Can someone please confirm a few behaviors of the spec regarding failed challenges for me?

From my understanding of the ACME spec and the boulder/pebble implementations…

  • Once a Challenge fails, its status is marked “invalid” and it may not be triggered again.
  • Assuming a client is only supporting http-01 authorization, once that challenge status transitions to “invalid”, the order is essentially “invalid”. To retry the authorization/challenge for the domain, a client must request a new order.
  • The Acme Server may recycle the Authorization Objects and/or Challenge Objects, but they will be part of a new order.

Is that correct?


Hi @jvanasco

That's correct. But it's not relevant if the client supports one or more validation types.

One challenge failed -> the order is failed. It's not possible:

  • create a new order
  • trying http-validation + failing
  • trying dns validation (of the same order) + works
  • order is ready -> finalize
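
The order/authorization/challenge rules from this reply, as an added example (not code from the thread or from any ACME client): a small decision helper for an http-01-only client that reads the status fields RFC 8555 defines and says whether the next step is to answer a challenge, finalize, poll, or give up on the order and create a new one. The `acme.example` URLs and the sample objects are constructed for the example.

```python
# Added example (not from the thread): applies the RFC 8555 status rules
# described above. Field names follow RFC 8555 section 7.1.

NEEDS_NEW_ORDER = {"invalid", "expired", "deactivated", "revoked"}

def plan_next_step(order, authzs):
    """Return the next action for an http-01-only client.
    order  -- the order object; its "authorizations" list holds authz URLs
    authzs -- dict mapping each authz URL to its authorization object
    Result: "new-order", "finalize", "wait", or "respond:<challenge url>".
    """
    if order["status"] == "invalid":
        # A failed challenge invalidates its authorization and thus the
        # order; nothing on this order can be retried. Create a new order.
        return "new-order"
    if order["status"] == "ready":
        return "finalize"
    if order["status"] in ("processing", "valid"):
        return "wait"
    # order is "pending": look for an authorization that still needs work
    for url in order["authorizations"]:
        authz = authzs[url]
        if authz["status"] in NEEDS_NEW_ORDER:
            return "new-order"   # the order will be (or already is) invalid
        if authz["status"] != "pending":
            continue             # "valid": nothing left to do here
        for chal in authz["challenges"]:
            if chal["type"] != "http-01":
                continue         # this client only answers http-01
            if chal["status"] == "pending":
                return "respond:" + chal["url"]
            if chal["status"] == "processing":
                return "wait"    # server is still validating; poll again
            return "new-order"   # "invalid": never POST to this URL again
    return "wait"

# Constructed sample objects: an order whose only http-01 challenge failed
# (the situation discussed above) and a fresh order with an open challenge.
FAILED_ORDER = {"status": "invalid",
                "authorizations": ["https://acme.example/authz/1"]}
FAILED_AUTHZS = {"https://acme.example/authz/1": {"status": "invalid", "challenges": [
    {"type": "http-01", "url": "https://acme.example/chal/1", "status": "invalid",
     "error": {"type": "urn:ietf:params:acme:error:unauthorized"}}]}}
NEW_ORDER = {"status": "pending",
             "authorizations": ["https://acme.example/authz/2"]}
NEW_AUTHZS = {"https://acme.example/authz/2": {"status": "pending", "challenges": [
    {"type": "dns-01", "url": "https://acme.example/chal/2", "status": "pending"},
    {"type": "http-01", "url": "https://acme.example/chal/3", "status": "pending"}]}}
```

The helper also returns "new-order" when an authorization object has already gone invalid even though the order object has not yet been re-fetched, which matches the rule that the order cannot recover from a failed challenge.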

Thank you, Juergen.

We are only supporting http-01 challenge at this time, and not requesting other challenges. I wanted to make sure that a “new order” was the correct way to retry a failed order.


There is no other way to do that.

