Flow clarification for API v2.0

Having just started looking into an ACME draft (0.9), I found that it is a bit vague in terms of a flow when it comes to errors (unless I’m missing something). So, if we take an example of an attempt to issue a certificate for a single domain against API v2, the flow seems to be as follows (simplified):

  • Issue new-acct (let’s imagine this bit always works fine).
  • Issue new-order (at this point you will get an authorizations block in the response).
  • Pull the authorization URL and pick a challenge.
  • Respond to a challenge (Do whatever challenge requires and POST to a challenge URL).
  • Finalize order.

Now imagine that you can only use the HTTP challenge and you fail it. On an attempt to retry you will find that new-order points to exactly the same document, which is now in “processing” state, and the authorization URL shows that the HTTP challenge is invalid, while the DNS one is pending. Keep in mind that the directory does not list new-authz. Additionally, you cannot finalize a non-pending order and you cannot deactivate invalid authorizations (only valid and pending ones). So, what is the expected workflow in this case?
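To make the states described in the post concrete, the following is an added Python model of the order, authorization and challenge transitions as the thread reports them for a draft-09 server; it is not Boulder's code and not part of the original post. The server rules it encodes are the three the post runs into (finalize is refused for a non-pending order, deactivation is refused for an invalid authorization, and a challenge response is refused once its authorization is no longer pending), and the order ending up in "processing" after a failed http-01 mirrors the thread's observation rather than the finalized RFC 8555 state machine. All URLs, identifiers and error strings are constructed for the example.

```python
"""Toy model of the ACME v2 (draft-09) order/authorization/challenge states
discussed in the thread. Added example, not Boulder's code; URLs, names and
error strings are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PENDING, VALID, INVALID, PROCESSING, DEACTIVATED = (
    "pending", "valid", "invalid", "processing", "deactivated")


class AcmeError(Exception):
    """Stands in for an ACME problem document returned to the client."""


@dataclass
class Challenge:
    type: str          # "http-01" or "dns-01"
    url: str
    status: str = PENDING


@dataclass
class Authorization:
    url: str
    identifier: str
    challenges: List[Challenge]   # index 0 is http-01, index 1 is dns-01
    status: str = PENDING


@dataclass
class Order:
    url: str
    identifiers: Tuple[str, ...]
    authorizations: List[Authorization]
    status: str = PENDING


class ToyAcmeServer:
    """Applies the server-side rules from the thread. There is no new-authz
    endpoint, so authorizations only come into existence via new-order."""

    def __init__(self) -> None:
        self.orders: Dict[Tuple[str, ...], Order] = {}
        self._counter = 0

    def _url(self, kind: str) -> str:
        self._counter += 1
        return f"https://acme.example.test/{kind}/{self._counter}"  # constructed

    def new_order(self, identifiers: List[str]) -> Order:
        key = tuple(sorted(identifiers))
        if key in self.orders:            # retry: the same order document comes back
            return self.orders[key]
        authzs = [Authorization(self._url("authz"), name,
                                [Challenge("http-01", self._url("chall")),
                                 Challenge("dns-01", self._url("chall"))])
                  for name in key]
        order = Order(self._url("order"), key, authzs)
        self.orders[key] = order
        return order

    def respond_to_challenge(self, order: Order, authz: Authorization,
                             chall_type: str, validation_ok: bool) -> Challenge:
        if authz.status != PENDING:
            raise AcmeError("Unable to update challenge :: authorization is not pending")
        chall = next(c for c in authz.challenges if c.type == chall_type)
        chall.status = VALID if validation_ok else INVALID
        authz.status = VALID if validation_ok else INVALID
        if not validation_ok:
            order.status = PROCESSING   # as observed in the thread after a failed http-01
        return chall

    def finalize(self, order: Order) -> None:
        if order.status != PENDING:
            raise AcmeError(f'Order status "{order.status}" is not acceptable for finalization')
        if any(a.status != VALID for a in order.authorizations):
            raise AcmeError("Order has authorizations that are not yet valid")
        order.status = VALID

    def deactivate_authorization(self, authz: Authorization) -> None:
        if authz.status not in (PENDING, VALID):
            raise AcmeError("Only valid and pending authorizations can be deactivated")
        authz.status = DEACTIVATED


def walk_failed_http01(server: ToyAcmeServer, name: str = "www.example.test") -> dict:
    """Reproduce the post's scenario: http-01 fails, then each retry path is tried."""
    order = server.new_order([name])
    authz = order.authorizations[0]
    server.respond_to_challenge(order, authz, "http-01", validation_ok=False)
    result = {"order_status": order.status,
              "http01": authz.challenges[0].status,
              "dns01": authz.challenges[1].status,
              "retry_same_order": server.new_order([name]).url == order.url}
    for label, action in (
            ("finalize", lambda: server.finalize(order)),
            ("deactivate", lambda: server.deactivate_authorization(authz)),
            ("dns01_response", lambda: server.respond_to_challenge(order, authz, "dns-01", True))):
        try:
            action()
            result[label] = "ok"
        except AcmeError as err:
            result[label] = str(err)
    return result


def walk_successful_http01(server: ToyAcmeServer, name: str = "ok.example.test") -> str:
    """The happy path for comparison: pass http-01, then finalize."""
    order = server.new_order([name])
    server.respond_to_challenge(order, order.authorizations[0], "http-01", validation_ok=True)
    server.finalize(order)
    return order.status
```

Running `walk_failed_http01(ToyAcmeServer())` shows every recovery path the post tried being refused by one of the three rules, while the retried new-order hands back the same order URL; the only state the model offers a way out of is the happy path.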

Maybe you hit this bug here? https://github.com/letsencrypt/boulder/issues/3333

I also experienced this problem; I simply changed the domains I’m trying to get a test cert for to continue testing.

Does not quite look like that bug. It is also interesting that an attempt to invalidate the pending challenge (dns) while the ‘http’ one is already in invalid state seems to return “Unable to update challenge :: authorization is not pending”. I understand that changing the set of names would result in a new order and everything, but it would be nice to get a better picture of what the workflow is supposed to be in terms of error processing and perhaps the ways of cancelling/invalidating orders which will or may not be completed (for whatever reason).

I’m seeing the same problem, in that if my http-01 challenge fails (I didn’t serve it properly), I can’t see how to begin a new http-01 authorization. Attempting to start again gives me the existing order with the ‘invalid’ http-01 challenge.

Perhaps @cpu, @jsha or @schoen could provide some insight?

It does sound like you’ve hit https://github.com/letsencrypt/boulder/issues/3333, combined with another issue (can’t find it at the moment) that we still display the non-chosen challenges even after one has been chosen.

OK, good to know, thanks :slight_smile: So presumably, once fixed, failing the chosen authz would result in getting an actually new order on new-order retry. Does that sound right?

Yep, that’s correct!
