ACME Email S/MIME - All authorizations were not finalized by the CA

jfiger · October 5, 2025, 8:37pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jfiger.com

I ran this command:
python3 cli.py cert --config-dir . --work-dir . --logs-dir . -e jfiger@figer.com --contact jfiger@gmail.co

It produced this output:
All authorizations were not finalized by the CA.
My web server is (include version):

The operating system my web server runs on is (include version):
Linux or Windows 11 produce the same output
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

MikeMcQ · October 5, 2025, 8:45pm

That is not a public domain name. Let's Encrypt only issues certificates for public names.

What Certificate Authority are you using?

And, what ACME Client does cli.py run? If it is one where did you get it?

jfiger · October 5, 2025, 10:41pm

Sorry, my domain is figer.com
Iuse the acme_email client for the https://acme.castle.cloud/
I downloaded here GitHub - polhenarejos/acme_email: ACME Email Client for EmailReply-00 Challenge
and run in python either on Windows 11 or Ubuntu 24.04 LTS with the root certificate of https://acme.castle.cloud/

webprofusion · October 6, 2025, 12:56am

It's a bug in the client, it will be trying to finalize the order before all the identifiers have been validated, however this seems to involve a custom S/MIME centric ACME server as well, so it doesn't seem like it's anything to do with Let's Encrypt? Or maybe it is, I can't tell.

github.com/polhenarejos/acme_email

persists "status: pending" - All authorizations were not finalized by the CA

opened 05:12AM - 26 Mar 25 UTC

lucafolin

POST requests to https://acme.castle.cloud:443/acme/authz/xxx always return with… "status: pending," and eventually, cli.py fails with the "All authorizations were not finalized by the CA" error message. Is this a problem on the server side, or is something wrong with the client? The log file was something like this: 2025-03-26 05:05:49,899:DEBUG:urllib3.connectionpool:https://acme.castle.cloud:443 "POST /acme/authz/*** HTTP/1.1" 200 None 2025-03-26 05:05:49,899:DEBUG:acme.client:Received response: HTTP 200 Date: Wed, 26 Mar 2025 05:05:49 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive location: https://acme.castle.cloud/acme/authz/*** replay-nonce: *** x-frame-options: DENY x-content-type-options: nosniff referrer-policy: same-origin vary: Origin access-control-allow-origin: * strict-transport-security: max-age=7776000 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=***"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92641d7e6b03eddc-MXP Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11962&min_rtt=10431&rtt_var=279&sent=145&recv=110&lost=0&retrans=0&sent_bytes=51846&recv_bytes=36206&delivery_rate=408311&cwnd=257&unsent_bytes=0&cid=67c0ca20ee4cadcd&ts=176639&x=0" {"status": "pending", "expires": "2025-03-27T05:02:56.524Z", "identifier": {"type": "dns", "value": "aaa@aaa.com"}, "challenges": [{"url": "https://acme.castle.cloud/acme/chall/IT3tSWVBWNf", "type": "email-reply-00", "token": "***", "status": "processing", "from": "acme@castle.cloud"}]} 2025-03-26 05:05:49,900:DEBUG:acme.client:Storing nonce: **** 2025-03-26 05:05:49,901:DEBUG:certbot._internal.error_handler:Encountered exception: Traceback (most recent call last): File "/home/luke/acme_email/venv/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort) File "/home/luke/acme_email/venv/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 216, in _poll_authorizations raise errors.AuthorizationError('All authorizations were not finalized by the CA.') certbot.errors.AuthorizationError: All authorizations were not finalized by the CA. 2025-03-26 05:05:49,902:DEBUG:certbot._internal.error_handler:Calling registered functions 2025-03-26 05:05:49,902:INFO:certbot._internal.auth_handler:Cleaning up challenges 2025-03-26 05:05:49,902:DEBUG:certbot._internal.log:Exiting abnormally: Traceback (most recent call last): File "/home/luke/acme_email/cli.py", line 264, in <module> main(args) File "/home/luke/acme_email/cli.py", line 202, in main request_cert(args, config) File "/home/luke/acme_email/cli.py", line 124, in request_cert cert_path, chain_path, fullchain_path = certbot_main._csr_get_and_save_cert(config, le_client) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/luke/acme_email/venv/lib/python3.12/site-packages/certbot/_internal/main.py", line 1493, in _csr_get_and_save_cert cert, chain = le_client.obtain_certificate_from_csr(csr) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/luke/acme_email/venv/lib/python3.12/site-packages/certbot/_internal/client.py", line 329, in obtain_certificate_from_csr orderr = self._get_order_and_authorizations(csr.data, best_effort=False) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/luke/acme_email/venv/lib/python3.12/site-packages/certbot/_internal/client.py", line 492, in _get_order_and_authorizations authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/luke/acme_email/venv/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort) File "/home/luke/acme_email/venv/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 216, in _poll_authorizations raise errors.AuthorizationError('All authorizations were not finalized by the CA.') certbot.errors.AuthorizationError: All authorizations were not finalized by the CA. 2025-03-26 05:05:49,905:ERROR:certbot._internal.log:All authorizations were not finalized by the CA.

webprofusion · October 6, 2025, 1:13am

Digging into this out of interest, this is a special ACME server that does email validation, so presumably RFC 8823 - Extensions to Automatic Certificate Management Environment for End-User S/MIME Certificates

You should raise the issue with the Castle ACME server people as it's their client as well.

MikeMcQ · October 6, 2025, 2:02am

Not related to Let's Encrypt that I can tell either

But, their ACME Client uses Certbot. And, as we know well, for any error Certbot suggests people come to this forum even for problems using other Certificate Authorities (CA).

@jfiger Certbot is a popular ACME Client to get Let's Encrypt certificates (an ACME Server). But, Certbot is maintained by the EFF. We do not focus on helping people when using it with other CA. Sometimes a volunteer will offer a suggestion anyway but problems are better directed to Certbot's github or the Certificate Authority. Just adding this added background for clarity.

From the ACME Email S/MIME github:

Certbot is a powerful software for managing the ACME procedure, but it only supports "dns" Identifier Types in the CSR, which is incompatible with S/MIME certificates requiring "email" Identifier Types. To address this, the client provides a workaround using the --csr parameter to accept external CSRs. The client comprises ...

orangepizza · October 6, 2025, 2:25am

when I touched that that server did something weird (iirc using dns identifier but filled with email address) so I don't think id support anything other then their own client

system · November 5, 2025, 2:26am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
No Email x.509 Certs? Help	48	4983	December 20, 2017
Issue with ssl.com's ACME implementation Client dev	16	2517	September 22, 2021
AssertionError: Authorizations list is empty Server	3	2189	February 1, 2016
Client receives "Error creating new cert" message from server Help	10	6296	December 5, 2015
Issue while using other domain name than "www.certes-ci.dymetis.com" Help	9	956	September 28, 2019

ACME Email S/MIME - All authorizations were not finalized by the CA

Related topics