I use the acme4j implementation for getting the certificate. However, the acme4j implementation works in a way that if one of the domains fails to verify the challenge, the whole process stops. I made some changes and tried bypassing even if one of the domains fails to verify the challenge. However, I get the error stating “Order’s status (“invalid”) is not acceptable for finalization” while sending a CSR. Is it possible to get a certificate even if one of the domains fails to verify the challenge? Help is appreciated!!
There’s no built-in way in the current ACMEv2 implementation to ignore failed challenges. It was technically possible in ACMEv1 because authorizations were separate to orders, but currently Let’s Encrypt doesn’t allow pre-authorizations in its ACME v2 service.
That said, Certbot supports this behavior with
From your post, I’m not sure whether you’re using acme4j as a library or client. But if you’re using it as a library, you can mimic the behavior.
My understanding of what Certbot does when that flag is passed is:
- Create an order
- Attempt all of the challenges (even if some fail)
- Create a list of all of the challenges that were successful, and ignore the failed ones
- Create a new order with the successful domains, and obtain the certificate
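
The four steps listed above, written against acme4j used as a library. This is an added example, not code from this thread, from acme4j, or from Certbot. It assumes the acme4j 2.x API, HTTP-01 validation with no wildcard names, and a hypothetical `publish` hook that makes each challenge response reachable on the web server.

```java
import java.security.KeyPair;
import java.util.*;
import java.util.function.Consumer;
import org.shredzone.acme4j.*;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.util.CSRBuilder;

public class SubsetIssuer {
    // Assumptions: acme4j 2.x; "publish" is a hypothetical hook that serves the HTTP-01 response.
    public static Certificate issue(Account account, KeyPair domainKey, List<String> domains,
                                    Consumer<Http01Challenge> publish) throws Exception {
        // Pass 1: order every name, attempt every challenge, remember which names validated.
        List<String> valid = new ArrayList<>();
        Order first = account.newOrder().domains(domains).create();
        for (Authorization auth : first.getAuthorizations()) {
            if (authorize(auth, publish)) valid.add(auth.getIdentifier().getDomain());
        }
        if (valid.isEmpty()) throw new AcmeException("no domain passed validation");
        // Pass 2: a failed name leaves the first order "invalid", so finalize a fresh order instead.
        Order second = account.newOrder().domains(valid).create();
        for (Authorization auth : second.getAuthorizations()) {
            // Usually already VALID (the CA may reuse authorizations); otherwise validate again.
            if (!authorize(auth, publish)) throw new AcmeException("re-validation failed");
        }
        CSRBuilder csr = new CSRBuilder();
        csr.addDomains(valid);               // the CSR must name exactly the ordered domains
        csr.sign(domainKey);
        second.execute(csr.getEncoded());
        for (int i = 0; i < 20 && second.getStatus() != Status.VALID; i++) {
            Thread.sleep(3000L);
            second.update();
        }
        if (second.getStatus() != Status.VALID) throw new AcmeException("order not issued");
        return second.getCertificate();
    }

    // Returns true if the authorization is (or becomes) valid; false on failure, never throws for it.
    static boolean authorize(Authorization auth, Consumer<Http01Challenge> publish) throws Exception {
        if (auth.getStatus() == Status.VALID) return true;
        Http01Challenge ch = auth.findChallenge(Http01Challenge.TYPE);
        if (ch == null || auth.getStatus() != Status.PENDING) return false;
        publish.accept(ch);
        ch.trigger();
        for (int i = 0; i < 20 && auth.getStatus() == Status.PENDING; i++) {
            Thread.sleep(3000L);
            auth.update();
        }
        return auth.getStatus() == Status.VALID;
    }
}
```

Compare the SANs on the returned certificate against the list you requested, so a name that silently dropped out is noticed rather than left without a valid certificate.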