ACME v2 order stuck in "processing" state

Hi,

I am working on updating our internal ACME client to support the new ACME v2 protocol. However, I am running into an issue with orders being stuck in the “processing” state.

Here is an example order, with two (failed, invalid) authorizations:

https://acme-staging-v02.api.letsencrypt.org/acme/order/5443856/3128

Both authorizations are correctly flagged as invalid, however the order is forever in the processing status.

This is the response when I first attempted to finalize the order:

{'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Error finalizing order :: authorizations for these names not found or expired: eirikrye.no, www1.eirikrye.no', 'status': 403}

This is fair. However, I would expect this to change the status of my order from pending to invalid.

For subsequent requests to finalize the order, I receive this response:

{'type': 'urn:ietf:params:acme:error:malformed', 'detail': 'Order\'s status ("processing") was not pending', 'status': 400}

According to the ACME specification, a status of processing means:

The server agrees that the requirements have been
fulfilled, and is in the process of generating the certificate.
Retry after the time given in the “Retry-After” header field of
the response, if any.

This is obviously incorrect in the case for this order as the authorizations have both failed, and the requirements have not been fulfilled. The expected status for this order would be invalid.

The problem this causes is that it is impossible for the same account to create a new order for the same identifiers, as a newOrder request will only return the same (processing) order.

Hi, this is a known bug with the staging v2 API.

If your validation fails it keeps giving you the same set of (invalid) authorizations for the same order content. You can work round this in testing by varying your domains (test1.test.com, test2.test.com, *.test1.test.com etc.).


In addition to the bug @webprofusion linked (thanks!) there is also this bug https://github.com/letsencrypt/boulder/issues/3403 which will hopefully be fixed shortly. As you mention, failing the finalization should switch the order to an invalid status.

Thanks for your patience,
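
A client-side guard for the state described in this thread, as an added example that is not part of any post and is not Boulder's code: it treats an order that reports "processing" while any of its authorizations has failed as stuck, instead of polling it indefinitely. The function names, the `fetch_order` and `fetch_authz` callables and the sample objects are assumptions; the status values are those defined by the ACME specification.

```python
import time
from typing import Callable, Iterable, Optional, Tuple

# Authorization statuses that can never lead to issuance.
FAILED_AUTHZ = {"invalid", "expired", "deactivated", "revoked"}

def order_action(order: dict, authz_statuses: Iterable[str]) -> str:
    """Map an order object and its authorization statuses to a client action."""
    status = order.get("status")
    authz = list(authz_statuses)
    if status == "invalid":
        return "abandon"
    if status == "valid":
        return "download"
    if any(s in FAILED_AUTHZ for s in authz):
        # Requirements were never fulfilled, so no certificate is coming.
        # "processing" here is the inconsistent state reported in the thread.
        return "stuck" if status == "processing" else "abandon"
    if status == "processing":
        return "wait"
    if authz and all(s == "valid" for s in authz):
        return "finalize"
    return "validate"  # challenges still outstanding

def poll_order(fetch_order: Callable[[], Tuple[dict, Optional[int]]],
               fetch_authz: Callable[[dict], Iterable[str]],
               max_polls: int = 5,
               sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll with a hard cap; fetch_order returns (order, Retry-After seconds or None)."""
    for _ in range(max_polls):
        order, retry_after = fetch_order()
        action = order_action(order, fetch_authz(order))
        if action != "wait":
            return action
        sleep(retry_after or 1)
    return "timeout"

if __name__ == "__main__":
    # Constructed sample mirroring the thread: order "processing", both authorizations invalid.
    order = {"status": "processing", "authorizations": ["authz-1", "authz-2"]}
    print(poll_order(lambda: (order, None), lambda o: ["invalid", "invalid"]))
```

A "stuck" or "timeout" result is the point to stop retrying finalization and record the order URL; for staging tests, the reply above suggests varying the identifiers.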
