Order Pending - I don't know what's happening

My domain is:
bi.dallan.com

I ran this command:
    var cert = await order.Generate(new CsrInfo
    {
        CommonName = dns,
    }, privateKey);

It produced this output:
Fail to load resource from 'https://acme-v02.api.letsencrypt.org/acme/finalize/99302913/5685652698'.
urn:ietf:params:acme:error:orderNotReady: Order's status ("pending") is not acceptable for finalization

My web server is (include version):
IIS

The operating system my web server runs on is (include version):
Windows Server

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
no

"pending" means you have not completed all - or failed any - ACME challenges.

Why that happened? I don't know. No one will be able to help you, because you failed to disclose any of the required information you were asked to provide.

@jvanasco I sent the information, look...
My domain is:
bi.dallan.com

I ran this command:
    var cert = await order.Generate(new CsrInfo
    {
        CommonName = dns,
    }, privateKey);

It produced this output:
Fail to load resource from 'https://acme-v02.api.letsencrypt.org/acme/finalize/99302913/5685652698'.
urn:ietf:params:acme:error:orderNotReady: Order's status ("pending") is not acceptable for finalization

My web server is (include version):
IIS

The operating system my web server runs on is (include version):
Windows Server

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
no

You did not send the required information. You left most fields blank. Most importantly, you did not specify what program, library, or ACME client you are using.

There are hundreds, if not thousands, of ACME clients and libraries. The raw code you pasted could be from any one of them.

No one will be able to troubleshoot your problem based on the information you provided.


I'm using ACME Client "Certes" v: 2.3.3

But I'm having a problem on just one server.

@mlopesbjj As Jonathan mentioned, it's very difficult to diagnose the problem from the very little code you have provided.

In broad terms, the error means that your program did not successfully respond to all of the required challenges in the order you created.

You have called order.Generate without first completing a challenge in each authorization.

Perhaps we would be able to point out the problem in your program if you posted the program in its entirety, but that snippet you posted isn't enough.

@_az Hi, thanks for the answer.
    using System;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using System.Threading.Tasks;
    using Certes;
    using Certes.Acme;
    using NLog;

    public class AcmeHelper
    {
        private static Logger logger = LogManager.GetCurrentClassLogger();

        public static async Task<X509Certificate2> GenerateCert(string dns)
        {
            AcmeHost challengeResponder = null;
            try
            {
                // Checking port
                if (NetworkingHelper.IsPortInUse(80))
                {
                    throw new Exception("Port 80 is currently in use, cannot start the ACME challenge responder. Certificate request will be canceled");
                }

    #if DEBUG
                logger.Warn("Running in debug mode, will use the LetsEncrypt Staging server!");
                Uri letsEncryptUri = WellKnownServers.LetsEncryptStagingV2;
    #else
                Uri letsEncryptUri = WellKnownServers.LetsEncryptV2;
    #endif
                {
                    var acme = new AcmeContext(letsEncryptUri);
                    var account = await acme.NewAccount("mlopesbjj@gmail.com", true);
                    var tos = acme.TermsOfService();
                    var order = await acme.NewOrder(new[] { dns });
                    var authz = (await order.Authorizations()).First();
                    var httpChallenge = await authz.Http();
                    var keyAuthz = httpChallenge.KeyAuthz;
                    var token = httpChallenge.Token;

                    challengeResponder = new AcmeHost(token, dns);
                    try
                    {
                        challengeResponder.StartWebApiHost();
                        AcmeResponderController.KeyAuthorization = keyAuthz;
                    }
                    catch (Exception ex)
                    {
                        logger.Error(ex, "Error while starting the ACME responder service, canceling certificate request");
                        try { challengeResponder.StopWebApiHost(); } catch { }
                        throw;
                    }

                    await httpChallenge.Validate();
                    logger.Info("11 - httpChallenge: " + httpChallenge.Location);

                    var res = await authz.Resource();
                    logger.Info("12 - res: " + res);

                    var privateKey = KeyFactory.NewKey(KeyAlgorithm.RS256);
                    var cert = await order.Generate(new CsrInfo
                    {
                        CommonName = dns,
                    }, privateKey);

                    // x509cert is not declared in the posted code; the conversion from cert is not shown.
                    return x509cert;
                }
            }
            catch (Exception ex)
            {
                logger.Error(ex, "An exception occurred while requesting certificates: " + ex.Message);
                throw; // rethrow without resetting the stack trace
            }
            finally
            {
                // Close the web api responder
                try { challengeResponder.StopWebApiHost(); } catch { }
            }
        }
    }

Thanks, that's much clearer.

Certes' documentation does not explain this, but after you call Validate on a challenge, you need to poll and wait until the authorizations transition to either the valid or invalid state.

If you don't wait after calling Validate, then sometimes it will work, and sometimes it won't (depending how fast the Let's Encrypt server checks the challenge). You don't want to do that.

If you take a look at this test case in Certes' source code, you can see how the author has created a polling loop where they wait for each authorization to be in either the invalid or valid state.

If you do that, then you will be able to safely call order.Generate without encountering this "order pending" error. (Though I recommend using a much longer delay than the 100ms that code uses).

I hope that helps.

2 Likes
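
A bounded version of the polling step described in the reply above, as an added example that is not part of the original thread or of Certes' own code. The `AcmePolling` class name and the interval and timeout values in the usage comment are assumptions; it fails closed when an authorization ends in any state other than valid, so `order.Generate` is never reached with a pending or invalid order.

```csharp
using System;
using System.Threading.Tasks;
using Certes.Acme;
using Certes.Acme.Resource;

// Hypothetical helper (not part of Certes).
public static class AcmePolling
{
    // Polls every authorization of the order until it leaves the
    // pending/processing states. Returns only if all are valid.
    public static async Task WaitForAuthorizations(
        IOrderContext order, TimeSpan pollInterval, TimeSpan timeout)
    {
        var deadline = DateTime.UtcNow + timeout;

        foreach (var authz in await order.Authorizations())
        {
            while (true)
            {
                // Resource() re-fetches the authorization from the ACME server.
                var res = await authz.Resource();

                if (res.Status == AuthorizationStatus.Valid)
                    break; // this identifier is proven, check the next one

                if (res.Status != AuthorizationStatus.Pending &&
                    res.Status != AuthorizationStatus.Processing)
                {
                    // invalid, expired, revoked, deactivated: stop here
                    // instead of letting finalization fail later.
                    throw new InvalidOperationException(
                        $"Authorization for {res.Identifier?.Value} ended as {res.Status}");
                }

                if (DateTime.UtcNow >= deadline)
                    throw new TimeoutException(
                        $"Authorization for {res.Identifier?.Value} still {res.Status} after {timeout}");

                await Task.Delay(pollInterval);
            }
        }
    }
}

// Usage inside GenerateCert, between Validate and Generate
// (3 s interval and 2 min timeout are assumed values):
//   await httpChallenge.Validate();
//   await AcmePolling.WaitForAuthorizations(
//       order, TimeSpan.FromSeconds(3), TimeSpan.FromMinutes(2));
//   var cert = await order.Generate(new CsrInfo { CommonName = dns }, privateKey);
```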

@_az Thank you very much for the help.
I adjusted the program and managed to get the correct return.
Now it is returning "invalid", but I believe this is an infrastructure problem: this machine is not the machine that responds to the requested address.
