Finalize stays in 'processing' state in staging environment

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vcsa.dynu.com

I ran this command:

https://acme-staging-v02.api.letsencrypt.org/acme/finalize/49438248/8664274334

It produced this output: The order status is 'ready' and the finalize always returns 'processing'.

BTW, is a CAA record mandatory for the sub-domain? It does have a CAA record but I wanted to know if it is mandatory.

CAA is never mandatory. If no CAA record exists in the DNS hierarchy, all CAs are allowed.

Staging currently has asynchronous order processing enabled. You might need to poll the order a few times until it is ready.

If the order stays in processing for multiple minutes, staging may be experiencing temporary issues.

4 Likes

I have been polling both the order and finalize since yesterday. Do I have to keep having the CSR as part of the finalize every time I poll or is there a way to poll finalize without the CSR?

The certificate is not in processing, it's valid and the certificate has been issued: https://acme-staging-v02.api.letsencrypt.org/get/order/49438248/8664274334.

You call finalize and then poll the order URL.

5 Likes

Thanks! I was able to obtain the certificate. BTW, how did you get the below URL? I don't see it in any of the response payloads nor the directory.

https://acme-staging-v02.api.letsencrypt.org/get/order/49438248/8664274334

3 Likes

https://acme-staging-v02.api.letsencrypt.org/acme/finalize/49438248/8664274334
https://acme-staging-v02.api.letsencrypt.org/get/order/49438248/8664274334

hmm...
Intuition?

3 Likes

Thanks for your feedback! However, I can't quite follow how you were able to deduce that 'acme' should be replaced by 'get' and 'finalize' should be replaced by 'order'.

I am trying to figure out where this is documented or what response it's part of. I am using the documentation below.

The reason I am trying to know this is because there may be other URLs that I am not aware of but may be useful for the implementation.

2 Likes

It's a great question and one whose answer is best left to _az or similar dev.

But, note that this:

https://acme-staging-v02.api.letsencrypt.org/acme/order/49438248/8664274334

returns the same result as

https://acme-staging-v02.api.letsencrypt.org/get/order/49438248/8664274334

3 Likes

Right on! I was able to find the below in the documentation.

https://acme-staging-v02.api.letsencrypt.org/acme/order/49438248/8664274334

2 Likes

Docs are one way to learn. Another is to install Certbot and use it to get a cert. It has a very nice log of all the flows. Of course, that's just the good, normal flows. If you are writing a client you need to handle all the odd stuff too.

3 Likes

Yup, I have been using the source code of a couple of clients to get ahead.

1 Like

To answer my own question, the URL below was in the 'Location' response header field. I will keep a watch out for the value in that field for all future requests.

https://acme-staging-v02.api.letsencrypt.org/acme/order/49438248/8664274334

1 Like

That's, I believe, just an undocumented "feature" to circumvent the "POST-as-GET" requirements for the /acme/ URLs, making debugging a lot easier.

That's just how the ACME protocol works. You trigger the finalization and after that, the finalize URL isn't useful any longer and you should go back to polling the order. Reading this RFC is unfortunately not very easy IMO. Information is spread out across different places. I believe the protocol could be more condensed, more "syntax" and less words.

3 Likes
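
The flow the thread converges on (send the CSR to finalize once, take the order URL from the `Location` header, then poll the order with POST-as-GET until it is `valid`), as an added example that is not from any poster or from an existing client. The `post(url, payload)` transport, the `FakeCA` class and the `ca.example` URLs are constructed assumptions so the sketch runs offline; a real client would sign each request as a JWS.

```python
import time

class OrderFailed(Exception):
    pass

def retry_after(headers, default=3):
    # Retry-After may be absent or an HTTP-date; only delta-seconds is parsed here.
    try:
        return max(0, int(headers.get("Retry-After", default)))
    except ValueError:
        return default

def finalize_and_poll(post, finalize_url, order_url, csr, max_polls=10, sleep=time.sleep):
    # post(url, payload) -> (headers, body) is an assumed signed-JWS transport.
    # order_url is the Location value the client saved when it created the order.
    headers, order = post(finalize_url, {"csr": csr})  # the CSR is sent exactly once
    order_url = headers.get("Location", order_url)
    for _ in range(max_polls):
        status = order["status"]
        if status == "valid":
            return order["certificate"]  # URL to download the certificate from
        if status != "processing":
            raise OrderFailed(f"order is {status!r}: {order.get('error')}")
        sleep(retry_after(headers))
        # Poll the order URL, not finalize: POST-as-GET uses an empty payload.
        headers, order = post(order_url, "")
    raise TimeoutError("order still processing after max_polls")

class FakeCA:
    # Constructed stand-in for a CA that finalizes orders asynchronously.
    ORDER = "https://ca.example/acme/order/1/2"
    FINALIZE = "https://ca.example/acme/finalize/1/2"
    def __init__(self, polls_until_valid=2):
        self.calls, self.left = [], polls_until_valid
    def post(self, url, payload):
        self.calls.append((url, payload))
        if url == self.ORDER:
            self.left -= 1
            if self.left <= 0:
                return {}, {"status": "valid", "certificate": "https://ca.example/acme/cert/abc"}
        return {"Location": self.ORDER, "Retry-After": "1"}, {"status": "processing"}

def demo():
    ca = FakeCA()
    cert = finalize_and_poll(ca.post, ca.FINALIZE, ca.ORDER, "constructed-csr", sleep=lambda s: None)
    return cert, ca.calls

if __name__ == "__main__":
    print(demo())
```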
