Failed to get certificate when one of the domains fails to verify challenge


#1

I use the acme4j implementation for getting the certificate. However, the acme4j implementation works in a way that if one of the domains fails to verify the challenge, the whole process stops. I made some changes and tried bypassing even if one of the domains fails to verify the challenge. However, I get the error stating "Order's status ("invalid") is not acceptable for finalization" while sending a CSR. Is it possible to get a certificate even if one of the domains fails to verify the challenge? Help is appreciated!


#2

There's no built-in way in the current ACMEv2 implementation to ignore failed challenges. It was technically possible in ACMEv1 because authorizations were separate from orders, but currently Let's Encrypt doesn't allow pre-authorizations in its ACME v2 service.

That said, Certbot supports this behavior with --allow-subset-of-names.

From your post, I’m not sure whether you’re using acme4j as a library or client. But if you’re using it as a library, you can mimic the behavior.

My understanding of what Certbot does when that flag is passed is:

  • Create an order
  • Attempt all of the challenges (even if some fail)
  • Create a list of all of the challenges that were successful, and ignore the failed ones
  • Create a new order with the successful domains, and obtain the certificate
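The two-pass flow listed above, written out against acme4j as an added example (this is not code from the original posts, from Certbot, or from the acme4j project; it assumes the acme4j 2.x API: Session, AccountBuilder, Order, Authorization, findChallenge(Http01Challenge.TYPE), update(); the staging directory URL, the domain names and the webroot path are placeholders). The point it makes concrete is the error from the question: the first order becomes "invalid" the moment one authorization fails, so it is never finalized. The CSR, listing only the names that passed, is sent for a second, fresh order.

```java
import java.io.FileWriter;
import java.io.Writer;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.List;

import org.shredzone.acme4j.Account;
import org.shredzone.acme4j.AccountBuilder;
import org.shredzone.acme4j.Authorization;
import org.shredzone.acme4j.Certificate;
import org.shredzone.acme4j.Order;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.util.CSRBuilder;
import org.shredzone.acme4j.util.KeyPairUtils;

public class SubsetOfNames {

    // Assumed placeholders: the names wanted on the certificate and the directory
    // the web server serves /.well-known/acme-challenge/ from.
    private static final List<String> REQUESTED =
            List.of("a.example.com", "b.example.com", "c.example.com");
    private static final Path WEBROOT = Path.of("/var/www/acme");

    public static void main(String[] args) throws Exception {
        Session session = new Session("acme://letsencrypt.org/staging");
        KeyPair accountKey = KeyPairUtils.createKeyPair(2048);
        KeyPair domainKey = KeyPairUtils.createKeyPair(2048);
        Account account = new AccountBuilder()
                .agreeToTermsOfService()
                .useKeyPair(accountKey)
                .create(session);

        // Pass 1: one order for every name. A single failed authorization turns this
        // order "invalid", so it is never finalized; it only tells us which names work.
        Order probe = account.newOrder().domains(REQUESTED).create();
        List<String> usable = new ArrayList<>();
        for (Authorization auth : probe.getAuthorizations()) {
            String domain = auth.getIdentifier().getDomain();
            if (runHttp01(auth) == Status.VALID) {
                usable.add(domain);
            } else {
                System.err.println("dropping " + domain + ": status " + auth.getStatus());
            }
        }
        if (usable.isEmpty()) {
            throw new IllegalStateException("no requested name passed its challenge");
        }

        // Pass 2: a fresh order containing only the names that validated. Authorizations
        // the CA already reports as valid are skipped; pending ones are run again.
        Order order = account.newOrder().domains(usable).create();
        for (Authorization auth : order.getAuthorizations()) {
            if (auth.getStatus() != Status.VALID && runHttp01(auth) != Status.VALID) {
                throw new IllegalStateException(auth.getIdentifier().getDomain() + " failed on retry");
            }
        }

        CSRBuilder csrb = new CSRBuilder();
        csrb.addDomains(usable);          // the CSR lists only the names this order covers
        csrb.sign(domainKey);
        order.execute(csrb.getEncoded());
        for (int i = 0; i < 10 && order.getStatus() != Status.VALID; i++) {
            Thread.sleep(3000L);
            order.update();
        }
        Certificate cert = order.getCertificate();
        try (Writer w = new FileWriter("fullchain.pem")) {
            cert.writeCertificate(w);
        }
    }

    // Publishes the HTTP-01 key authorization under WEBROOT, triggers the challenge and
    // polls until the CA reports a final status, which is returned to the caller.
    private static Status runHttp01(Authorization auth) throws Exception {
        Http01Challenge ch = auth.findChallenge(Http01Challenge.TYPE);
        if (ch == null) {
            return Status.INVALID; // CA offered no HTTP-01 challenge for this identifier
        }
        Path file = WEBROOT.resolve(".well-known/acme-challenge").resolve(ch.getToken());
        Files.createDirectories(file.getParent());
        Files.writeString(file, ch.getAuthorization());
        try {
            ch.trigger();
            for (int i = 0; i < 10; i++) {
                if (ch.getStatus() == Status.VALID || ch.getStatus() == Status.INVALID) {
                    break;
                }
                Thread.sleep(3000L);
                ch.update();
            }
            if (ch.getStatus() == Status.INVALID && ch.getError() != null) {
                System.err.println(ch.getError().getDetail());
            }
            return ch.getStatus();
        } finally {
            Files.deleteIfExists(file); // do not leave stale tokens on the web server
        }
    }
}
```

Authorizations are independent resources, so challenges on the remaining names can still be attempted in the first pass after an earlier name has failed; only the order that grouped them is dead. The second order is what gets finalized, and since its CSR names exactly the usable set, the "not acceptable for finalization" error does not recur. If every name fails, the code stops rather than requesting an empty certificate.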