Http-01 challenge always pending

My domain is: noahsales.com

I ran this command:

It produced this output:

My web server is (include version): self-development

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

(1) Problem
The returned status of the challenge authorization is always "pending".
The ACME client has prepared the challenge token value and answered the authorization challenge as well; however, the status is always "pending" when querying the challenge details.

(2) Background
The domain name: noahsales.com
The certificate was successfully downloaded by Certbot on February 4th 2024.
I decided to develop my own ACME client based on GitHub - PKISharp/ACMESharpCore: An ACME v2 client library for .NET Standard (Let's Encrypt), because the PEM certificate format cannot be handled in .NET Framework.

(3) Operation
During the test development, the certificate was successfully downloaded from Let's Encrypt staging server.
I also noticed that it is OK to download the certificate repeatedly by using the same account and order information from the first-time registration.
However, the challenge status "pending" was returned after running the procedures again, i.e., creating the account, creating the order…

(4) Question
Why doesn't the Let's Encrypt ACME server request my web server for challenge verification (there is no access record in my web server log)?
Could you please reset some information about the domain name "noahsales.com" to make the certificate application go through (please delete the existing information created by Certbot previously if possible)?
Is it related to the account key, which was created the first time by Certbot? If so, how can I get back the account key created by Certbot (Certbot was uninstalled from my web server)?
More than 2/3 of 90 days have elapsed since the previous certificate was downloaded by Certbot. One month has also gone by since the last challenge authorization.
Please instruct me how to apply for the certificate. Thanks in advance.

(5) The current data
The current order data:
{
  "Payload": {
    "status": "pending",
    "expires": "2024-05-03T09:11:31Z",
    "identifiers": [
      { "type": "dns", "value": "noahsales.com" },
      { "type": "dns", "value": "www.noahsales.com" }
    ],
    "authorizations": [
      "https://acme-v02.api.letsencrypt.org/acme/authz-v3/343234312657",
      "https://acme-v02.api.letsencrypt.org/acme/authz-v3/343234312667"
    ],
    "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1681381387/264226685587"
  },
  "OrderUrl": "https://acme-v02.api.letsencrypt.org/acme/order/1681381387/264226685587"
}

The authorization challenge data:
[
  {
    "identifier": { "type": "dns", "value": "noahsales.com" },
    "status": "pending",
    "expires": "2024-05-03T09:11:31Z",
    "challenges": [
      {
        "type": "http-01",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/343234312657/U1EeEg",
        "status": "pending",
        "token": "x09QA4TOdcNGdpuHYziAzCEO_breLaMwZG6gzHRJOLY"
      },
      {
        "type": "dns-01",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/343234312657/qI7dzQ",
        "status": "pending",
        "token": "x09QA4TOdcNGdpuHYziAzCEO_breLaMwZG6gzHRJOLY"
      },
      {
        "type": "tls-alpn-01",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/343234312657/RXEiSg",
        "status": "pending",
        "token": "x09QA4TOdcNGdpuHYziAzCEO_breLaMwZG6gzHRJOLY"
      }
    ]
  },
  {
    "identifier": { "type": "dns", "value": "www.noahsales.com" },
    "status": "pending",
    "expires": "2024-05-03T09:11:31Z",
    "challenges": [
      {
        "type": "http-01",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/343234312667/Pd1t5g",
        "status": "pending",
        "token": "iVrqtL3Ch30OINotfcC0_SkXI9LnzcoRVD-RXpqbL58"
      },
      {
        "type": "dns-01",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/343234312667/OcYyDA",
        "status": "pending",
        "token": "iVrqtL3Ch30OINotfcC0_SkXI9LnzcoRVD-RXpqbL58"
      },
      {
        "type": "tls-alpn-01",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/343234312667/tTh6tw",
        "status": "pending",
        "token": "iVrqtL3Ch30OINotfcC0_SkXI9LnzcoRVD-RXpqbL58"
      }
    ]
  }
]

What code are you calling to submit the challenge response? You need to tell the ACME CA you are now ready for them to check your answer.


You may also want to find a more actively developed .NET ACME library. That one doesn't appear to have had any code-related commits for the last 4 years.


Thanks for the follow-up.

The challenge value is ready on http://www.noahsales.com/.well-known/acme-challenge/iVrqtL3Ch30OINotfcC0_SkXI9LnzcoRVD-RXpqbL58

I respond to challenges by calling AnswerChallengeAsync from the library, which posts the challenge URL to the ACME server.

The steps ran well on the Let's Encrypt staging server and downloaded the certificate successfully before deployment.

I also noticed the same problem during the development test. It was OK to use the information from the first-time application, including the account key, order information, etc., to download the certificate repeatedly. However, when I ran the steps brand new (with the same email and the same domain name), creating the account again and creating the order again, the status of the challenge authorization was always "pending", and it seems that Let's Encrypt will not come to query the challenge value anymore because of some setting.

I think it would succeed if my ACME client applied for the certificate for the first time.

I wonder whether some information recorded on the Let's Encrypt system, created by the first application with Certbot, blocks my current ACME client.


Hi there, the library implements the logic and it works, although it has not been updated for a long time.
It worked during my development test.
Do you have any other advice to solve the problem? Thanks.


Using the online tool Let's Debug yields these results: https://letsdebug.net/www.noahsales.com/1906559

ANotWorking
ERROR
www.noahsales.com has an A (IPv4) record (203.109.148.211) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://www.noahsales.com/.well-known/acme-challenge/letsdebug-test": EOF

Trace:
@0ms: Making a request to http://www.noahsales.com/.well-known/acme-challenge/letsdebug-test (using initial IP 203.109.148.211)
@0ms: Dialing 203.109.148.211
@559ms: Experienced error: EOF
IssueFromLetsEncrypt
ERROR
A test authorization for www.noahsales.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
203.109.148.211: Fetching http://www.noahsales.com/.well-known/acme-challenge/K79ByHbbLgIaNfb_zE5JyRBK9e76nJuk97-723OS554: Error getting validation data

And using curl:

$ curl -i http://www.noahsales.com/.well-known/acme-challenge/iVrqtL3Ch30OINotfcC0_SkXI9LnzcoRVD-RXpqbL58
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 87

iVrqtL3Ch30OINotfcC0_SkXI9LnzcoRVD-RXpqbL58.qCFzgOtp6wn2xippcK3c6npyGNsr1QHnVCwffGLgqrQ

This response isn't expected.

$ curl -i http://www.noahsales.com/.well-known/acme-challenge/sometestfile
curl: (52) Empty reply from server

Hi Bruce5051,

Thanks for the test.

I can understand the test report including the error ones.

The web server is a function module (a Windows service) of a point of sale (POS) system; it is not a common web server, e.g. Windows IIS or Apache. It only processes the challenge values of the current order, e.g. "iVrqtL3Ch30OINotfcC0_SkXI9LnzcoRVD-RXpqbL58" and "x09QA4TOdcNGdpuHYziAzCEO_breLaMwZG6gzHRJOLY"; any other query values or post values will be ignored.

There is no physical directory .well-known/acme-challenge/, so no data can be accepted and written into it.

Therefore, nothing will be responded for any unknown URL request under .well-known/acme-challenge/, e.g. http://www.noahsales.com/.well-known/acme-challenge/sometestfile

Yes, the web server is listening for IPv4 requests.

Could you please suggest adding any more web responses to meet the Let's Encrypt challenge authorization requirement? Thanks.


Passed Let's Debug after letting the web server bounce the token value.

Let's Debug (https://letsdebug.net/)

Test result for noahsales.com using http-01

All OK!

OK

No issues were found with noahsales.com. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

Submitted 17s ago. Sat in queue for 2ms. Completed in 16s.

One thing to remember is that changes to ACME object states aren't always immediate, so for instance if you have completed all your challenges you then need to check the state of the order repeatedly (with a delay; see the Retry-After header) until the order state changes.


That is a new idea to check the order status and I will add the check to the certificate application.

At the moment, my ACME client does the following steps:
(1) Prepare the challenge value and wait for the ACME server to query it
(2) Post each challenge URL to the ACME server
(3) Poll each challenge status
(4) Post each authorization URL in the order to the ACME server
(5) Finalize the order when all authorization statuses are "valid"

The steps worked well when testing against the ACME staging server.

The main problem is that the ACME server doesn't access my web server to check the challenge value. There is no record in my web server log.

The expiration period of an order is a week. I kept watching the previous order for one week and didn't see any log entry showing that the ACME server came to query the challenge value.

Do you know what factors affect the ACME server to check the challenge value from the web server?

If you have previously completed a challenge for your domain on the production Let's Encrypt API then that authorization will stay valid for up to 30 days.

If you are not seeing validation attempts for a domain that hasn't been validated yet, check your firewall is not simply blocking them.

After you have submitted your challenge you cannot proceed to any other step until your chosen challenges are responding as valid (or invalid, in which case you report the error and stop). The possible statuses of a challenge are listed here: RFC 8555 - Automatic Certificate Management Environment (ACME) - if they are still marked pending then the CA is not aware that you have asked

An order will complete in seconds, and at most a minute or so, in all established ACME certificate authorities. You do not need to wait a week for anything unless you are waiting for a rate limit to expire.

I think win-acme uses a version of the same library you are trying to use, so you could get some inspiration from that: win-acme/src/main.lib/Clients/Acme/AcmeClient.cs at master · win-acme/win-acme · GitHub
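As an added illustration (not code from this thread and not from ACMESharpCore or win-acme; written in Python rather than .NET), the two pieces the replies above turn on: how the body served at the http-01 URL is derived from the account key's JWK thumbprint (RFC 7638, RFC 8555 section 8.1), a self-check that the web server really serves it, and a bounded poll loop that honours Retry-After instead of waiting a week. The JWK values and the fake `fetch` function are constructed for the example.

```python
import base64
import hashlib
import json
import time
from typing import Callable, Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members of the
    public JWK, lexicographically ordered, serialized without whitespace.
    Extra members such as 'alg' or 'kid' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """Exact body GET /.well-known/acme-challenge/<token> must return:
    the token, a dot, then the thumbprint of the account key that will
    POST the challenge. A different account key means a different body."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def served_body_is_correct(body: str, token: str, jwk: Dict[str, str]) -> bool:
    """Self-check to run against your own web server before POSTing the
    challenge URL; a trailing newline is tolerated, nothing else."""
    return body.strip() == key_authorization(token, jwk)


# fetch() re-reads one ACME object (order, authorization or challenge) and
# returns (parsed JSON, Retry-After seconds or None). Injected so it can be
# driven by real HTTP or, as here, by a constructed sequence.
Fetch = Callable[[], Tuple[dict, Optional[float]]]


def poll_until_settled(fetch: Fetch, max_attempts: int = 10) -> dict:
    """Poll until status leaves pending/processing, sleeping for the server's
    Retry-After (2 s when absent). Bounded to a few reads: a challenge that
    stays 'pending' this long was almost certainly never POSTed to the CA."""
    for _ in range(max_attempts):
        obj, retry_after = fetch()
        if obj["status"] not in ("pending", "processing"):
            return obj
        time.sleep(retry_after if retry_after is not None else 2.0)
    raise TimeoutError(f"still pending after {max_attempts} reads: was the "
                       "challenge URL POSTed with the same account key?")
```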


Hi webprofusion, thanks for your support.

It is probably why the CA doesn't attempt to verify the challenge value from my web server.

I see the initial status of a new order is "Pending". The status of the authorization challenge of the new order is "Pending" as well.

Are the initial status values "Pending" for both a new order and the authorization challenge?

Does the previous certificate application make the status "Pending"? (Certbot downloaded the certificate successfully on February 4th, 2024, more than 30 days ago).

Does the CA resume processing my certificate application normally if I submit my order again after 30 days, or after the certificate expires in 90 days?

Could you please remove all the related data of "noahsales.com" in the CA database submitted by the Certbot application?


My ACME client answers the authorization challenge by posting the challenge URL to the CA server every 3 hours.

http://www.noahsales.com/.well-known/acme-challenge/iVrqtL3Ch30OINotfcC0_SkXI9LnzcoRVD-RXpqbL58

http://www.noahsales.com/.well-known/acme-challenge/x09QA4TOdcNGdpuHYziAzCEO_breLaMwZG6gzHRJOLY

Could you please investigate the CA server log to see what action is taken and how the challenge request is ignored?

My web server firewall is open for ports 80 and 443.

I referred to the win-acme source code, which is why I chose to use GitHub - PKISharp/ACMESharpCore: An ACME v2 client library for .NET Standard (Let's Encrypt).

Excuse me for raising a small request, since I cannot test with a new domain name to see if there is any unexpected result.

Could you please use Certbot to apply for the certificate for a domain name, then uninstall Certbot, then use win-acme to apply for the certificate for the same domain name with the same email to create the account, and finally use Certbot to apply again, on the Windows operating system?

Nobody here can investigate anything on the CA side for you. I would suggest using an established ACME client instead of spending much time developing your own. I am the developer of https://certifytheweb.com - you could try that, or just use win-acme itself.


Good idea. Let me try https://certifytheweb.com/. Thanks.


https://certifytheweb.com/ works! The certificate has been downloaded and https://www.noahsales.com can be accessed now.

Thank you very much!
