CSR result never seems to exit 'processing' status in Staging

I've got a client I've developed that works in production. It has worked in staging in the past. It now doesn't work in staging.

The issue is that the response to the CSR doesn't have a "certificate" key. All the other keys that are present in the production response are there.

This appears to be because the status of the CSR response is "processing". However, the status of the challenge (authorization) is valid.

It appears as if the staging server has hung somewhere in its logic.

You probably need to poll the endpoint; the status can take a few seconds to change.

There was a change in the Boulder (production/staging) code a while back that introduced occasional delays in that transition. The original ACME2 deployment never had those delays, so most clients did not poll after finalize as the certificate was always ready. IIRC, the Pebble test server now temporarily hangs by default to ensure clients account for this possibility.

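The polling described in the reply above, as an added example that is not from any poster or from an existing ACME client: after finalize, re-fetch the order while its status is "processing", honouring Retry-After, until it becomes "valid" and carries the "certificate" key. `fetch_order` is a hypothetical callable standing in for the client's authenticated request to the order URL; the timeout and delay defaults are assumptions.

```python
import time

class OrderFailed(Exception):
    """The order ended in a state that will never yield a certificate."""

def parse_retry_after(value, default=3, ceiling=60):
    """Retry-After in delta-seconds form; absent or non-integer -> default."""
    try:
        seconds = int(value)
    except (TypeError, ValueError):
        return default
    return min(max(seconds, 1), ceiling)

def wait_for_certificate_url(fetch_order, timeout=600,
                             sleep=time.sleep, clock=time.monotonic):
    """Poll a finalized order until it is "valid"; return its certificate URL.

    fetch_order() is hypothetical: it must return (order_dict, retry_after),
    i.e. the parsed order object and the raw Retry-After header or None.
    The timeout and delay defaults are assumptions of this example.
    """
    deadline = clock() + timeout
    while True:
        order, retry_after = fetch_order()
        status = order.get("status")
        if status == "valid":
            if "certificate" not in order:
                raise OrderFailed("valid order without a certificate URL")
            return order["certificate"]
        if status == "invalid":
            raise OrderFailed(f"order invalid: {order.get('error')}")
        if status != "processing":
            raise OrderFailed(f"unexpected status after finalize: {status!r}")
        delay = parse_retry_after(retry_after)
        if clock() + delay > deadline:
            raise TimeoutError("order still processing at deadline")
        sleep(delay)

def demo():
    """Run the loop over constructed responses; no network, no real sleeping."""
    scripted = iter([
        ({"status": "processing"}, "2"),
        ({"status": "processing"}, None),
        ({"status": "valid",
          "certificate": "https://ca.example/acme/cert/PLACEHOLDER"}, None),
    ])
    slept = []
    url = wait_for_certificate_url(lambda: next(scripted), sleep=slept.append)
    return url, slept
```
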

It's totally stuck. It's been over an hour and it's still sitting in "processing" state.

This was the relevant API announcement from last year: Enabling Asynchronous Order Finalization

Someone else will have to address that.


I changed my code back when this was announced to do that. This is something different.

Hi @jmccl, and welcome!

I don't see any deviation from normal in our Staging environment's metrics -- we're continuing to successfully finalize many orders. Without any additional info, like your client's User-Agent string, or the URL of the order that is stuck, there's not much we can do to help debug further.


Thanks.

This is the order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/192704294/23598644084

Edit: Let me look at this: I'm getting a different result from my code and the browser. I may be caching something.

@jvanasco : You're right; I was waiting on the order, but not the finalize. Thanks for the help.


These changes get us all!


It's a good idea to test with a few CAs because the differences can be good for flushing out this type of thing. e.g. ZeroSSL can be quite slow at some operations and (last time I checked) didn't cache validations.

I think (I might be remembering the wrong CA) DigiCert's finalize can take up to 10 minutes.
