Fix wildcard authorization reuse with DNS-Account-01

The RA rejected wildcard authorizations with DNS-Account-01 challenges
during reuse, though the PA offers DNS-Account-01 for wildcards.

In ra.go:2244-2248, the NewOrder() validation only accepted DNS-01 for
wildcards. This check predates DNS-Account-01 wildcard support (added
after commit 52615d9).

Changes:
- Accept both DNS-01 and DNS-Account-01 for wildcard reuse
- Split validation into two checks (count vs type)
- Add TestNewOrderAuthzReuseDNSAccount01 unit test

The bug only affected authorization reuse (not new authorizations),
which is why existing tests using random domains didn't expose it.

Author: sheurich

ra/ra.go

@@ -2239,13 +2239,20 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 		}
 
 		// If the identifier is a wildcard DNS name, it must have exactly one
-		// DNS-01 type challenge. The PA guarantees this at order creation time,
-		// but we verify again to be safe.
-		if ident.Type == identifier.TypeDNS && strings.HasPrefix(ident.Value, "*.") &&
-			(len(authz.Challenges) != 1 || authz.Challenges[0].Type != core.ChallengeTypeDNS01) {
-			return nil, berrors.InternalServerError(
-				"SA.GetAuthorizations returned a DNS wildcard authz (%s) with invalid challenge(s)",
-				authz.ID)
+		// DNS-01 or DNS-Account-01 type challenge. The PA guarantees this at
+		// order creation time, but we verify again to be safe.
+		if ident.Type == identifier.TypeDNS && strings.HasPrefix(ident.Value, "*.") {
+			if len(authz.Challenges) != 1 {
+				return nil, berrors.InternalServerError(
+					"SA.GetAuthorizations returned a DNS wildcard authz (%s) with %d challenges, expected 1",
+					authz.ID, len(authz.Challenges))
+			}
+			challengeType := authz.Challenges[0].Type
+			if challengeType != core.ChallengeTypeDNS01 && challengeType != core.ChallengeTypeDNSAccount01 {
+				return nil, berrors.InternalServerError(
+					"SA.GetAuthorizations returned a DNS wildcard authz (%s) with invalid challenge type %s",
+					authz.ID, challengeType)
+			}
 		}
 
 		// If we reached this point then the existing authz was acceptable for

ra/ra_test.go

@@ -2120,6 +2120,46 @@ func TestNewOrderAuthzReuseSafety(t *testing.T) {
 	test.AssertContains(t, err.Error(), "SA.GetAuthorizations returned a DNS wildcard authz (1) with invalid challenge(s)")
 }
 
+// TestNewOrderAuthzReuseDNSAccount01 checks that the RA correctly allows reuse
+// of a wildcard authorization with a DNS-Account-01 challenge.
+func TestNewOrderAuthzReuseDNSAccount01(t *testing.T) {
+	_, _, ra, _, _, registration, cleanUp := initAuthorities(t)
+	defer cleanUp()
+
+	ctx := context.Background()
+	idents := identifier.ACMEIdentifiers{identifier.NewDNS("*.zombo.com")}
+
+	// Use a mock SA that returns a valid DNS-Account-01 authz for wildcard
+	expires := time.Now().Add(24 * time.Hour)
+	ra.SA = &mockSAWithAuthzs{
+		authzs: []*core.Authorization{
+			{
+				ID:             "1",
+				Identifier:     identifier.NewDNS("*.zombo.com"),
+				RegistrationID: registration.Id,
+				Status:         "valid",
+				Expires:        &expires,
+				Challenges: []core.Challenge{
+					{
+						Type:   core.ChallengeTypeDNSAccount01,
+						Status: core.StatusValid,
+						Token:  core.NewToken(),
+					},
+				},
+			},
+		},
+	}
+
+	orderReq := &rapb.NewOrderRequest{
+		RegistrationID: registration.Id,
+		Identifiers:    idents.ToProtoSlice(),
+	}
+
+	// Create an order - it should succeed with DNS-Account-01 wildcard reuse
+	_, err := ra.NewOrder(ctx, orderReq)
+	test.AssertNotError(t, err, "NewOrder failed to reuse wildcard authz with DNS-Account-01")
+}
+
 func TestNewOrderWildcard(t *testing.T) {
 	_, _, ra, _, _, registration, cleanUp := initAuthorities(t)
 	defer cleanUp()