fix: Challenge not skipped for pre-validated wildcard domain orders

Some CAs auto-validate orders based on account-level rules and do not require a challenge at all. Sectigo introduced a non-standard challenges named 'sectigo-dns-01', presumably to work around this issue in certbot. This also works for non-wildcard domains in acme.sh, but wildcard domains are rejected because acme.sh hard-codes 'dns-01' as the only allowed challenge for wildcard domains, which is not offered by Sectigo. This change simply moves the '"status":"valid"' check up a bit and ignores challenge type mismatches or missing tokens if no challenge is needed anyway.
2025-04-30 22:02:45 +00:00 · 2022-06-22 17:54:49 +02:00 · 2022-06-22 17:54:49 +02:00 · 095697900b
commit 095697900b
parent f897ab4eb8
1 changed files with 17 additions and 25 deletions
--- a/acme.sh
+++ b/acme.sh
@ -4600,19 +4600,18 @@ $_authorizations_map"
        thumbprint="$(__calc_account_thumbprint)"
      fi

-      entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
-      _debug entry "$entry"
      keyauthorization=""
-      if [ -z "$entry" ]; then
-        if ! _startswith "$d" '*.'; then
-          _debug "Not a wildcard domain, lets check whether the validation is already valid."
+
      if echo "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
        _debug "$d is already valid."
        keyauthorization="$STATE_VERIFIED"
        _debug keyauthorization "$keyauthorization"
      fi
-        fi
-        if [ -z "$keyauthorization" ]; then
+
+      entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
+      _debug entry "$entry"
+
+      if [ -z "$keyauthorization" -a -z "$entry" ]; then
        _err "Error, can not get domain token entry $d for $vtype"
        _supported_vtypes="$(echo "$response" | _egrep_o "\"challenges\":\[[^]]*]" | tr '{' "\n" | grep type | cut -d '"' -f 4 | tr "\n" ' ')"
        if [ "$_supported_vtypes" ]; then
@ -4622,7 +4621,6 @@ $_authorizations_map"
        _on_issue_err "$_post_hook"
        return 1
      fi
-      fi

      if [ -z "$keyauthorization" ]; then
        token="$(echo "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
@ -4647,12 +4645,6 @@ $_authorizations_map"
        fi
        keyauthorization="$token.$thumbprint"
        _debug keyauthorization "$keyauthorization"
-
-        if printf "%s" "$response" | grep '"status":"valid"' >/dev/null 2>&1; then
-          _debug "$d is already verified."
-          keyauthorization="$STATE_VERIFIED"
-          _debug keyauthorization "$keyauthorization"
-        fi
      fi

      dvlist="$d$sep$keyauthorization$sep$uri$sep$vtype$sep$_currentRoot"