Error when finalizing order

Hi, lately I’m randomly getting an errors when calling the finalize order API:

{“type”:“urn:ietf:params:acme:error:orderNotReady”,“detail”:“Order’s status (“processing”) is not acceptable for finalization”,“status”:403}
OR
{“type”:“urn:ietf:params:acme:error:serverInternal”,“detail”:“Error finalizing order”,“status”:500}
OR
{“type”:“urn:ietf:params:acme:error:orderNotReady”,“detail”:“Order’s status (“valid”) is not acceptable for finalization”,“status”:403}

What should be done before calling the finalize API to avoid those errors?

Thanks

It sounds like your ACME client is assuming that finalization is going to succeed on the first request. But that's not always the case. You need to have a finalization loop.

From RFC 8555 - Automatic Certificate Management Environment (ACME) ,

If a request to finalize an order is successful, the server will
return a 200 (OK) with an updated order object. The status of the
order will indicate what action the client should take:

o "invalid": The certificate will not be issued. Consider this
order process abandoned.

o "pending": The server does not believe that the client has
fulfilled the requirements. Check the "authorizations" array for
entries that are still pending.

o "ready": The server agrees that the requirements have been
fulfilled, and is awaiting finalization. Submit a finalization
request.

o "processing": The certificate is being issued. Send a POST-as-GET
request after the time given in the Retry-After header field of
the response, if any.

o "valid": The server has issued the certificate and provisioned its
URL to the "certificate" field of the order. Download the
certificate.

So the client needs to behave like this:

  1. Confirm that the order status is ready
  2. Submit the CSR in the finalize call
  3. Check the status:
    a. If it is processing, wait some time, and check the status again with a POST-as-GET request.
    b. if it is valid, you can download the certificate
    c. Any other status is an error and you need to abort
1 Like

Thanks for the quick answer.
The client post the finalize request only after all the authorizations of the order are moved to a valid state.
So after this validation, I should wait again? which status the order should be before posting the finalize request?

The order of the status will be ready, which reflects that all of the authorizations have been completed.

Your problem is caused by what you do after the finalization call.

This would happen if you finalized an order more than once.

Again, this would only happen if you tried to finalize an order more than once.

I suspect that your client is not properly checking the status of the order after the first finalization call, and is trying to finalize it multiple times.

2 Likes

Thanks

I find the problem.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.