Authorization already pending

Hello,
I'm not sure if this is the proper place to post, but here it goes.

For a few days or weeks, I can't say exactly, when creating a request to issue the actual cert, the error
"Unable to update challenge :: authorization must be pending"
is displayed. I'm using GitHub - skoerfgen/ACMECert: PHP client library for Let's Encrypt and other ACME v2 - RFC 8555 compatible Certificate Authorities, but Yaac has the same issue.

This error doesn't disappear after a time.

Is this a recent change in ACME?

Thanks for any help!

1 Like

Same error. What does the actual auth link say?

3 Likes

Are you using the newest version of ACMECert? (If not, update and try again please.)

To narrow it down it would be very helpful if you could get the status of the authorization (authz) in question.

To do this you can remove the protected keyword from line 164 in src/ACMEv2.php to make the request method public. Then you can run it on your authorization url, like this:

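```php
// Requires request() to have been made public as described above
$ac = new ACMECert(....);
$ac->loadAccountKey(....);
// Fetch and print the authorization object, including its status
print_r($ac->request('https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxxxx'));
```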

What response do you get?

2 Likes

Update: It seems the authorization in question is not in pending and not in valid state (which it should be), when receiving the error Unable to update challenge :: authorization must be pending:

On the other hand, when a new Order is created, only pending and valid authorizations are reused/created:

So, one obvious explanation could be that there are multiple ACMECert instances running simultaneously using the same account-key and at least one common domain name. In this case they would share the same authorization(s), which then leads to this error (on the second slower instance). (It could even be on different servers running a cronjob at the same time for the same domain-names)

So I think I have found the cause. This happens when I try to verify DNS although the record doesn't exist. Yaac verifies the records using Cloudflare's DNS over HTTPS API, and apparently LE servers have gotten quite a lot slower (or have some changed DNS caching settings / Cloudflare got faster). My program didn't check for this.

The error for ACMECert seems to be not related.

Thanks for all the help.

3 Likes
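Added example, not part of the original thread and not ACMECert's or Yaac's own code: a pre-flight check covering both causes discussed above, which only responds to a dns-01 challenge while the authorization is still `pending` and every queried nameserver already serves the expected TXT value. The function names and sample data are hypothetical, and the per-nameserver TXT answers are assumed to be collected separately by querying each authoritative nameserver.

```php
<?php
// Added example: hypothetical helper names, not an API of ACMECert or Yaac.

// dns-01 TXT value (RFC 8555 section 8.4):
// base64url(SHA-256(keyAuthorization)) without padding.
function dns01_txt_value(string $keyAuthorization): string {
    $digest = hash('sha256', $keyAuthorization, true);
    return rtrim(strtr(base64_encode($digest), '+/', '-_'), '=');
}

// Decide what to do with an authorization object (RFC 8555 section 7.1.4)
// before POSTing to one of its challenge URLs.
// $observedTxt maps nameserver => list of TXT values it returned.
function next_step(array $authz, array $observedTxt, string $expectedTxt): string {
    switch ($authz['status'] ?? '') {
        case 'valid':
            // Already validated, e.g. by a parallel run on the same account key.
            return 'skip';
        case 'pending':
            if ($observedTxt === []) {
                return 'wait:no-data';
            }
            // Trigger validation only once every nameserver serves the record;
            // a failed validation turns the authorization invalid.
            foreach ($observedTxt as $ns => $values) {
                if (!in_array($expectedTxt, $values, true)) {
                    return "wait:$ns";
                }
            }
            return 'respond';
        default:
            // invalid, deactivated, expired, revoked: responding now yields
            // "authorization must be pending", so start a new order instead.
            return 'new-order';
    }
}

// Constructed sample data (not taken from the thread).
$expected = dns01_txt_value('constructed-token.constructed-thumbprint');
$pending  = ['status' => 'pending', 'identifier' => ['type' => 'dns', 'value' => 'example.org']];
$invalid  = ['status' => 'invalid'] + $pending;
$partial  = ['ns1.example.net' => [$expected], 'ns2.example.net' => []];
$complete = ['ns1.example.net' => [$expected], 'ns2.example.net' => [$expected]];

echo next_step($pending, $partial, $expected), "\n";
echo next_step($pending, $complete, $expected), "\n";
echo next_step($invalid, $complete, $expected), "\n";
```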
