A question about /finalize API

The /finalize API returns this response:

{u'detail': u'Order\'s status ("pending") is not acceptable for finalization',
 u'status': 403,
 u'type': u'urn:ietf:params:acme:error:orderNotReady'}

Which step should I do before invoking the /finalize API?

You need to make sure that all of the authorizations have transitioned to valid. It looks like you may not have triggered one or more challenge verifications.

ALL?


[{u'status': u'pending',
                      u'token': u'VoqREbzaNeAV1jk9UI02iTHRkF8oIcCEKF06M0E1_po',
                      u'type': u'http-01',
                      u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/176076536/Kd6hPQ'},
                     {u'status': u'pending',
                      u'token': u'VoqREbzaNeAV1jk9UI02iTHRkF8oIcCEKF06M0E1_po',
                      u'type': u'dns-01',
                      u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/176076536/hor1aw'},
                     {u'status': u'pending',
                      u'token': u'VoqREbzaNeAV1jk9UI02iTHRkF8oIcCEKF06M0E1_po',
                      u'type': u'tls-alpn-01',
                      u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/176076536/QIEj8w'}],
     u'expires': u'2020-12-28T02:37:17Z',

I have configured the dns-01 value.

In certbot, it just finalizes one way.

Why should I finalize three auths here?

Only one of them needs to be verified, but currently NONE of them have been triggered for verification.

How do I trigger one of them?

Send a POST request to the challenge url with an empty object as the payload (NOT an empty payload).

If I get this response:


{u'challenges': [{u'error': {u'detail': u'Incorrect TXT record "FYkQRYsy6jZfag615MdouDbY_RQiwNEd5PBDc9GM32g" (and 3 more) found at    xxxxx',
                             u'status': 403,
                             u'type': u'urn:ietf:params:acme:error:unauthorized'},
                  u'status': u'invalid',
                  u'token': ....',
                  u'type': u'dns-01',
                  u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/.../...'}],
 u'expires': u'2020-12-28T02:37:17Z',
 u'identifier': {u'type': u'dns', u'value': .....top'},
 u'status': u'invalid'}


Can I trigger the challenge repeatedly?

Nope. Once a challenge fails, the authorization and the order fail.

For www.example.com:

TXT host/name: _acme-challenge.www.example.com

For *.example.com:

TXT host/name: _acme-challenge.example.com

For example.com:

TXT host/name: _acme-challenge.example.com

(yep, the same as for the wildcard)

Why can I dig the right value:

dig _acme-challenge......... txt

; <<>> DiG 9.10.6 <<>> _acme-challenge........... txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63436
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.letsencrypt.top. IN	TXT

;; ANSWER SECTION:
_acme-challenge........ 411 IN	CNAME	........
...........	411	IN	TXT	".........."

;; Query time: 23 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Mon Dec 21 13:26:32 CST 2020
;; MSG SIZE  rcvd: 146

but still get a pending status?

{'Content-Length': '191', 'Strict-Transport-Security': 'max-age=604800', 'Cache-Control': 'public, max-age=0, no-cache', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/176139402>;rel="up"', 'Location': 'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/176139402/b7XPFw', 'Boulder-Requester': '17092284', 'Date': 'Mon, 21 Dec 2020 05:26:46 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '0003VVwSKAWKGXuKlkpkVyJysX2cmbpXjygfpgPe1Me1L-k'}
{u'status': u'pending',
 u'token': u'qNLKmybPAbejbLxzmKbB8vG0VSfuBsmZh4QjTcuQBqg',
 u'type': u'dns-01',
 u'url': u'https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/......../.....'}

pending means the challenge either hasn't been triggered for verification or it just hasn't been checked yet. You need to poll the authorization status repeatedly (with many seconds of delay between) in order to determine the result.

You didn't just use the token value directly given from Let's Encrypt, I hope. For dns-01, you need to use:

value = Base64Encode(SHA256("$token.$accountthumbprint"))

Oh, I am not aware of this.

I am trying to fix this.

accountthumbprint = Base64Encode(SHA256(JSON_Encode($JWK)))

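The two formulas from the replies above, put together as an added example (this is not code from the thread or from Let's Encrypt): a Python helper that derives the dns-01 TXT value from the challenge token and the account JWK. It uses base64url without padding, which is what RFC 8555 and RFC 7638 require, and builds the thumbprint from the canonical JSON of the required public JWK members only. The token is the one shown in the thread; the EC key material (`constructed-x`, `constructed-y`) is a placeholder, not a real key.

```python
import base64
import hashlib
import json

# Public members that RFC 7638 includes in the thumbprint, per key type.
# Private members (d, p, q ...) and optional ones (kid, alg, use) are excluded.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, which is what ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """Required members only, keys sorted lexicographically, no whitespace (RFC 7638)."""
    subset = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """accountthumbprint = base64url(SHA-256(canonical JSON of the JWK))."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. For http-01 this exact string
    is served at /.well-known/acme-challenge/<token>; it is NOT hashed there."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Wildcards are validated at the base name, so *.example.com and example.com share a record."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


if __name__ == "__main__":
    # Constructed sample: token from the thread, placeholder EC key (not a real key).
    sample_jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y", "kid": "ignored"}
    token = "VoqREbzaNeAV1jk9UI02iTHRkF8oIcCEKF06M0E1_po"
    print(dns01_record_name("*.example.com"), "TXT", dns01_txt_value(token, sample_jwk))
```

Note that a TXT record holding the raw token, or a value computed with standard base64 (containing `+`, `/` or `=`), will fail validation just like the "Incorrect TXT record" response earlier in the thread.
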
Thank you.

It works.
