Correctly handing invalid order

natiueno · February 7, 2023, 7:29pm

I would like to confirm invalid order error is always unrecoverable error, so we shouldn't automatically retry on this without manual verification.

jvanasco · February 7, 2023, 7:48pm

A failed Challenge will cause an Authorization to become invalid.
A single failed Authorization will cause the entire Order to become invalid.

A client should test the Challenge itself before triggering the ACME server.

A client must submit a new Order to replace the failed Order for a new Authorization attempt. The ACME server may recycle the old Order if it is identical to the failed Order, and may utilize previously completed Authorizations associated with the Account.

natiueno · February 7, 2023, 8:46pm

Thank you so much for quick clarification. Our clients validate all authorization succeed, and then check order. Is that possible to get InvalidOrder even if all authorization succeed? We have history to observe this but this is two years ago and we haven't saved details.

jvanasco · February 7, 2023, 9:07pm

Yes, it's not likely but it can happen. "Invalid" is the state for an order with any error or authorization failure. Failed authorizations are the most common reason. See the RFC transition section:

https://www.rfc-editor.org/rfc/rfc8555#section-7.1.6

Order objects are created in the "pending" state. Once all of the
authorizations listed in the order object are in the "valid" state,
the order transitions to the "ready" state. The order moves to the
"processing" state after the client submits a request to the order's
"finalize" URL and the CA begins the issuance process for the
certificate. Once the certificate is issued, the order enters the
"valid" state. If an error occurs at any of these stages, the order
moves to the "invalid" state. The order also moves to the "invalid"
state if it expires or one of its authorizations enters a final state
other than "valid" ("expired", "revoked", or "deactivated").

    pending --------------+
       |                  |
       | All authz        |
       | "valid"          |
       V                  |
     ready ---------------+
       |                  |
       | Receive          |
       | finalize         |
       | request          |
       V                  |
   processing ------------+
       |                  |
       | Certificate      | Error or
       | issued           | Authorization failure
       V                  V
     valid             invalid

                    State Transitions for Order Objects

natiueno · February 7, 2023, 9:22pm

Thank you so much for your clarification.

system · March 9, 2023, 9:22pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.