ipn/localapi: treat ACME "invalid" state as terminal, log more

Fixes #3975

Change-Id: Idb2cc8d4730e140939898c7dcc15c2014acca142
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

ipn/localapi/cert.go

@@ -239,6 +239,7 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 					}
 				}
 				if !ok {
+					logf("starting SetDNS call...")
 					err = h.b.SetDNS(ctx, key, rec)
 					if err != nil {
 						return nil, fmt.Errorf("SetDNS %q => %q: %w", key, rec, err)
@@ -256,26 +257,18 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 		}
 	}
 
-	wait0 := time.Now()
 	orderURI := order.URI
-	for {
-		order, err = ac.WaitOrder(ctx, orderURI)
-		if err == nil {
-			break
+	order, err = ac.WaitOrder(ctx, orderURI)
+	if err != nil {
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
 		}
-		if oe, ok := err.(*acme.OrderError); ok && oe.Status == acme.StatusInvalid {
-			if time.Since(wait0) > 2*time.Minute {
-				return nil, errors.New("timeout waiting for order to not be invalid")
-			}
-			log.Printf("order invalid; waiting...")
-			select {
-			case <-time.After(5 * time.Second):
-				continue
-			case <-ctx.Done():
-				return nil, ctx.Err()
-			}
+		if oe, ok := err.(*acme.OrderError); ok {
+			logf("acme: WaitOrder: OrderError status %q", oe.Status)
+		} else {
+			logf("acme: WaitOrder error: %v", err)
 		}
-		return nil, fmt.Errorf("WaitOrder: %v", err)
+		return nil, err
 	}
 	traceACME(order)
 
@@ -296,10 +289,12 @@ func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME fu
 		return nil, err
 	}
 
+	logf("requesting cert...")
 	der, _, err := ac.CreateOrderCert(ctx, order.FinalizeURL, csr, true)
 	if err != nil {
 		return nil, fmt.Errorf("CreateOrder: %v", err)
 	}
+	logf("got cert")
 
 	var certPEM bytes.Buffer
 	for _, b := range der {