How can I clear pending authorization?


#1

Clearing Pending Authorizations
If you have a large number of pending authorization objects and are getting a rate limiting error, you can trigger a validation attempt for those authorization objects by submitting a JWS-signed POST to one of its challenges, as described in the ACME spec. The pending authorization objects are represented by URLs of the form https://acme-v01.api.letsencrypt.org/acme/authz/XYZ, and should show up in your client logs. Note that it doesn’t matter whether validation succeeds or fails. Either will take the authorization

This is from https://letsencrypt.org/docs/rate-limits/
but I can’t understand this.
If I have 300 tokens for authorization, how can I clear the pending authorizations?
Just delete the 300 tokens?


#2

You shouldn’t be hitting this limit. Can I ask what you are doing to reach the limit?

Essentially you should complete the process for those 300 pending authorizations.

If you are testing / developing code, you should be using the test server, not the live server, which doesn’t have the same limits.

Clearing Pending Authorizations

If you have a large number of pending authorization objects and are getting a rate limiting error, you can trigger a validation attempt for those authorization objects by submitting a JWS-signed POST to one of its challenges, as described in the ACME spec. The pending authorization objects are represented by URLs of the form https://acme-v01.api.letsencrypt.org/acme/authz/XYZ, and should show up in your client logs. Note that it doesn’t matter whether validation succeeds or fails. Either will take the authorization out of ‘pending’ state. If you do not have logs containing the relevant authorization URLs, you need to wait for the rate limit to expire. As described above, there is a sliding window, so this may take less than a week depending on your pattern of issuance.

Note that having a large number of pending authorizations is generally the result of a buggy client. If you’re hitting this rate limit frequently you should double-check your client code.
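An added example (not code from this thread, from Let’s Encrypt or from getssl) of the procedure this reply describes: pull the authorization URLs out of the client logs and, for each one that is still pending, submit the JWS-signed POST to one of its challenges. Everything beyond what the reply states is an assumption: the ACME v1 flattened JWS layout (a `header` with alg and jwk, a `protected` copy that also carries the replay nonce, signature over `protected.payload`), RS256 with the account key held as an RSA JWK dict, a caller-supplied `sign` callback, and injected `fetch_json` / `post_json` / `get_nonce` functions so the whole flow can be run offline against fakes. The log lines, the JWK and the authz ids are constructed placeholders.

```python
"""Trigger validation of pending ACME v1 authorizations found in client logs.

Added example, not code from the thread or from Let's Encrypt. Assumed (not on the
page): the account key is an RSA JWK dict, signing is a caller-supplied callback
(wrapping openssl or a crypto library), and network I/O is injected, so only the
standard library is needed and the procedure can be exercised offline with fakes.
"""
import base64
import hashlib
import json
import re

# Authorization URLs as they appear in client logs for the v01 endpoint.
AUTHZ_RE = re.compile(r"https://acme-v01\.api\.letsencrypt\.org/acme/authz/[A-Za-z0-9_-]+")

# Constructed sample log lines; the authz ids are placeholders, not real ones.
SAMPLE_LOG = """\
2017-03-01T10:00:01 INFO new authz https://acme-v01.api.letsencrypt.org/acme/authz/aaa111
2017-03-01T10:00:02 INFO new authz https://acme-v01.api.letsencrypt.org/acme/authz/bbb222
2017-03-01T10:00:03 WARN retry     https://acme-v01.api.letsencrypt.org/acme/authz/aaa111
2017-03-01T10:00:04 ERROR urn:acme:error:rateLimited: too many currently pending authorizations
"""

# Constructed placeholder JWK: the modulus is NOT a real key, it only feeds the thumbprint.
FAKE_JWK = {"kty": "RSA", "n": "placeholder-modulus-not-a-real-key", "e": "AQAB"}

def fake_sign(data: bytes) -> bytes:
    """Stand-in for RS256 signing with the account key (deterministic, NOT a real signature)."""
    return hashlib.sha256(b"fake-account-key|" + data).digest()

def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def decode_jws_part(part: str) -> dict:
    """Inverse of b64url for a JSON JWS segment (restores the stripped padding)."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def extract_authz_urls(log_text: str) -> list:
    """Distinct authz URLs in first-seen order (a retried authz appears only once)."""
    return list(dict.fromkeys(AUTHZ_RE.findall(log_text)))

_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def public_members(jwk: dict) -> dict:
    """Only the required public members; private parts and alg/kid never go on the wire."""
    return {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members, sorted keys, no whitespace."""
    canonical = json.dumps(public_members(jwk), sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint, the value the CA compares against the DNS/HTTP proof."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def pick_challenge(authz: dict, prefer: str = "dns-01") -> dict:
    """Any pending challenge will do; failing it still moves the authz out of 'pending'."""
    pending = [c for c in authz.get("challenges", []) if c.get("status") == "pending"]
    if not pending:
        raise ValueError("no pending challenge on this authorization")
    return next((c for c in pending if c.get("type") == prefer), pending[0])

def build_challenge_jws(challenge: dict, jwk: dict, nonce: str, sign, alg: str = "RS256") -> dict:
    """Flattened JWS for POSTing to challenge['uri'] in the v1 layout: 'header' holds
    alg+jwk, 'protected' repeats them plus the replay nonce, and the signature covers
    protected64 '.' payload64."""
    payload = {"resource": "challenge",
               "keyAuthorization": key_authorization(challenge["token"], jwk)}
    header = {"alg": alg, "jwk": public_members(jwk)}
    protected64 = b64url(json.dumps(dict(header, nonce=nonce), sort_keys=True).encode())
    payload64 = b64url(json.dumps(payload, sort_keys=True).encode())
    signature = sign(f"{protected64}.{payload64}".encode("ascii"))
    return {"header": header, "protected": protected64,
            "payload": payload64, "signature": b64url(signature)}

def clear_pending(log_text, fetch_json, post_json, get_nonce, jwk, sign) -> list:
    """For each logged authz that is still pending, POST one challenge. Returns
    (authz_url, challenge_type) for every validation actually triggered."""
    triggered = []
    for url in extract_authz_urls(log_text):
        authz = fetch_json(url)          # GET on the authz URL returns its JSON object
        if authz.get("status") != "pending":
            continue                     # valid/invalid/expired no longer count against the limit
        challenge = pick_challenge(authz)
        post_json(challenge["uri"], build_challenge_jws(challenge, jwk, get_nonce(), sign))
        triggered.append((url, challenge["type"]))
    return triggered

def demo() -> list:
    """Offline run with fakes: aaa111 is still pending, bbb222 was already validated."""
    def fetch_json(url):
        status = "pending" if url.endswith("aaa111") else "valid"
        return {"status": status, "challenges": [
            {"type": "dns-01", "status": status, "token": "tok-" + url[-6:],
             "uri": url.replace("/authz/", "/challenge/") + "/1"}]}
    posted = []
    result = clear_pending(SAMPLE_LOG, fetch_json, lambda uri, body: posted.append(uri),
                           lambda: "nonce-placeholder", FAKE_JWK, fake_sign)
    assert posted == ["https://acme-v01.api.letsencrypt.org/acme/challenge/aaa111/1"]
    return result

if __name__ == "__main__":
    print(demo())
```

Two points the reply makes are visible in the flow: an authorization whose status is no longer `pending` is skipped, because it no longer counts, and the challenge is posted regardless of whether the TXT record exists, because a failed validation also leaves the pending state. The flip side, raised later in this thread, is that a failed validation invalidates that authorization, so a client that later does add the record must request a fresh one rather than retry the old URL.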


#3

Hello, long time no see! :smile: If I run my service,
Do you remember my service?
My company’s service issues tokens to users, and users add their TXT record,
and then we can issue a certificate.

So,
Many clients issue tokens and we wait for the DNS to change.
So the pending authorizations can be over 300.
I just wonder how I can reset the pending authorizations.

If I issue a token, will that last forever?
Or is a token not a pending authorization?

thx.


#4

You have over 300 clients that you have issued tokens for, and they haven’t yet added them as a TXT record to their DNS?

If that is the case, then I misunderstood your setup - please explain again what you are trying to do, as your current approach probably isn’t optimal for those sort of numbers.


#5

No, no, no. I didn’t start Let’s Encrypt at our service.
In our case, our clients issue tokens,
but if they don’t add the token,
they will be a burden for our service.

So I want to remove the authorization for this user.
If I am wrong about any part, please advise me.
Thx.


#6

So, if I understand correctly, you haven’t hit this limit. You are just concerned you may hit this limit, is that correct?

Again, if you are talking about 100’s of clients, then I think your method / approach is wrong - you really shouldn’t be doing it this way.

You can remove the “pending” authorization by trying to authorize. Whether that authorization passes or fails, it will remove the pending authorization. As stated above.


#7

Uhm, I am so sorry.
My language was so bad.
I want to ask again!

I divided getssl into 2 parts.
The first part is to issue a token for Let’s Encrypt.
So, many users can issue a token & not add the TXT record.

I periodically try to authorize the token, but the TXT record is not added,
so that token will remain & the pending count rises.
Is that right?
If I try to authorize the token and the authorization succeeds or fails, will that token be removed?
Then does the pending count decrease?

Thx.


#8

Yes.

If you are doing this for 100’s of clients though … this is NOT a good method.


#9

Hello,

Why do you think that?

I was planning to run a cron job to authorize every user’s issued token every 30 minutes.

thx.


#10

And how will that help!!!

You give someone a token, and then sometime within the next 30 minutes you get LE to test if that token is there; they haven’t had time to upload it yet, so it fails. The pending token is removed (because it fails). An hour later they upload the token. It’s no longer a valid token though (as it’s been tested, failed and removed as a valid token) … As above, the system you are setting up seems designed to fail - it’s not a good method.

I’d suggest either reading and understanding the ACME protocol, or paying someone who understands it to develop a system that meets your requirements.


#11

Oh oh oh,
I am so sorry.
I mean:
check the TXT record and after that authorize the user’s token.
That would be right, wouldn’t it?

thx.


#12

Again, how will that help?


#13

My plan’s cron has 2 steps.
First, check that all TXT records have the token,
and if they do, then authorize the domain.
That will not crash because of a token that was not added.
Isn’t that right?


#14

You appear to be designing a system that will not work - hence my question of “how will that help?”

I have already said several times that, in my view, your method is not a good one.

My question here was: how do you think your cron every 30 mins will help you achieve your aims? In my view, if you have hundreds of clients then, in itself, it won’t.


#15

I am so sorry that you have said the same thing several times…
I don’t know why it is a bad design that will not work.

The user has the TXT record until they add the record,
and when I check the change,
then I can issue the certificate by authenticating.
Isn’t that right?

I have to be the one who understands it to develop a system.

Can you describe why it will not work and
can you suggest an alternative?

thx.


#16

You keep asking the same question here: “the sky is blue, right?” and the answer could be yes … but the fact that the sky can be blue does not help you achieve your aims of obtaining certificates for clients - hence my question of “How does that help?”, which you never answer. What you have stated in this thread is the problem - and your suggested cron job does not solve that problem, hence why I say your design / method will not work.

Then I’d suggest reading and understanding the ACME specification - and Boulder divergences from ACME.


#17

So sorry
that I always ask you to give me an answer,
but I am very bad at English, so I read and read and finally couldn’t understand,
then I asked you.

If you are mad at me, I am really sorry.
But I fear reading all that documentation & don’t want to question you again & again.

However, I want to understand ACME more deeply.
So, can you give me a guideline to the documentation?


#18

If you want to understand fully the ACME protocol, then I can only suggest either translating it, or working with someone who understands your language, English and the basics of computer programming / design.


#19

Yeah, English is the basic language of Computer Science.

But can’t you suggest something in view of “Token Issuing”…?


#20

I’m not sure what you want. I’ve suggested already that you get someone involved in your project who understands the ACME protocol and could help you design a method that works. You rejected that opinion and said that you “have to be one who understands it to develop a system.”

If you have to be the one who understands it to develop the system, then the only option I see is that you learn about the ACME standard in the links already provided (or get them translated / work with someone who understands English well enough to explain it to you).

I, or others, could help develop a system for you that meets your requirement. As above though, you have already rejected that option.