Can't Validate Certificates


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
libertymgt.net and www.libertymgmt.net

I ran this command:
I am using the PHP client at https://github.com/acmephp/acmephp

When I attempt to finalize an order and validate it, I don’t seem to be able to. I believe I am getting the following error from the request certificate call. I am really wondering if our account has been locked up or is being rate limited; I'm just not sure how to check. The email on the account should be tech@kohva.com or jim@kohva.com

It produced this output:
Certificate request failed (response: The order has not been validated)

My web server is (include version):
We are using a distributed system, but the primary web server is nginx, and our system for providing the web validation is custom built, as it's coming from a database and serving to the website as needed.

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes but it is in a distributed database driven system.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

Hi @jimKohva

Are you sure that there isn’t an error? Can you place a file at /.well-known/acme-challenge/123456789, so it can be tested by loading http://www.libertymgmt.net/.well-known/acme-challenge/123456789

What does this mean:

Certificate request failed (response: The order has not been validated)

  • Validation failed (file not found, wrong content)
  • Or was the finalize URL used before calling all challenge URLs?

PS: Do you use v2 and do you check the new ready-state?


#3

I got the www domain spelled wrong; it should be the same as the first one, so http://www.libertymgt.net/.well-known/acme-challenge/123456789. I put a sample “file” in there for testing. This is all done with dynamic routing.

I am using v2, as the endpoint I am calling for the validation is below:
https://acme-v02.api.letsencrypt.org/acme/challenge/DQAWtF_zlR-shyImZS6rxC7I4P5x3zHChLCkV7nio-0/5557837564

I am also receiving back a valid flag of true, a status flag of valid and pending as false.

It was working without issue until yesterday. We had a domain begin to fail so I am concerned that we may have hit a failure rate limit.


#4

https://acme-v02.api.letsencrypt.org/acme/challenge/DQAWtF_zlR-shyImZS6rxC7I4P5x3zHChLCkV7nio-0/5557837564

looks fine. If the other challenge (libertymgt.net) is also valid and because you use v2, then it’s a problem with the new ready-state:

Your client may not support this new state, which is now active on v2.

Can you switch back to v1? Or is there a client-update?


#5

Now you have a valid Letsencrypt-certificate, created today:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.libertymgt.net&lu=cert_search

https://transparencyreport.google.com/https/certificates/5B%2BL8P6QloI8jNpOerAwnYrNG7WKfPZupg80AD4vY9w%3D


#6

Thanks Juergen

It was the ready state; I just had to update my client and it started working. Thanks again.
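
The ready state that resolved this thread, as an added example that is not part of any post and is not acmephp's code: under RFC 8555 an order moves from pending to ready to processing to valid, and the CSR is sent to the finalize URL only while the order is ready. Function names, URLs and the polled order objects are constructed for illustration.

```python
# Added example: ACME v2 order states per RFC 8555 section 7.1.6.
# Function names and all sample data below are constructed for illustration.

ORDER_NOT_READY = "urn:ietf:params:acme:error:orderNotReady"

def next_action(order, authz_statuses):
    """Return what a client should do next for a decoded order object."""
    status = order.get("status")
    if status == "invalid" or "invalid" in authz_statuses:
        return "abandon"                  # start over with a new order
    if status == "pending":
        # Some authorization is not valid yet; finalizing now is rejected.
        return "complete-authorizations"
    if status == "ready":
        # Every authorization is valid: POST the CSR to order["finalize"].
        return "finalize"
    if status == "processing":
        return "poll-order"               # issuance in progress
    if status == "valid":
        return "download-certificate"     # fetch order["certificate"]
    raise ValueError(f"unknown order status: {status!r}")

def retry_after_finalize_error(problem):
    """True if a finalize error only means the order was not ready yet."""
    return problem.get("type") == ORDER_NOT_READY

# Constructed sequence of server responses for one two-name order.
SAMPLE_POLLS = [
    ({"status": "pending"}, ["valid", "pending"]),
    ({"status": "ready", "finalize": "https://acme.example/order/1/finalize"},
     ["valid", "valid"]),
    ({"status": "processing"}, ["valid", "valid"]),
    ({"status": "valid", "certificate": "https://acme.example/cert/1"},
     ["valid", "valid"]),
]

def walk(polls):
    """Map each polled (order, authorization statuses) pair to an action."""
    return [next_action(order, authz) for order, authz in polls]

if __name__ == "__main__":
    for (order, _), action in zip(SAMPLE_POLLS, walk(SAMPLE_POLLS)):
        print(f"{order['status']:<10} -> {action}")
```

A client that treats any status other than pending or valid as a failure stops at the second poll, even though every challenge reports valid.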

