Python, how to respond to 'Order's status ("valid") is not acceptable for finalization'

Hello,

I sometimes (non-deterministically) receive an error “Order’s status (“valid”) is not acceptable for finalization” when I try to call acme-client’s poll_and_finalize on an order. I thought the order status should be “ready” before “valid”, and in that state I can finalize it. However, I am unsure what is happening to cause it to be valid. At any rate, is it possible to “refresh” my order, so that I can see the order in Python and be able to access the certificate URI?

Acme order URI: https://acme-staging-v02.api.letsencrypt.org/acme/order/6557164/34751266

Here is the specific code I am using if it helps: https://github.com/Netflix/lemur/blob/master/lemur/plugins/lemur_acme/plugin.py#L170 . We are using DNS-01.

My domain is: 1.nflxso.netflixtest.net

Some other information that may help: There may be multiple certificate requests created for the same set of domains (These tests tend to happen as part of an integration test suite). In this scenario, will LetsEncrypt create different certificates for me, or if it sees two identical certificate requests from the same account, will it give me identical tokens and an identical cert? (If it is the latter situation, then the order may have been finalized already by another worker)

Update: I think my last paragraph describes the situation that is happening. I tried making two orders with the same set of domains, but different CSRs, and I got back the same order URI. So I have two workers that are processing the same order in this situation.

This is confusing, shouldn’t I be getting a unique order ID back since I passed in different CSRs? Could this be a bug in Boulder?

This is from the order object in Python:

Order URI 1: https://acme-staging-v02.api.letsencrypt.org/acme/order/6557164/34753790

CSR 1:
-----BEGIN CERTIFICATE REQUEST-----
MIIDBjCCAe4CAQAwga8xIzAhBgNVBAMMGiouMS5uZmx4c28ubmV0ZmxpeHRlc3Qu
bmV0MSUwIwYJKoZIhvcNAQkBFhZjY2FzdHJhcGVsQG5ldGZsaXguY29tMRYwFAYD
VQQKDA1OZXRmbGl4LCBJbmMuMRMwEQYDVQQLDApPcGVyYXRpb25zMQswCQYDVQQG
EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJTG9zIEdhdG9zMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx1mOiINHPUJMtS3LCZEiXe/R
jn4Xri7ujlA7JC+sL2RS0EhBAeSfl6mQmk9hMBuvqJ76tMnxsmtWXfTfr1U9Vmv3
GgWyKQRMxG6ROjQwDrTiwbafzwRTC1hu3FU3ktE4CcHXTMVcRfr7HUlda+vjjo5Z
AWMQv/wscvXyFTMllPkDaAjAvMn1/i315T5BIt+t+ZtjjJY6edlLEtm23uj+Ms2C
6EZb4mH47IUpDVcae0S2USIcHJPhLmI03AZOd5JuJorPj4DOHwLvw69j8ZUGQn3g
6nATVrpUfj5BDiKoGhnXszpb+9XUxPbJjI5IQbt9Q6u47/z+v7y0Bu3qF3YjkQID
AQABoBEwDwYJKoZIhvcNAQkOMQIwADANBgkqhkiG9w0BAQsFAAOCAQEASf1rttgF
2UFwfcuH/w0l9fZLFxQK7oszARHXIPFKN2t0asLb6+4FSj65ACYns+vuUYB77A1S
CPGMk9Zx7yAVmyKLBJNoqbZpCXRETebOhtyqr+lqKSSX6XQxLL3fZ5raRA5lO0x7
BHgVtf1bkNg0QQEvMMLR7MPoRW3rBYrRU2jjnpRnL8HRe6Hh32LlIE5j4TJ/JFIb
fkAS0rRwnmzL19mw8i5WFFbFbgwQ6FbAGHnK5aJXzEwI4bauQLMZyBGaprAarQOE
RKdI9ODkyhpzugImm+Wioiis7n7eTMI1qX3OtHlpWGGt92yIBOLCZgjXn8ubiXB4
nL44L5P4BP/Vjw==
-----END CERTIFICATE REQUEST-----

Order ID 2: ‘https://acme-staging-v02.api.letsencrypt.org/acme/order/6557164/34753790’
CSR 2:

-----BEGIN CERTIFICATE REQUEST-----
MIIDBjCCAe4CAQAwga8xIzAhBgNVBAMMGiouMS5uZmx4c28ubmV0ZmxpeHRlc3Qu
bmV0MSUwIwYJKoZIhvcNAQkBFhZjY2FzdHJhcGVsQG5ldGZsaXguY29tMRYwFAYD
VQQKDA1OZXRmbGl4LCBJbmMuMRMwEQYDVQQLDApPcGVyYXRpb25zMQswCQYDVQQG
EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJTG9zIEdhdG9zMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA30eTVeibkmp2Mxr00AuxCdR6
I/p/2yPOWgtsAw7nAtQHDxMGYliQU4LcusZHxR+7bJTQhmaK3JcyJnxEitj04e1a
JOLaY3LlxNvFRdsDP2T/V7uACIGdhQN8cmO3CJPoOblKqjbB2ZBhYv+8aT9f2vGJ
2ciJzBHYDeq3H4ggE11EExtSclIRdFqhV1rCsEQA50FGf8dZyE8stxcDddv4trLZ
s5jZGfCqGZ89qjIU/G7UXb67l+Wcsw82WFe4YL2kEqWFw7xZSVWIZNZNtzKhSyVa
pqhdeLntTkosGuThn4V7/ickPF+EUIVdFOTeNnQ7K7GQdAS0+5bAKELtfz8Q3wID
AQABoBEwDwYJKoZIhvcNAQkOMQIwADANBgkqhkiG9w0BAQsFAAOCAQEARLOgvG7b
y2WleaweJy6ZJ2EFIFH2ataUDtpvFINcS69A9vuzW61WPViin9r6H63EjJNABMaA
1uD8ALSEd7sXeu3OB+OvTWi7bl9zu+4aWHqccvKbQrUgFKG3Pet2qTD1CzTXds97
CzfcG9c5XeimxMcsWFpLpQQhktBBRKangbLYgcwwUg+2eDI7GVYBgOA5DCLRSnyS
5zmX27S9VTz9XgZcbm3FsOhQvGjWUQLcsQXLgv6/VpOq5AWl4nrU0UNWJnTbFHou
JhNpOwgjAb74T3rMdWBYWwuMv4rkHNKHyg/JSOnmzh9cfZ7UwjCjI0AgqiPJs21X
McPLtEGlKWQhBQ==
-----END CERTIFICATE REQUEST-----

The order is valid when the certificate was already issued.

The CSR does not identify the order, the unique set of domains does.

I think that Boulder will re-use an order if there is one that is not invalid and not deactivated.

Did you create the orders at the same time?

Yes, exactly that. RFC 8555 7.1.6 describes an order changing status from "ready" to "processing" once a finalization request is received, and from "processing" to "valid" once the certificate is issued. Only "ready" orders can be finalized so after the first finalization request is received the order can't be finalized by additional concurrent requests.

That's correct.

So if they wanted to e.g. issue dual RSA and ECDSA certificates for the same domain, I guess @CertIssuer would have to finalize the first order before creating the second one.

Yup. Unfortunately you won’t be able to issue concurrently for the same set of domain names but with a different public key or CSR extensions. The two certificates would have to be processed serially.

Thank you for the detailed insight, this has helped me understand the issue quite well.

Would there be any drawbacks with considering a hash of the CSR alongside the unique set of domain names? (Meaning that separate orders for the same set of domains would get separate tokens and be validated independently from one another). I’m open to posting in the feature requests forum if that is more appropriate, but want to make sure I haven’t missed anything.

Great, glad to help!

I don't think the increase in implementation complexity is justified or would be prioritized anytime soon.

Understood, we do have a unique use case here. Thank you!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.