DNS Challenge is "pending" 2 days

Hello.

I use https://github.com/acmephp/core and i get more 50 certificates for one domain, www, subdomains… and all success.

Now i try get certificate to “srv162011.hoster-test.ru” with DNS challenge.

When i do “challengeAuthorization()” to “www.srv162011.hoster-test.ru” i get status valid. It’s ok.

Like this:
‌array (
‘type’ => ‘dns-01’,
‘status’ => ‘valid’,
‘url’ => ‘https://acme-v02.api.letsencrypt.org/acme/chall-v3/1232411207/CHSlRw’,
‘token’ => ‘C61L3Knx5hO64HeFMPRkDP82AiUTmcO9PlRjWhoJOZA’,
‘validationRecord’ =>
array (
0 =>
array (
‘hostname’ => ‘www.srv162011.hoster-test.ru’,
),
),
)

But when i try it to “srv162011.hoster-test.ru” i get status “pending” every time.

Like this:
‌array (
‘type’ => ‘dns-01’,
‘status’ => ‘pending’,
‘url’ => ‘https://acme-v02.api.letsencrypt.org/acme/chall-v3/1221077576/ICKcCg’,
‘token’ => ‘QVszR-NSnQhTHTTDc9dEP23w50kXDTOMR5wollzmukE’,
)

2 or 3 days…

What can i do?

1 Like

Hi @byte

you have to inform Letsencrypt that Letsencrypt should validate the challenge.

Read

https://tools.ietf.org/html/rfc8555

that’s your main source if you use such raw commands.

1 Like

To validate a DNS challenge, the server performs the following steps: 1. Compute the SHA-256 digest [FIPS180-4] of the stored key authorization 2. Query for TXT records for the validation domain name 3. Verify that the contents of one of the TXT records match the digest value If all of the above verifications succeed, then the validation is successful. If no DNS record is found, or DNS record and response payload do not pass these checks, then the validation fails. The client SHOULD de-provision the resource record(s) provisioned for this challenge once the challenge is complete, i.e., once the “status” field of the challenge has the value “valid” or “invalid”.

But status not stay to “invalid” it is just “pending” again and again.

No error or somthing else.

What i do wrong?

I 100% know: i set valid DNS to domain. I do it to another 90+ domains in automatic mode.

And i valid “www.domain”, but can’t valid domain without “www”.

Read manual it is not answer. In manual i read - server return valid or invalid result.

I can’t get valid or invalid, i get just “pending”.

1 Like

That’s not enough. You have to send a command to the challenge url,

https://acme-v02.api.letsencrypt.org/acme/chall-v3/1221077576/ICKcCg

then Letsencrypt starts the validation.

So Letsencrypt waits that you send that command -> pending, pending, oh, again pending.

1 Like

em. sorry) we don’t understand together =)

i send this command for 2 links. one for “domain”, and one for “www.domain”

in first step i get respons where status is pending
and in second step i get response where status is valid

1 Like

I do the same for other domains and it is work, but not there…

1 Like

I do request for “domain” like this:

1

1 Like

And get answer from the letsencrypt server like this:

2

1 Like

When i do the same request for “www.domain” i get good answer:

3

1 Like

Why i can’t get “valid” or “invalid” status for “domain”? But can get it for “www.domain”.

It is strange…

1 Like

Hi @byte, I’m looking into this with our logs now and will post an update in the next little bit.

1 Like

Hi again @byte,

I went through the request logs from your client during the period of 13/11/19 14:38 UTC to ~14:45 UTC and I believe you have a bug in your ACME client code that is causing it to act out of protocol.

Here’s an annotated breakdown of the requests I saw and the relevant resource URLs. Since POST-as-GET is not yet mandatory we can all access them in our browsers to see first-hand what the final result of each resource is.

13/11/19 14:38:14 - client POSTs new-order, w/ 2 idents (srv162011.hoster-test.ru and www.srv162011.hoster-test.ru). This created the order: https://acme-v02.api.letsencrypt.org/acme/order/71547863/1503782190 We’ll call the authz for srv162011.hoster-test.ru “authzA” and the authz for www.srv162011.hoster-test.ru “authzB”.
13/11/19 14:38:14 - client GETs authzA (https://acme-v02.api.letsencrypt.org/acme/authz-v3/1221077576), it’s pending as expected since no challenge has been fulfilled.
13/11/19 14:38:14 - client GETs authzB (https://acme-v02.api.letsencrypt.org/acme/authz-v3/1221077577), ditto here RE: pending status.
13/11/19 14:40:08 - client GETs authzA’s HTTP-01 challenge
13/11/19 14:40:09 - client POSTs authzA’s HTTP-01 challenge, initiating the challenge.
client GET polls the challenge for a bit while it still reports status pending
13/11/19 14:40:13 - client GETs authzA’s HTTP-01 challenge, status is now valid, the HTTP-01 auth of srv162011.hoster-test.ru suceeded.
13/11/19 14:40:13 - client GETs authzB’s HTTP-01 challenge, it is pending because the challenge hasn’t been initiated.
13/11/19 14:40:14 - client POSTs authzB’s, HTTP-01 challenge, initiating the challenge.
client GET polls the challenge until 14:40:20 while it still reports status pending, but then seems to give up
13/11/19 14:40:47 - challenge is marked invalid server-side because www.srv162011.hoster-test.ru failed the HTTP-01 challenge.
13/11/19 14:45:24 - client now GET’s authzA’s DNS-01 challenge. It’s reported pending but the overall authz is already valid because of the HTTP-01 challenge.
13/11/19 14:45:25 - client POST’s authzA’s DNS-01 challenge. This is a no-op because the associated authorization is already valid.
client GET polls the challenge for a bit, it never changes from pending for the reasons listed above
13/11/19 14:45:30 - client GET’s authzB’s, DNS-01 challenge. Its returned with invalid status because the associated authz is invalid because of the failed HTTP-01 challenge attempt.

The main take away’s from the above is that your client first tried HTTP-01 first, passed one and failed the other. At this point you need to create a new order if you want to change to using DNS-01 authentication. Overall it looks like the client code is polling at the most fine-grained resource (challenges) instead of a higher level (order, or authorization) and I suspect changing the code to operate that way will work better.

One aspect of note to me is that the DNS-01 and TLS-ALPN-01 challenges in the authorization that was made valid by the HTTP-01 challenge are being reported “pending”. I think that might be a regression on our side. I would have expected these two unused challenges to be returned with status invalid. I’ll look into this more and bring it up with my colleagues. Edit: see follow-up comment, we’ll soon not be returning the other challenges in a valid/invalid authz

Hope this helps explain the situation. Good luck!

2 Likes

Update here: I found we do have code in place to be removing the unused challenges in a valid/invalid authorization (e.g. rather than reporting them pending forever). I thought we had deployed this code but it looks like we delayed the roll-out at the time it was implemented and it wasn’t picked up again. We’ll get this fixed shortly and that should help avoid the potential for this confusion to occur.

@byte Thanks for posting about this in the forum :slight_smile: We might not have noticed this missed roll-out as quickly otherwise.

3 Likes

Thank you, you best…)

3 Likes

This change was deployed to our staging environment yesterday. I’ve verified today that when I fail an authorization only the challenge with the invalid status/error is returned. The same should occur with one valid challenge in an authorization. We’ll likely promote this behaviour to production next week.

Thanks!

5 posts were split to a new topic: Help with polling challenges/authorizations