Certificate order becomes valid without posting a CSR?

Hi,
Is it possible that a certificate order will become valid without posting a CSR?
We can see several orders (I think it's only for retry orders where we got a 500 internal server error from Let's Encrypt before, so we retried ordering) that become valid before we even post the CSR for the order. We suspect that this situation causes a mismatch between the private key and the certificate.

I will describe the situation:

  1. We order a certificate for domain domain.com with private key A
  2. The order fails at some point with a 500 error from Let's Encrypt
  3. We retry ordering the certificate for domain.com with private key B
  4. The order finishes successfully, but private key B does not match the certificate. Private key A was dropped, so I cannot tell for sure that it matches… but it probably will

Any idea how to correctly handle such a scenario? How can we prevent such cases? How can we make sure every new order will request a CSR and not become valid without it?

Thanks

It shouldn’t be possible for that to happen.

The only way an order can transition from ready to valid is when it is finalized - when the CSR is posted.

If you have any examples of orders finalizing with the wrong CSR, could you post the order URLs and any timestamps that you have?

Do you mean you try finalizing again? Or you are making an entirely new order?

Which operation is failing with the 500? Finalization or something earlier?

Thanks for the response.
Here is a log line we print just before invoking the finalize API with the CSR:
It may be the retry of a previously failed finalization operation, but I don't have the logs (they are printed in debug mode only, so I don't have them now)

Jun 17 10:31:19 orders-manager-749d99d65b-9pp64 orders-manager Cannot finalize order which is not in "ready" status. Get order body:'{"status":"processing","expires":"2020-06-24T07:30:40Z","identifiers":[{"type":"dns","value":"*.1244c5ac-2225.us-south.knative.test.appdomain.cloud"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/5294364876"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/51050338/3803735018"

I suppose this timeline is possible:

  • Finalization submitted with CSR#1, returned a 500
  • Despite the 500, the finalization proceeded anyway (maybe an RPC timeout)
  • Finalization retried by client with CSR#2, but because the original finalization actually went through, it predictably fails.

That’s very speculative, but thanks for posting the URL. A staff member might be willing to look the order up during the coming week.

Ok, thanks! I will follow up with that…

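The timeline suggested in the replies (finalize answers 500 but the order still moves to processing), as an added example that is not code from the thread, the poster's client, or Let's Encrypt. `FakeCA`, the key labels and the action names are constructed for illustration; the order statuses and the 403 for a non-ready order follow RFC 8555.

```python
import json

def next_action(order_body, csr_already_sent):
    """Map an ACME order status (RFC 8555) to the client's next step."""
    status = json.loads(order_body)["status"]
    if status == "pending":
        return "complete_authorizations"
    if status == "ready":
        return "post_csr"                      # no CSR accepted yet
    if status in ("processing", "valid"):
        if not csr_already_sent:
            return "new_order"                 # finalized by a CSR we do not hold
        return "poll" if status == "processing" else "download_and_check_key"
    return "new_order"                         # "invalid" or unknown status

class FakeCA:
    """Constructed in-memory stand-in: accepts the CSR but answers 500."""
    def __init__(self):
        self.status, self.bound_key = "ready", None

    def finalize(self, key_id):
        if self.status != "ready":
            return 403                         # orderNotReady
        self.status, self.bound_key = "processing", key_id
        return 500                             # reply lost, issuance continues

    def order(self):
        body = json.dumps({"status": self.status})
        if self.status == "processing":
            self.status = "valid"              # issuance completes before next poll
        return body

def finalize_keeping_key(ca, key_id, max_polls=5):
    """Finalize, then trust the order object rather than the HTTP status."""
    ca.finalize(key_id)
    for _ in range(max_polls):
        action = next_action(ca.order(), csr_already_sent=True)
        if action == "post_csr":
            ca.finalize(key_id)                # retry with the SAME key and CSR
        elif action == "download_and_check_key":
            # Stand-in for comparing the certificate's public key to the kept key.
            return ca.bound_key == key_id
        elif action != "poll":
            break
    return False

def naive_retry_with_new_key(ca):
    """The thread's failure mode: key A is dropped after the 500, key B is kept."""
    first, second = ca.finalize("key-A"), ca.finalize("key-B")
    return first, second, ca.bound_key == "key-B"
```

In a real client the `download_and_check_key` step would compare the public key in the downloaded certificate with the retained private key before any older key is discarded.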