TLSSNIRevalidation=false should not allow issuance with a valid pending_authzs #4118
It looks like users that successfully posted to
This is an interesting one. It turns out it was fixed recently in #4114, which will go out in the next release.
Here's the code that was supposed to prevent pending challenges from being validated if their challenge type was disabled since they were created:
In particular this:
Was gated by features.TLSSNIRevalidation being true. So disabling that flag meant we could no longer hit this check.
There was a unit test that was supposed to test this path:
However, that test was unexpectedly running with TLSSNIRevalidation=true, because a previous test had set the feature flag and forgot to call
So the test was always passing even though it shouldn't have. Since #4114 deleted the offending test case, there's no cleanup to do there. However, I've filed #4120 to change how we call features.Reset in our unit tests so we are less likely to miss cases like this in the future.
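The failure mode described in the comment above, as an added Go example that is not Boulder's code: a policy check that is only reachable when a global flag is on, and a flag setter that hands back a restore function so a test cannot leak state into the next one. The names `flags`, `setFlag`, `enabledChallenges`, `gatedCheck` and `ungatedCheck` are hypothetical, and the gating is a simplified model of what the comment describes.

```go
package main

import "fmt"

// Hypothetical stand-in for a process-global feature-flag registry.
var flags = map[string]bool{}

// setFlag sets a flag and returns a func that restores the previous state,
// so a test can write `defer setFlag("X", true)()` and leave nothing behind.
func setFlag(name string, on bool) (restore func()) {
	prev, had := flags[name]
	flags[name] = on
	return func() {
		if had {
			flags[name] = prev
		} else {
			delete(flags, name)
		}
	}
}

// Constructed policy: tls-sni-01 was disabled after the authz was created.
var enabledChallenges = map[string]bool{"http-01": true, "dns-01": true}

// gatedCheck models the bug: the "is this challenge type still enabled?"
// test only runs when the flag is on, so flag=false skips it entirely.
func gatedCheck(challType string) error {
	if flags["TLSSNIRevalidation"] && !enabledChallenges[challType] {
		return fmt.Errorf("challenge type %q is disabled", challType)
	}
	return nil
}

// ungatedCheck rejects a disabled challenge type whatever the flag says.
func ungatedCheck(challType string) error {
	if !enabledChallenges[challType] {
		return fmt.Errorf("challenge type %q is disabled", challType)
	}
	return nil
}

func main() {
	_ = setFlag("TLSSNIRevalidation", true) // earlier test drops the restore func
	fmt.Println("flag leaked, gated:  ", gatedCheck("tls-sni-01")) // rejects by accident
	flags = map[string]bool{} // what an isolated run of the same test sees
	fmt.Println("clean state, gated:  ", gatedCheck("tls-sni-01")) // <nil>: check skipped
	fmt.Println("clean state, ungated:", ungatedCheck("tls-sni-01"))
}
```
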