Closed chref closed 3 years ago
I stumbled on this when I got the same error as mentioned in #247. I had previously requested a certificate for "example.com" and "*.example.com" using a different client. Now I wanted to request a new certificate for "example.com" and "www.example.com" with acme_tiny. Since the "example.com" authorization was still valid (and had previously been performed with dns-01 challenge), acme_tiny was unable to re-validate it.
This small change simply skips any authorizations that are still currently valid.
Something like this is needed. I'm currently working on a CI that tests something that uses acme-tiny (it uses Pebble as a CA server), and I created two certs, one for example.org, the second for example.org and example.com, and creating the second cert errors out because the challenge for example.org was already valid.
Parsing account key...
Parsing CSR...
Found domains: example.com, example.org
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying example.org...
example.org verified!
Verifying example.com...
Traceback (most recent call last):
  File "/root/ansible_collections/community/crypto/tests/output/.tmp/output_dir/acme-tiny", line 210, in <module>
    main(sys.argv[1:])
  File "/root/ansible_collections/community/crypto/tests/output/.tmp/output_dir/acme-tiny", line 206, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/root/ansible_collections/community/crypto/tests/output/.tmp/output_dir/acme-tiny", line 158, in get_crt
    _send_signed_request(challenge['url'], {}, "Error submitting challenges: {0}".format(domain))
  File "/root/ansible_collections/community/crypto/tests/output/.tmp/output_dir/acme-tiny", line 73, in _send_signed_request
    return _do_request(url, data=data.encode('utf8'), err_msg=err_msg, depth=depth)
  File "/root/ansible_collections/community/crypto/tests/output/.tmp/output_dir/acme-tiny", line 59, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error submitting challenges: example.com:
Url: https://acme-simulator:14000/chalZ/2jCPCyXAyGa1_K09b_mvai-VK5wPSiYqAg5SGSQgLz0
Data: b'{"protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXNpbXVsYXRvcjoxNDAwMC9jaGFsWi8yakNQQ3lYQXlHYTFfSzA5Yl9tdmFpLVZLNXdQU2lZcUFnNVNHU1FnTHowIiwgImFsZyI6ICJSUzI1NiIsICJub25jZSI6ICJSVTBpem9mRWlDRFE4TzJkcG82TXFnIiwgImtpZCI6ICJodHRwczovL2FjbWUtc2ltdWxhdG9yOjE0MDAwL215LWFjY291bnQvMSJ9", "payload": "e30", "signature": "DGFQivQc742deu2aAxoQvsVjKDMyHCuZokVew9A8bjJRcRfqwwbOhGRp6idbYcYjGCYe2AVq-i0sdLVjW_SrhuFtrU9jWboSwDUoDKE211vXztitFtPVKkZksHjGeVATxxsqrZYiPj1z-05EUtR4vTp6uL-CiJlZ_sdavoLWxVe7yYUvhDZ5Ah-dMrh4FqrqPrcA-qCXQcAfZem6YaOrkJP6aUFtkHPesybVXIcCTwYKnuJgtT30xs4t6lmhXlxoBLzFRBEIIEHSM-r6osU5jZ7JK-W0n_dOk9ip7iN3jesS4cbqsoMjuTnwtgeYHvBXduhaYL1ovB3Gm9C49fUQpg"}'
Response Code: 400
Response: {'type': 'urn:ietf:params:acme:error:malformed', 'detail': 'Cannot update challenge with status valid, only status pending', 'status': 400}
This is without this patch. (I had to do some monkey-patching to disable cert validation etc., so the line numbers are off.)
When applying this patch, it works fine.
Had the exact same problem (domain previously validated with a DNS challenge as part of a separate cert acquired, and then couldn't validate it with acme-tiny using an HTTP challenge). It worked great after applying this change! ❤️
Authorizations that already have a status of "valid" do not need to be validated again (until the authorization expires). Skipping these authorizations makes it possible to obtain certificates for domains for which a dns-01 validation is still valid, as acme_tiny is unable to re-validate them. (The alternative would be to wait up to a month until the authorization expires, or use a different acme client.)
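The selection logic this change describes, as an added example that is not acme-tiny's own code: walk an order's authorization objects (RFC 8555 section 7.1.4), reuse the ones already "valid" (checking they have not expired), submit a challenge only for "pending" ones, and fail clearly on any other status. The sample authorizations, challenge URLs and the `plan_authorizations` helper are constructed for the example.

```python
# Added example (not acme-tiny's own code): given an order's authorization
# objects (RFC 8555 section 7.1.4), reuse those already "valid" instead of
# re-submitting their challenge, which the CA rejects as malformed.
from datetime import datetime, timezone

# Constructed sample authorizations, shaped like the JSON an ACME CA returns.
SAMPLE_AUTHZ = [
    {   # validated earlier via dns-01 by another client; still valid
        "identifier": {"type": "dns", "value": "example.com"},
        "status": "valid", "expires": "2099-01-01T00:00:00Z",
        "challenges": [
            {"type": "dns-01", "status": "valid", "url": "https://ca.example/chal/1"}],
    },
    {   # never validated: the client must answer an http-01 challenge
        "identifier": {"type": "dns", "value": "www.example.com"},
        "status": "pending", "expires": "2099-01-01T00:00:00Z",
        "challenges": [
            {"type": "dns-01", "status": "pending", "url": "https://ca.example/chal/2"},
            {"type": "http-01", "status": "pending", "url": "https://ca.example/chal/3"}],
    },
]

def _expired(authz, now):
    """True if the authorization's 'expires' timestamp is in the past."""
    exp = authz.get("expires")
    return exp is not None and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now

def plan_authorizations(authz_list, challenge_type="http-01", now=None):
    """Return (domains_skipped_as_valid, [(domain, challenge_url) to submit])."""
    now = now or datetime.now(timezone.utc)
    skipped, to_submit = [], []
    for authz in authz_list:
        domain = authz["identifier"]["value"]
        # Already valid (e.g. an earlier dns-01 by another client): nothing to do.
        if authz["status"] == "valid" and not _expired(authz, now):
            skipped.append(domain)
            continue
        # Only "pending" authorizations accept a challenge response.
        if authz["status"] != "pending":
            raise ValueError("cannot validate {0}: authorization is {1}".format(domain, authz["status"]))
        chal = [c for c in authz["challenges"] if c["type"] == challenge_type]
        if not chal:
            raise ValueError("no {0} challenge offered for {1}".format(challenge_type, domain))
        to_submit.append((domain, chal[0]["url"]))
    return skipped, to_submit
```

An expired "valid" authorization is deliberately not skipped: the order would then need re-validation, and the error surfaces instead of a silently unusable certificate request.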