BUG/MEDIUM: acme: fix stalled renewal when opportunistic DNS check fails
authorWilliam Lallemand <wlallemand@irq6.net>
Thu, 30 Apr 2026 18:24:59 +0000 (20:24 +0200)
committerWilliam Lallemand <wlallemand@haproxy.com>
Mon, 4 May 2026 09:06:12 +0000 (11:06 +0200)
In ACME_INITIAL_RSLV_READY, when the opportunistic DNS propagation check
fails and the code falls back to ACME_CLI_WAIT, ACME_RDY_INITIAL_DNS was
left set in cond_ready. Since the CLI-wait path only ever sets ACME_RDY_CLI
on auth->ready, the readiness check in ACME_CLI_WAIT could never be
satisfied, permanently stalling certificate renewal.

Fix this by stripping ACME_RDY_INITIAL_DNS from cond_ready before falling
back to the regular CLI-wait flow. Also replace the &= with a plain
assignment in the success path to make the intent explicit.

No backport needed, 3.4 only.

src/acme.c

index 5d5bfa7d3fc9ebbc597eb3226a0ad6029604a4a7..9f60e90737007a4e385b255a808e64603c2b34c0 100644 (file)
@@ -2604,12 +2604,13 @@ re:
                                /* opportunistic validation, don't do the
                                 * cond_ready steps */
                                st = ACME_CHALLENGE;
-                               ctx->cfg->cond_ready &= ACME_RDY_INITIAL_DNS;
+                               ctx->cfg->cond_ready = ACME_RDY_INITIAL_DNS;
                                ctx->next_auth = ctx->auths;
                                goto nextreq;
                        }
 
-                       /* opportunistic DNS check failed, try the ready_cond */
+                       /* opportunistic DNS check failed, try the ready_cond, remove initial dns as a condition */
+                       ctx->cfg->cond_ready &= ~ACME_RDY_INITIAL_DNS;
                        st = ACME_CLI_WAIT;
                        goto nextreq;
                }
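Review bot: The new `ctx->cfg->cond_ready &= ~ACME_RDY_INITIAL_DNS;` writes through `ctx->cfg`, which by its name looks like per-certificate configuration rather than per-renewal state; if that object outlives this renewal, a single failed opportunistic DNS check would permanently drop the initial-DNS condition for every later renewal of the same certificate, which is not what the commit message describes. The pre-existing store on the success path has the same shape, so this may be deliberate, but it deserves a comment such as `/* cond_ready is re-initialised from the configured conditions at the start of each renewal */` if that is true, or the working mask should live on ctx rather than on cfg. It is also worth confirming how the readiness check in ACME_CLI_WAIT behaves when the mask becomes zero after stripping, i.e. when ACME_RDY_INITIAL_DNS was the only configured condition. The enclosing function starts and ends outside the hunk.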