Order doesn't get ready

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: got-jena.de

I ran this command: ran a ps script referring acme client to renew the certificate for autodiscover.got-jena.de and david.got-jena.de

It produced this output: got the message that Authorization for both is VALID, but Get-PAOrder -Refresh brings Order is NOT ready

My web server is (include version): Windows Server IIS

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Can you show us the order URL?

try {
    # Fetch the order's authorizations and build, for each one, the HTTP-01 challenge URL, file name and file body
    $auths = $LEOrder | Get-PAAuthorizations
    $PublishAuths = $auths | Select @{L='Url';E={"http://$($_.fqdn)/.well-known/acme-challenge/$($_.HTTP01Token)"}},@{L='Filename';E={$_.HTTP01Token}},@{L='Body';E={Get-KeyAuthorization $_.HTTP01Token (Get-PAAccount)}}
    foreach ($PublishAuth in $PublishAuths) {
        # Write the key authorization into the challenge folder served by IIS
        $filename = Join-Path $AcmeFolder $PublishAuth.Filename
        $authfile = Out-File $filename -InputObject $PublishAuth.Body -Encoding ASCII
        #Write-ACMELog "LE System" "Info" "Successfully created authorisation file: $filename"
    }
}
catch {
    throw   # surface any failure to the caller
}

Sorry, I meant to ask for the URL of your actual order object which isn’t transitioning to ready.

Like https://acme-v02.api.letsencrypt.org/acme/order/xxxx/yyyy

The reason that the order isn’t transitioning to ready would be that there are still authorizations remaining in the pending state, so it would be useful to get the URL so we can look at the authorizations manually.

Unfortunately, the PS script is autogenerating the order URL and doesn’t show me,
in the ACME log I can only find this: https://acme-v02.api.letsencrypt.org/acme/acct/85819055

You might be able to find it in an order.json inside the config directory.

https://acme-v02.api.letsencrypt.org/acme/order/77848641/3322142895

If you click through to the authorizations at that URL, you'll see that they both failed:

Fetching http://autodiscover.got-jena.de/.well-known/acme-challenge/PMMJpPLaKQbPFeWW_pKsJ6BLj1qFgnyYkVVgykTqdwA: Timeout during connect (likely firewall problem)

Fetching http://david.got-jena.de/.well-known/acme-challenge/y4cx5d3MzvUVJJ4P-mhFm8ApFouKbARlfVbMYTWYp6Q: Timeout during connect (likely firewall problem)

And indeed, your IP seems to not allow connections to port 80:

$ curl -m10 david.got-jena.de
curl: (28) Connection timed out after 10001 milliseconds
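The manual check described above (opening the order's authorizations and reading the challenge errors), as an added PowerShell example that is not part of the thread and not Posh-ACME code. The JSON is constructed sample data in RFC 8555 shape, and the function names `Get-AuthzFailureSummary` and `Get-ExpectedOrderState` are hypothetical.

```powershell
# CONSTRUCTED sample data shaped like RFC 8555 authorization objects;
# host names and tokens are placeholders, not values from the thread.
$SampleAuthzJson = @'
[
  { "identifier": { "type": "dns", "value": "mail.example.com" },
    "status": "invalid",
    "challenges": [
      { "type": "http-01", "status": "invalid", "token": "CONSTRUCTED-TOKEN-1",
        "error": { "type": "urn:ietf:params:acme:error:connection",
                   "detail": "Timeout during connect (likely firewall problem)" } },
      { "type": "dns-01", "status": "pending", "token": "CONSTRUCTED-TOKEN-1" } ] },
  { "identifier": { "type": "dns", "value": "www.example.com" },
    "status": "valid",
    "challenges": [
      { "type": "http-01", "status": "valid", "token": "CONSTRUCTED-TOKEN-2" } ] }
]
'@

# One row per authorization: its status plus the error of any failed challenge.
function Get-AuthzFailureSummary {
    param([Parameter(Mandatory)][object[]]$Authorization)
    foreach ($authz in $Authorization) {
        $failed = @($authz.challenges | Where-Object { $_.error })
        [pscustomobject]@{
            Identifier = $authz.identifier.value
            Status     = $authz.status
            Challenge  = ($failed.type -join ',')
            ErrorType  = ($failed.error.type -join ',')
            Detail     = ($failed.error.detail -join '; ')
        }
    }
}

# Order state implied by its authorizations (RFC 8555 section 7.1.6):
# all valid -> ready; any authorization in a failed final state -> invalid;
# otherwise the order is still pending.
function Get-ExpectedOrderState {
    param([Parameter(Mandatory)][object[]]$Authorization)
    $failedStates = 'invalid', 'expired', 'revoked', 'deactivated'
    $states = @($Authorization.status)
    if (@($states | Where-Object { $failedStates -contains $_ }).Count -gt 0) { return 'invalid' }
    if (@($states | Where-Object { $_ -ne 'valid' }).Count -eq 0) { return 'ready' }
    return 'pending'
}

$authzs = $SampleAuthzJson | ConvertFrom-Json
Get-AuthzFailureSummary -Authorization $authzs | Format-List
"Expected order state: $(Get-ExpectedOrderState -Authorization $authzs)"
```

For a real order, the objects to feed in are the ones behind each URL in the order's `authorizations` array.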

So it is needed that 443 AND 80 are open?

Just made a second dnat entry for port 80 in the firewall, and it worked! I wonder how it worked 3 months ago. Maybe another admin made a temp dnat for 80, and later removed that.

Thanks for your help!
