Cert issue, certificate stuck in pending state

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.carrefouruae.com

We are getting a message: "2020-07-03 16:29 GMT Let’s Encrypt: Order\u0027s status ("


You need to ask Akamai to look into it.

Let’s Encrypt orders don’t get “stuck” in a pending state, this is something that is local to the Akamai ACME client and they would be able to check the status of your order internally.


The error message Akamai gets back from LE is
{"message":"urn:ietf:params:acme:error:caa","detail":"Error finalizing order :: While processing CAA for www.carrefourjordan.com: DNS problem: SERVFAIL looking up CAA for carrefourjordan.com - the domain\u0027s nameservers may be malfunctioning"}

Order URL: https://acme-v02.api.letsencrypt.org/acme/order/131/4110433235

What is the proper lookup we should do for CAA records so we can avoid this issue? I am assured that none of the domains in this order have CAA records.

Akamai retried this with a new order and this time it succeeded. Nothing changed about the CAA records, as far as I know.

New order URL: https://acme-v02.api.letsencrypt.org/acme/order/131/4114006495

Hi @tiday

Checking your domain, that's curious. Unboundtest - no error, not for non-www, not for www. Same with a local unbound instance.

But checking your domain via https://check-your-website.server-daten.de/?q=carrefourjordan.com there is a problem visible.

One name server is buggy:

Some X - Warnings:

X Fatal error: Nameserver doesn't support TCP connection: keu.carrefour.com / 213.137.173.17: Timeout
X Fatal error: Nameserver doesn't support TCP connection: keu.carrefour.com / 2a00:2000:4701:d::1: Timeout
X Nameserver Timeout checking Echo Capitalization: keu.carrefour.com / 213.137.173.17
X Nameserver Timeout checking Echo Capitalization: keu.carrefour.com / 2a00:2000:4701:d::1
X Nameserver Timeout checking EDNS512: keu.carrefour.com / 213.137.173.17
X Nameserver Timeout checking EDNS512: keu.carrefour.com / 2a00:2000:4701:d::1

So checking the CAA record: if that name server is used -> Servfail. If other name servers are used -> no problem.
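One way to reproduce the per-nameserver check discussed in this thread, as an added example that is not from any poster, Let's Encrypt or Akamai: it lists the names a CA walks for CAA (RFC 8659 climbs from the full name toward the root, which is why the error names carrefourjordan.com while processing www.carrefourjordan.com) and sends a CAA query to one authoritative server over UDP and then TCP. The script name `caa_probe.py` and all function names are hypothetical; the nameserver IPs are passed on the command line.

```python
import socket
import struct
import sys

CAA = 257  # CAA resource record type (RFC 8659)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def caa_search_names(fqdn):
    """Names a CA walks for CAA, from the full name up to the TLD."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def build_query(name, txid=0x1234):
    """Wire-format CAA query with RD=0 (sent straight to an authoritative server)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", CAA, 1)

def parse_status(resp):
    """Return (rcode, truncated flag, answer count) from a DNS response header."""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    return RCODES.get(flags & 0xF, str(flags & 0xF)), bool(flags & 0x0200), ancount

def probe(server_ip, name, tcp, timeout=3.0):
    """Query one nameserver over UDP or TCP; a timeout is reported, not raised."""
    query = build_query(name)
    try:
        if tcp:
            with socket.create_connection((server_ip, 53), timeout=timeout) as s, s.makefile("rb") as f:
                s.sendall(struct.pack(">H", len(query)) + query)  # 2-byte length prefix on TCP
                size = struct.unpack(">H", f.read(2))[0]
                return parse_status(f.read(size))
        family = socket.AF_INET6 if ":" in server_ip else socket.AF_INET
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server_ip, 53))
            return parse_status(s.recvfrom(4096)[0])
    except socket.timeout:
        return ("TIMEOUT", False, 0)
    except (OSError, struct.error) as exc:  # refused, unreachable, or short reply
        return ("ERROR: %s" % exc, False, 0)

if __name__ == "__main__":  # usage: caa_probe.py <domain> <nameserver-ip> [...]
    for ip in sys.argv[2:]:
        for tcp in (False, True):
            print(ip, "TCP" if tcp else "UDP", probe(ip, sys.argv[1], tcp))
```

A server that answers NOERROR over UDP but returns TIMEOUT over TCP matches the pattern in the report above; run it against every authoritative server for the zone, since a resolver may pick any of them.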
