Then I triggered the challenge, invoked the /finalize API immediately and got the error response:
{u'status': 403, u'type': u'urn:ietf:params:acme:error:orderNotReady', u'detail': u'Order\'s status ("pending") is not acceptable for finalization'}
So the question is:
How long does an order take to transition from status pending to ready?
It seems that the order status does not change immediately after the challenge.
What is the average time between pending and ready?
But that doesn't ensure anything from the Let's Encrypt side. There is no fixed time after which the order magically changes status. This can vary, perhaps due to high loads.
You can of course poll /finalize randomly, but that's just guesswork. First check the order status, then go to /finalize.
While I fully agree with the functionality of the flow that @JuergenAuer has presented (and have used it myself in the past two versions of my own ACME client), there is a significant benefit to be had by triggering and polling one authorization at a time: your user can address any issues with their FQDNs one at a time. This comes at the cost of completion time via serialization of the process. If you trigger all of the authorization checks at once then poll, your client will probably only report any error it encounters for the first invalid authorization it finds. Fixing the cause of that error then submitting a new order sets up a pattern of repeatedly failing authorizations for other FQDNs that also have errors. If there are enough FQDNs in the list with problems, your user will eventually face the limit of 5 invalid authorizations / FQDN / account / hour. The point is: telling Let's Encrypt to check an authorization associated with an FQDN with a known problem that has not been reported to the user yet (and thus likely hasn't been fixed) creates a pattern of waste with consequences.
If any authorization is failed even once in any order, the entire order fails. You're limited to 5 failed authorizations per FQDN per ACME account per hour.
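The two points above (check the order status before calling /finalize, and report every failing FQDN rather than only the first) can be combined in one polling routine. This is an added example, not code from any post in this thread or from an existing ACME client. `fetch` is a hypothetical callable standing in for the client's signed POST-as-GET request, returning the JSON body and the Retry-After value in seconds, if the server sent one. The URLs and responses are constructed sample data.

```python
import time

class OrderFailed(Exception):
    """Raised when the order is invalid; .problems maps FQDN -> error detail."""
    def __init__(self, problems):
        super().__init__(str(problems))
        self.problems = problems

def failed_authorizations(order, fetch):
    # Report every invalid authorization, not only the first one found.
    problems = {}
    for url in order["authorizations"]:
        authz, _ = fetch(url)
        if authz["status"] == "invalid":
            details = [c["error"]["detail"] for c in authz["challenges"] if "error" in c]
            problems[authz["identifier"]["value"]] = details[0] if details else "unknown"
    return problems

def wait_until_ready(order_url, fetch, timeout=120, default_delay=2, sleep=time.sleep):
    # Poll the order resource; only a "ready" order may be sent to /finalize.
    waited = 0
    while True:
        order, retry_after = fetch(order_url)
        if order["status"] == "ready":
            return order
        if order["status"] == "invalid":
            raise OrderFailed(failed_authorizations(order, fetch))
        if order["status"] != "pending":
            raise RuntimeError("unexpected order status: " + order["status"])
        delay = retry_after or default_delay  # honour Retry-After when present
        if waited + delay > timeout:
            raise TimeoutError("order still pending after %ss" % waited)
        sleep(delay)
        waited += delay

def scripted_fetch(script):
    # Constructed stand-in for an ACME server (assumption, for offline use):
    # each URL yields its scripted responses in order, repeating the last one.
    def fetch(url):
        queue = script[url]
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return fetch

def demo():
    pend = {"status": "pending", "authorizations": ["az1", "az2"]}
    ok = scripted_fetch({"order": [(pend, 1), (pend, None), (dict(pend, status="ready"), None)]})
    return wait_until_ready("order", ok, sleep=lambda s: None)["status"]

if __name__ == "__main__":
    print(demo())
```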
Please don't tag persons (myself at least) after only three hours. In my opinion that's impatient and rude.
Also I would again urge you to open just a single thread pertaining to all your ACME client building efforts. Currently, almost the whole top section of the Client dev section are threads related to a single issue by you: