Failed to get certificate when one of the domains fails to verify challenge


#1

I use the acme4j implementation for getting the certificate. However, the acme4j implementation works in a way that if one of the domains fails to verify the challenge, the whole process stops. I made some changes and tried bypassing even if one of the domains fails to verify the challenge. However, I get the error stating “Order’s status (“invalid”) is not acceptable for finalization” while sending a CSR. Is it possible to get a certificate even if one of the domains fails to verify the challenge? Help is appreciated!!


#2

There’s no built-in way in the current ACMEv2 implementation to ignore failed challenges. It was technically possible in ACMEv1 because authorizations were separate to orders, but currently Let’s Encrypt doesn’t allow pre-authorizations in its ACME v2 service.

That said, Certbot supports this behavior with --allow-subset-of-names.

From your post, I’m not sure whether you’re using acme4j as a library or client. But if you’re using it as a library, you can mimic the behavior.

My understanding of what Certbot does when that flag is passed is:

  • Create an order
  • Attempt all of the challenges (even if some fail)
  • Create a list of all of the challenges that were successful, and ignore the failed ones
  • Create a new order with the successful domains, and obtain the certificate

#3

Sorry to reopen this again. At the time you posted this solution, when creating a new order with the list of successful domains, I wasn’t prompted to verify the challenge again. Previously I checked for either authorization status or challenge status to be valid or not and skipped the verification part. At that time I saw that the previously verified domains had status valid. Now it is showing pending. Could you please help me with this?


#4

Let’s Encrypt authorizations only last 30 days (and this is subject to change, so you should not rely on it). Continued re-authorization of domains is required under the ACME protocol (and for all public certificate authorities in general).


#5

Let me give you an example.
Let the domains be aaa.com, bbb.com, ccc.com. In this, bbb.com isn’t valid.
So now I create an order with aaa.com and ccc.com. Previously I didn’t verify the challenge again while I created the order. By checking the status alone I skipped the verification part. But now I am seeing that I need to verify the challenges for valid domains. I hope this is clear.


#6

If you’re testing against the staging environment, it currently has authorization reuse completely disabled to make testing easier for users transitioning from TLS-SNI-01 to other challenge types. (While temporarily making life harder for ACME client developers trying to test authorization reuse!)

As an ACME client, you have to be prepared to receive pending or valid authorizations.
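
The flow listed in post #2, combined with the point above that a new order can come back with pending or valid authorizations, as an added example that is not part of the thread and is not acme4j or Certbot code. `FakeCA` is a constructed in-memory stand-in for an ACME server with hypothetical method names; the domains are the ones used in post #5.

```python
from dataclasses import dataclass

@dataclass
class Authz:
    domain: str
    status: str  # "pending", "valid" or "invalid"

class FakeCA:
    """Constructed in-memory stand-in for an ACME server (hypothetical, not a real API)."""
    def __init__(self, failing, reuse_authz):
        self.failing = set(failing)      # domains whose challenge will fail
        self.reuse_authz = reuse_authz   # False models a server with authorization reuse off
        self.validated = set()
        self.challenges_run = []         # record of every challenge attempted

    def new_order(self, domains):
        return [Authz(d, "valid" if self.reuse_authz and d in self.validated else "pending")
                for d in domains]

    def respond(self, authz):
        self.challenges_run.append(authz.domain)
        authz.status = "invalid" if authz.domain in self.failing else "valid"
        if authz.status == "valid":
            self.validated.add(authz.domain)

    def finalize(self, order):
        # One failed authorization makes the whole order unusable for finalization.
        if any(a.status != "valid" for a in order):
            raise RuntimeError("order is not acceptable for finalization")
        return sorted(a.domain for a in order)  # names on the issued certificate

def complete_authorizations(ca, order):
    """Answer every pending authorization; read status from this order, not an earlier one."""
    for authz in order:
        if authz.status == "pending":
            ca.respond(authz)
    return [a.domain for a in order if a.status == "valid"]

def issue_subset(ca, domains):
    first = ca.new_order(domains)
    ok = complete_authorizations(ca, first)
    if not ok:
        raise RuntimeError("no domain passed validation")
    if len(ok) == len(domains):
        return ca.finalize(first)
    second = ca.new_order(ok)            # the first order is invalid; start a fresh one
    complete_authorizations(ca, second)  # authorizations may come back valid or pending
    return ca.finalize(second)
```

With `reuse_authz=False` the second order repeats the challenges for aaa.com and ccc.com; with `reuse_authz=True` it finalizes without any new challenge.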


#7

Sounds like we need a third system for the --dry-runners…


#8

Agreed! I have quietly complained to myself that we actually need dev+nonprod+prod, rather than staging+prod … to reflect how these services actually get used.

Ironic that I suggested this change and then promptly forgot that it happened :cry:


#9

:joy::joy: but I don’t get that that

part :stuck_out_tongue:

