The /finalize API returns this response:
{u'detail': u'Order\'s status ("pending") is not acceptable for finalization',
u'status': 403,
u'type': u'urn:ietf:params:acme:error:orderNotReady'}
Which step should I do before invoking the /finalize API?
You need to make sure that all of the authorizations have transitioned to valid. It looks like you may not have triggered one or more challenge verifications.
ALL?
[{u'status': u'pending',
u'token': u'VoqREbzaNeAV1jk9UI02iTHRkF8oIcCEKF06M0E1_po',
u'type': u'http-01',
u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/176076536/Kd6hPQ'},
{u'status': u'pending',
u'token': u'VoqREbzaNeAV1jk9UI02iTHRkF8oIcCEKF06M0E1_po',
u'type': u'dns-01',
u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/176076536/hor1aw'},
{u'status': u'pending',
u'token': u'VoqREbzaNeAV1jk9UI02iTHRkF8oIcCEKF06M0E1_po',
u'type': u'tls-alpn-01',
u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/176076536/QIEj8w'}],
u'expires': u'2020-12-28T02:37:17Z',
I have configured the dns-01 value.
In certbot, it just finalizes one way.
Why should I finalize three auths here?
Only one of them needs to be verified, but currently NONE of them have been triggered for verification.
How do I trigger one of them?
Send a POST request to the challenge URL with an empty object as the payload (NOT an empty payload).
If I get this response
{u'challenges': [{u'error': {u'detail': u'Incorrect TXT record "FYkQRYsy6jZfag615MdouDbY_RQiwNEd5PBDc9GM32g" (and 3 more) found at xxxxx',
u'status': 403,
u'type': u'urn:ietf:params:acme:error:unauthorized'},
u'status': u'invalid',
u'token': ....',
u'type': u'dns-01',
u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/.../...'}],
u'expires': u'2020-12-28T02:37:17Z',
u'identifier': {u'type': u'dns', u'value': .....top'},
u'status': u'invalid'}
Can I trigger the challenge repeatedly?
Nope. Once a challenge fails, the authorization and the order fail.
For www.example.com:
TXT host/name: _acme-challenge.www.example.com
For *.example.com:
TXT host/name: _acme-challenge.example.com
For example.com:
TXT host/name: _acme-challenge.example.com
(yep, the same as for the wildcard)
Why can I dig the right value
dig _acme-challenge......... txt
; <<>> DiG 9.10.6 <<>> _acme-challenge........... txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63436
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.letsencrypt.top. IN TXT
;; ANSWER SECTION:
_acme-challenge........ 411 IN CNAME ........
........... 411 IN TXT ".........."
;; Query time: 23 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Mon Dec 21 13:26:32 CST 2020
;; MSG SIZE rcvd: 146
but still get a pending status
{'Content-Length': '191', 'Strict-Transport-Security': 'max-age=604800', 'Cache-Control': 'public, max-age=0, no-cache', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/176139402>;rel="up"', 'Location': 'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/176139402/b7XPFw', 'Boulder-Requester': '17092284', 'Date': 'Mon, 21 Dec 2020 05:26:46 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '0003VVwSKAWKGXuKlkpkVyJysX2cmbpXjygfpgPe1Me1L-k'}
{u'status': u'pending',
u'token': u'qNLKmybPAbejbLxzmKbB8vG0VSfuBsmZh4QjTcuQBqg',
u'type': u'dns-01',
u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/......../.....'}
pending means the challenge either hasn't been triggered for verification or it just hasn't been checked yet. You need to poll the authorization status repeatedly (with many seconds of delay between) in order to determine the result.
You didn't just use the token value directly given from Let's Encrypt, I hope. For dns-01, you need to use:
value = Base64Encode(SHA256("$token.$accountthumbprint"))
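The challenge/authorization flow the replies above describe (trigger exactly one challenge with an empty JSON object, then poll the authorization until it is valid, and never re-trigger after a failure) as an added example, not code from the thread or from any ACME client. The network calls are injected as callables, and `FakeACME` is a constructed stand-in for the staging server that stays "pending" for two polls after the trigger before reporting the scripted outcome; the URLs and the `wait_for_authz`/`pick_challenge` names are assumptions.

```python
"""Walk one ACME authorization to the point where /finalize is allowed
(RFC 8555 section 7.1.6 state model). Network access is injected so the
example runs offline; plug in a real POST-as-GET / POST function to use it."""
import time
from typing import Callable, Dict, List, Optional

# Once an authorization reaches any of these, polling or re-triggering is pointless.
TERMINAL_FAILURE = {"invalid", "expired", "revoked", "deactivated"}


def pick_challenge(authz: Dict, preferred: str = "dns-01") -> Optional[Dict]:
    """Only ONE challenge per authorization has to succeed; pick the preferred type."""
    for ch in authz["challenges"]:
        if ch["type"] == preferred:
            return ch
    return None


def wait_for_authz(
    authz_url: str,
    get: Callable[[str], Dict],       # POST-as-GET fetch of the authorization object
    trigger: Callable[[str], Dict],   # POST with payload {} to the challenge URL
    preferred: str = "dns-01",
    attempts: int = 10,
    delay: float = 0.0,               # use several seconds against a real server
) -> str:
    """Return 'valid' (safe to call /finalize) or 'invalid' (start a new order)."""
    authz = get(authz_url)
    if authz["status"] == "valid":
        return "valid"
    if authz["status"] in TERMINAL_FAILURE:
        return "invalid"
    ch = pick_challenge(authz, preferred)
    if ch is None:
        raise RuntimeError(f"server offered no {preferred} challenge")
    # The payload must be an empty JSON object, not an empty body.
    trigger(ch["url"])
    for _ in range(attempts):
        time.sleep(delay)
        authz = get(authz_url)
        if authz["status"] == "valid":
            return "valid"
        if authz["status"] in TERMINAL_FAILURE:
            return "invalid"  # no retry: a failed challenge fails the authorization
    raise TimeoutError("authorization still pending after polling")


class FakeACME:
    """Constructed stand-in for the ACME server (not real API behaviour). The
    authorization stays 'pending' until a challenge is triggered, stays 'pending'
    for two more polls (validation not yet performed), then reports `outcome`."""

    def __init__(self, outcome: str = "valid") -> None:
        self.triggered: List[str] = []
        self.polls = 0
        self.outcome = outcome

    def authz(self, url: str) -> Dict:
        status = "pending"
        if self.triggered:
            self.polls += 1
            if self.polls > 2:
                status = self.outcome
        return {
            "status": status,
            "challenges": [
                {"type": "http-01", "status": "pending",
                 "url": "https://acme.example/chall/http"},
                {"type": "dns-01", "status": status if self.triggered else "pending",
                 "url": "https://acme.example/chall/dns"},
            ],
        }

    def trigger(self, url: str) -> Dict:
        self.triggered.append(url)
        return {"status": "pending"}


if __name__ == "__main__":
    server = FakeACME()
    print(wait_for_authz("https://acme.example/authz/1", server.authz, server.trigger))
    print("triggered:", server.triggered, "polls:", server.polls)
```

Only the `dns-01` challenge URL is POSTed; the `http-01` and `tls-alpn-01` entries are left untouched, which is the answer to the "ALL?" question above.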
Oh, I was not aware of this.
I am trying to fix this.
accountthumbprint = Base64Encode(SHA256(JSON_Encode($JWK)))
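The two formulas above, carried out in code as an added example (not code from the thread or from any ACME client): the account key thumbprint per RFC 7638 and the dns-01 TXT value per RFC 8555 section 8.4. The JSON encoding of the JWK that feeds the thumbprint must be canonical: only the public-key members, keys in lexicographic order, no whitespace, and all base64 is the URL-safe alphabet without padding. The token is the one shown earlier in the thread; the RSA modulus in `SAMPLE_JWK` is a constructed placeholder, not a real key.

```python
"""ACME key authorization and dns-01 TXT value from a challenge token and the
account key's JWK thumbprint (RFC 7638; RFC 8555 sections 8.1 and 8.4)."""
import base64
import hashlib
import json

# RFC 7638 section 3.2: only these members, in this (lexicographic) order,
# are hashed. alg, kid, use and any private members are ignored.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """Canonical JSON of the public-key members: sorted keys, no whitespace."""
    kty = jwk["kty"]
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    subset = {name: jwk[name] for name in _THUMBPRINT_MEMBERS[kty]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """accountthumbprint = Base64Encode(SHA256(JSON_Encode(JWK)))"""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url(digest)


def key_authorization(token: str, jwk: dict) -> str:
    """http-01 serves this string verbatim at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """value = Base64Encode(SHA256("$token.$accountthumbprint")); this, not the
    raw token, is what goes into the _acme-challenge TXT record."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


# Constructed sample key (NOT a real RSA key): the modulus is a placeholder and
# the alg/kid members are present only to show that they do not affect the result.
SAMPLE_JWK = {
    "kty": "RSA",
    "alg": "RS256",
    "kid": "example-account",
    "n": "MDEyMzQ1Njc4OUFCQ0RFRg",
    "e": "AQAB",
}
SAMPLE_TOKEN = "VoqREbzaNeAV1jk9UI02iTHRkF8oIcCEKF06M0E1_po"  # from the thread

if __name__ == "__main__":
    print("canonical JWK:", canonical_jwk_json(SAMPLE_JWK))
    print("thumbprint   :", jwk_thumbprint(SAMPLE_JWK))
    print("http-01 body :", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

A quick sanity check before triggering a challenge: the TXT value is 43 characters of base64url, differs from the token, and is identical whether or not the JWK carries `alg` or `kid`; if your client's value changes when those members are present, its JSON encoding is not canonical.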
Thank you.
It works.