Installing/renewing certificate on Plesk fails with urn:ietf:params:acme:error:orderNotReady


#1

My domain is: extra.kantl.be

I ran this command: “renew” in the Plesk LetsEncrypt extension interface. Same error is thrown if I first de-activate the existing LetsEncrypt certificate for that domain and try to install a new one via the “install” command in the Plesk LetsEncrypt extension interface.

It produced this output:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/finalize/37915625/354752036.
Details:
  Type: urn:ietf:params:acme:error:orderNotReady
  Status: 403
  Detail: Order's status ("pending") is not acceptable for finalization

My web server is: Apache 2.2.22-1ubuntu1.11

The operating system my web server runs on is: Ubuntu 12.04.5 LTS

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: Plesk Onyx 17.0.17

The version of my client is: Plesk LetsEncrypt extension, version 2.7.3, release 474

A certificate for that domain was previously installed successfully, .well-known folder can be written and is accessible, so all configuration settings should be working. Yet, I’m receiving an “orderNotReady” error. Could someone please tell me what it means in the first place, and how it can be solved? Does the “pending” mean that something can/should be reset somehow?

Many thanks!

Ron


#2

Report it to Plesk.

orderNotReady is a sign that the extension tried to finalize an order without actually having fulfilled the required authorizations. That is a sign of a client bug.

Curiously similar issue to Multi-domain Cert using Crypt:LE and DNS.pm Module, even though that one is a totally separate ACME client. I wonder if some behavior really has changed at the CA.


#3

Thanks, @_az for your quick reply. Yet, I can successfully issue LetsEncrypt certificates for other domains, so the client is working (mostly?). Should I report on the general Plesk forum, or are there more directed channels for the LetsEncrypt extension?

In case this is relevant: I did previously extend the certificate for the problem domain with the plesk bin extension --exec letsencrypt cli.php command, using the -d flag. This went without problems as well, but I have been experimenting with a script to automatically extend this certificate after auto-renewal (since that’s dropping the extended subdomain aliases from the certificate). Anyway, this might be the relevant part: I had purposely tried to extend the certificate with a non-existent subdomain that I knew wouldn’t resolve properly, to check if errors would be reported properly. Of course that failed, but could this be a possible reason for the “pending” status? And a clue for resetting it somehow?


#4

If you did unorthodox stuff, then it’s possible that leads to the extension malfunctioning.

One way to fix it would be to “forget” all of your Let’s Encrypt settings (your account especially).

However, I have no idea where Plesk stores these settings for each account.


#5

Thanks again, @_az, your hint did it!

If it might help other Plesk users: I’ve dived into the /opt/psa/var/modules/letsencrypt folder, where I found an orders subfolder, with files containing what seems like JSON status reports. I’ve temporarily moved the one for the problematic domain (containing "status":"pending", indeed) out of the way, after which I could renew the certificate again (and a new JSON order status file is generated, containing "status":"valid").

Phew, thanks a million for pointing me in this direction!
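
An added example, not part of the thread and not code from the Plesk extension: a read-only Python check for the situation post #5 describes, listing the cached order files by status and marking which ones the CA would accept a finalize request for. It assumes each file in the orders folder is a JSON object with a top-level "status" key (the post only says the files seem to be JSON); the function names are this example's own.

```python
import json
import sys
from pathlib import Path

# Directory named in post #5; the layout of the files inside it is assumed.
ORDERS_DIR = Path("/opt/psa/var/modules/letsencrypt/orders")

# Order states defined by RFC 8555 section 7.1.6.
ORDER_STATES = {"pending", "ready", "processing", "valid", "invalid"}


def load_status(path):
    """Return the cached order's "status" value, or None if unreadable."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    status = data.get("status") if isinstance(data, dict) else None
    return status if status in ORDER_STATES else None


def scan_orders(directory):
    """Return (file name, status, finalizable) for every file, sorted by name."""
    rows = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            status = load_status(path)
            # The CA accepts a finalize request only for an order in "ready";
            # any other state is answered with 403 orderNotReady.
            rows.append((path.name, status, status == "ready"))
    return rows


def stuck_orders(directory):
    """File names of cached orders still "pending" (the state in the error)."""
    return [name for name, status, _ in scan_orders(directory) if status == "pending"]


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else ORDERS_DIR
    if not target.is_dir():
        sys.exit(f"{target}: not a directory")
    for name, status, ok in scan_orders(target):
        print(f"{name}: status={status or 'unreadable'} finalizable={ok}")
    print("pending:", ", ".join(stuck_orders(target)) or "none")
```

The script only reads the files; moving a stale one aside, as in post #5, remains a manual step.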