I spent the day investigating failing tests, because of a single line in Pebble :(
https://github.com/letsencrypt/pebble/blob/master/core/types.go#L66-L69
    // An order is deactivated if **any** of its authzs are deactivated
    if authzStatuses[acme.StatusDeactivated] > 0 {
        return acme.StatusDeactivated, nil
    }
This is not a correct implementation of the ACME spec. The Order object does not have a "deactivated" state. The spec states it should transition to "invalid".
7.1.3 Order Objects
status (required, string): The status of this order. Possible
values are "pending", "ready", "processing", "valid", and
"invalid". See Section 7.1.6.
7.1.6. Status Changes
Page 32: text following "State Transitions for Authorization Objects"
The order also moves to the "invalid"
state if it expires or one of its authorizations enters a final state
other than "valid" ("expired", "revoked", or "deactivated")
Page 33: chart "State Transitions for Order Objects"
    pending --------------+
       |                  |
       | All authz        |
       | "valid"          |
       V                  |
     ready ---------------+
       |                  |
       | Receive          |
       | finalize         |
       | request          |
       V                  |
   processing ------------+
       |                  |
       | Certificate      | Error or
       | issued           | Authorization failure
       V                  V
     valid             invalid
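Added example, not part of the original post and not Pebble's code: a sketch of deriving an order's status from its authorization statuses the way the quoted Section 7.1.6 text and chart describe, so that a deactivated authorization yields an "invalid" order. The function name `orderStatus` and its parameters are assumptions made for illustration.

```go
package main

import "fmt"

// Status strings used by RFC 8555 order and authorization objects.
const (
	Pending, Ready, Processing, Valid, Invalid = "pending", "ready", "processing", "valid", "invalid"
	Expired, Revoked, Deactivated              = "expired", "revoked", "deactivated"
)

// orderStatus is a hypothetical helper (not Pebble's function). It only ever
// returns one of the five order statuses listed in Section 7.1.3.
func orderStatus(authzs []string, expired, finalized, certIssued bool) (string, error) {
	if certIssued {
		return Valid, nil // "valid" has no outgoing transition in the chart
	}
	if expired {
		return Invalid, nil // the order moves to "invalid" if it expires
	}
	pending := 0
	for _, s := range authzs {
		switch s {
		case Valid:
			// nothing to do, this authorization is satisfied
		case Pending:
			pending++
		case Invalid, Expired, Revoked, Deactivated:
			// Any final authz state other than "valid" invalidates the order.
			// "deactivated" is an authorization status, never an order status.
			return Invalid, nil
		default:
			return "", fmt.Errorf("unknown authorization status %q", s)
		}
	}
	switch {
	case pending > 0:
		return Pending, nil
	case finalized:
		return Processing, nil
	}
	return Ready, nil // all authorizations are "valid"
}

func main() {
	// Constructed input: one of two authorizations was deactivated.
	s, err := orderStatus([]string{Valid, Deactivated}, false, false, false)
	fmt.Println(s, err)
}
```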