acme/autocert: always pass AuthzURLs from AuthorizeOrder to deactivatePendingAuthz

Previously, the o.AuthzURLs slice was sometimes used from the call to
client.WaitOrder at the bottom of the for loop.

By that point, o may be nil if client.WaitOrder returned an error,
which would cause a nil pointer dereference panic inside the deferred
function call. If client.WaitOrder did not return an error, then the
call to deactivatePendingAuthz would use its AuthzURLs slice instead
of the one from client.AuthorizeOrder.

Fixes golang/go#35225
Updates golang/go#21081

Change-Id: I7db055ee1149871b6e5d34a8618526899c68f827
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/203919
Reviewed-by: Alex Vaghin <ddos@google.com>

acme/autocert/autocert.go

@@ -770,9 +770,9 @@ AuthorizeOrderLoop:
 		}
 		// Remove all hanging authorizations to reduce rate limit quotas
 		// after we're done.
-		defer func() {
-			go m.deactivatePendingAuthz(o.AuthzURLs)
-		}()
+		defer func(urls []string) {
+			go m.deactivatePendingAuthz(urls)
+		}(o.AuthzURLs)
 
 		// Check if there's actually anything we need to do.
 		switch o.Status {