Order not in ready state, all challenges are valid

I have an order for fincharm.com and www.fincharm.com. Both associated authorizations are valid; however, the order state is valid and not ready, hence technically not ready to be finalized.

I invalidated the order and created a new one, and the new one completed immediately. I suppose somehow the previous order ended up in an incorrect state.

Do you concur with my reasoning? Can I somehow trigger a refresh of the current order, or is it fine for now to simply ignore it and create a new one?

Hi @weppos

Sounds like a temporary problem. But:

If the next try worked, ignore it. Looks like a special case.

:wave: @weppos,

Can you share the order URL?

Hi @weppos,

The order status is "valid" and not "ready" because it has already been finalized. You shared the order URL out of band and I was able to verify that there is a "certificate" field on the order pointing to the issued certificate that was created at finalization time.

The "valid" status for an order object is a terminal state based on the specification's status change state machine. An order can't change from "valid" to any other status, which also precludes finalizing the same order twice to get a duplicate certificate.

How did you try to invalidate the order? It seems like the order and its authorizations remain in the "valid" status. Re-creating the order and finalizing it would be the expected way to issue a duplicate certificate vs trying to finalize the same order twice - glad to hear that worked as expected!

Is there a chance your integration missed the fact it had already finalized the order and became confused by the apparent order status mixup?

Hope that helps!
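The order status handling described in the reply above, as an added example that is not part of the original thread or of any participant's client: it decides what to do with an order from the status the server reports, so a finalize request whose response was lost is recovered instead of retried. Statuses and transitions follow RFC 8555 section 7.1.6; the function names, action names and sample order are hypothetical and constructed.

```python
from typing import Optional, Tuple

# Allowed order status transitions (RFC 8555, section 7.1.6).
# "valid" and "invalid" are terminal: nothing leaves them.
TRANSITIONS = {
    "pending": {"ready", "invalid"},
    "ready": {"processing", "invalid"},
    "processing": {"valid", "invalid"},
    "valid": set(),
    "invalid": set(),
}


def can_transition(current: str, new: str) -> bool:
    """True if the state machine allows moving from `current` to `new`."""
    return new in TRANSITIONS.get(current, set())


def next_action(order: dict) -> Tuple[str, Optional[str]]:
    """Decide what to do with a freshly fetched order object.

    Returns (action, url). The decision uses the server-reported status,
    not a locally cached one.
    """
    status = order.get("status")
    if status == "pending":
        return ("complete_authorizations", None)
    if status == "ready":
        return ("finalize", order["finalize"])
    if status == "processing":
        return ("poll_order", None)
    if status == "valid":
        # Already finalized: fetch the certificate, do not finalize again.
        return ("download_certificate", order["certificate"])
    if status == "invalid":
        return ("create_new_order", None)
    raise ValueError(f"unknown order status: {status!r}")


# Constructed sample: the order as reported after finalization succeeded
# but the client crashed before reading the response.
RECOVERED_ORDER = {
    "status": "valid",
    "finalize": "https://acme.example/finalize/1",
    "certificate": "https://acme.example/cert/1",
}
```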

My bad, for some reason I thought the order went to valid then ready, not vice-versa. I may have misread the RFC.

Good point. Sorry, I should have been more explicit. I invalidated the local cache of the order, forcing our system to generate a new order for the same identifiers.

I am noticing quite a few network errors lately. Errors like "can't find the account", unable to get authorization, etc. (I can trace them if you need more debug details).

It's possible the connection somehow crashed while the order was being finalized, and our system did not properly handle the state. When it re-ran, it expected it should be ready and instead it was already finalized.

I'll enhance our system to handle the valid case.

No worries :slight_smile:

:+1: - makes sense!

Sure, that would be great, thanks!

One error that just happened a few times is

failed check for existing account

I suppose the origin is https://github.com/letsencrypt/boulder/blob/aac0e3d12266643cd4bb4e2714cc862ee4249926/wfe2/wfe.go#L482

There are a few others but I suppose they may be network errors. I am going to make a change and see if it improves the interaction (we currently don't pass the kid, hence the client requires a call to account to retrieve it each time it is instantiated).

Thanks! It would be helpful if you had UTC timestamps for these events as well.

Sounds good :+1:, thanks @weppos
