I ran this command: “renew” in the Plesk LetsEncrypt extension interface. Same error is thrown if I first de-activate the existing LetsEncrypt certificate for that domain and try to install a new one via the “install” command in the Plesk LetsEncrypt extension interface.
It produced this output:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/finalize/37915625/354752036.
Details:
Type: urn:ietf:params:acme:error:orderNotReady
Status: 403
Detail: Order's status ("pending") is not acceptable for finalization
My web server is: Apache 2.2.22-1ubuntu1.11
The operating system my web server runs on is: Ubuntu 12.04.5 LTS
I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: Plesk Onyx 17.0.17
The version of my client is: Plesk LetsEncrypt extension, version 2.7.3, release 474
A certificate for that domain was previously installed successfully, .well-known folder can be written and is accessible, so all configuration settings should be working. Yet, I’m receiving an “orderNotReady” error. Could someone please tell me what it means in the first place, and how it can be solved? Does the “pending” mean that something can/should be reset somehow?
orderNotReady is a sign that the extension tried to finalize an order without actually having fulfilled the required authorizations. That is a sign of a client bug.
Thanks, @_az for your quick reply. Yet, I can successfully issue LetsEncrypt certificates for other domains, so the client is working (mostly?). Should I report on the general Plesk forum, or are there more directed channels for the LetsEncrypt extension?
In case this is relevant: I did previously extend the certificate for the problem domain with the plesk bin extension --exec letsencrypt cli.php command, using the -d flag. This went without problems as well, but I have been experimenting with a script to automatically extend this certificate after auto-renewal (since that’s dropping the extended subdomain aliases from the certificate). Anyway, this might be the relevant part: I had purposely tried to extend the certificate with a non-existent subdomain that I knew wouldn’t resolve properly, to check if errors would be reported properly. Of course that failed, but could this be a possible reason for the “pending” status? And a clue for resetting it somehow?
If it might help other Plesk users: I've dived into the /opt/psa/var/modules/letsencrypt folder, where I found an orders subfolder, with files containing what seems like JSON status reports. I've temporarily moved the one for the problematic domain (containing "status":"pending", indeed) out of the way, after which I could renew the certificate again (and a new JSON order status file is generated, containing "status":"valid").
Phew, thanks a million for pointing me in this direction!
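An added example, not part of the thread and not the Plesk extension's own code: a read-only scan of order files like those described in the last post, applying the RFC 8555 rule behind orderNotReady, namely that only an order in state "ready" may be finalized. It assumes each file is a JSON object with a top-level "status" key; the function names and the sample files are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# RFC 8555 section 7.1.6: what a client may do in each order state.
NEXT_STEP = {
    "pending": "authorizations outstanding; finalize would fail with orderNotReady",
    "ready": "all authorizations valid; finalize may be sent",
    "processing": "finalize already accepted; poll the order",
    "valid": "certificate issued; nothing to finalize",
    "invalid": "order failed; a new order is needed",
}

def can_finalize(status):
    """Only an order in state 'ready' is acceptable for finalization."""
    return status == "ready"

def scan_orders(orders_dir):
    """Map each file name to (status, can_finalize) without modifying anything."""
    report = {}
    for path in sorted(Path(orders_dir).iterdir()):
        if not path.is_file():
            continue
        try:
            # Assumption: a JSON object with a top-level "status" key.
            status = str(json.loads(path.read_text())["status"])
        except (ValueError, OSError, KeyError, TypeError):
            status = "unreadable"
        report[path.name] = (status, can_finalize(status))
    return report

def demo():
    """Run the scan over constructed sample files in a temporary directory."""
    samples = {
        "stuck.example.json": '{"status":"pending"}',
        "issued.example.json": '{"status":"valid"}',
        "ready.example.json": '{"status":"ready"}',
        "broken.example.json": '{"status":',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_text(body)
        return scan_orders(tmp)

if __name__ == "__main__":
    # On the server from the thread the folder would be
    # /opt/psa/var/modules/letsencrypt/orders (path taken from the post).
    for name, (status, ok) in demo().items():
        hint = NEXT_STEP.get(status, "not a usable order file")
        print(f"{name}: {status}, finalizable={ok} ({hint})")
```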