick fix for the problem.

See:
https://github.com/letsencrypt/boulder/issues/2125
https://github.com/letsencrypt/pebble/issues/133

This must be backported to 3.2 and later.
include/haproxy/acme-t.h
src/acme.c
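The situation the commit message describes, as an added example that is not haproxy's code: an ACME client walks the authorizations of an order and, for any authorization the CA has already marked "valid" (a recycled one), answers no challenge at all, while still driving a "pending" one through a challenge and polling. The authorization objects follow the shape of RFC 8555 section 7.1.4; the FakeCA, its URLs and its policy of rejecting a challenge response for an authorization that is not "pending" are constructed here to make the pre-fix failure visible, not a description of any real CA's behaviour.

```python
"""ACME authorization handling that skips already-valid authorizations.

Added example, not haproxy's code. The FakeCA, the ca.test URLs and the
SUPPORTED challenge list are assumptions made for this illustration.
"""
from copy import deepcopy

SUPPORTED = ("http-01", "dns-01")   # assumption: challenge types this client can answer
TERMINAL_FAILURE = {"invalid", "expired", "revoked", "deactivated"}

# Constructed order: the CA reused a still-valid authorization for example.com
# and issued a fresh pending one for www.example.com.
AUTHZS = {
    "https://ca.test/authz/1": {
        "identifier": {"type": "dns", "value": "example.com"},
        "status": "valid",
        "challenges": [
            {"type": "http-01", "url": "https://ca.test/chall/1a", "status": "valid"},
        ],
    },
    "https://ca.test/authz/2": {
        "identifier": {"type": "dns", "value": "www.example.com"},
        "status": "pending",
        "challenges": [
            {"type": "tls-alpn-01", "url": "https://ca.test/chall/2a", "status": "pending"},
            {"type": "http-01", "url": "https://ca.test/chall/2b", "status": "pending"},
        ],
    },
}


class FakeCA:
    """Minimal stand-in for the ACME server side (constructed for this example)."""

    def __init__(self, authzs):
        self.authzs = deepcopy(authzs)

    def fetch_authz(self, url):
        return deepcopy(self.authzs[url])

    def respond_challenge(self, chall_url):
        for authz in self.authzs.values():
            for ch in authz["challenges"]:
                if ch["url"] == chall_url:
                    if authz["status"] != "pending" or ch["status"] != "pending":
                        raise RuntimeError(f"challenge {chall_url} is not pending")
                    ch["status"] = "valid"      # pretend validation succeeded at once
                    authz["status"] = "valid"
                    return
        raise KeyError(chall_url)


def pick_challenge(authz):
    """Return the URL of a supported, still-pending challenge, or None."""
    for ch in authz.get("challenges", []):
        if ch.get("type") in SUPPORTED and ch.get("status") == "pending":
            return ch["url"]
    return None


def authorize(ca, authz_url, max_polls=5):
    """Drive one authorization to a terminal status; return (status, did_challenge)."""
    authz = ca.fetch_authz(authz_url)
    status = authz["status"]
    if status == "valid":           # the fix: nothing to prove, leave its challenges alone
        return status, False
    if status in TERMINAL_FAILURE:
        return status, False
    chall = pick_challenge(authz)
    if chall is None:
        return "invalid", False     # nothing this client can answer; treat as failed
    ca.respond_challenge(chall)
    for _ in range(max_polls):
        status = ca.fetch_authz(authz_url)["status"]
        if status == "valid" or status in TERMINAL_FAILURE:
            break
    return status, True


def authorize_order(ca, authz_urls):
    """Apply authorize() to every authorization URL of an order."""
    return {url: authorize(ca, url) for url in authz_urls}


def authorize_naive(ca, authz_url):
    """Pre-fix behaviour: always answer a challenge, whatever the authz status."""
    authz = ca.fetch_authz(authz_url)
    chall = next(ch["url"] for ch in authz["challenges"] if ch["type"] in SUPPORTED)
    ca.respond_challenge(chall)     # the toy CA refuses this for the recycled authz
    return ca.fetch_authz(authz_url)["status"]


def naive_breaks(ca, authz_url):
    """True if the pre-fix client errors out on this authorization."""
    try:
        authorize_naive(ca, authz_url)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(authorize_order(FakeCA(AUTHZS), list(AUTHZS)))
    print("naive client breaks on recycled authz:",
          naive_breaks(FakeCA(AUTHZS), "https://ca.test/authz/1"))
```

The point of `authorize()` is the early return on "valid": a valid authorization carries no pending challenge to respond to, so the only correct move is to count it as done and move on to finalizing the order. The same check belongs in the polling path, since an authorization can become valid between the moment the order is created and the moment the client looks at it.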