ACMEv2 - Errors during finalization leave order stuck processing. #3403
Description
When a user POSTs an order's finalization URL the RA eventually invokes ra.SA.SetOrderProcessing to mark the order as status processing (or to set BeganProcessing once #3402 has landed). If an error occurs after this point when calling ra.issueCertificate to get the CA to create a certificate, or when calling ra.SA.FinalizeOrder to write the certificate serial & valid order status to the DB, then the order remains stuck in status processing. You can't POST finalize again because the RA only allows pending orders to be switched to processing.
This can also happen in the case where the order isn't fully authorized yet. We set the order to processing before issueCertificate where the authorization state is checked.
The most conservative answer is probably to set the order to an invalid status when this occurs and require the client to submit a new order that will reuse the valid authorizations that existed from the failed order. Allowing finalization of already processing orders breaks the semantics we established for RA->CA order processing. Switching the order back to pending also seems fraught with potentially significant consequences. This is Yet Another fun side-effect of order based issuance :-(
Relates to #3392 - the transient errors specific to the staging env cause 500s during finalization and can provoke this problem.