I’m implementing ACME v2 in the Let’s Encrypt script for the Hiawatha webserver (as mentioned in the PHP section of the client-list page at this website). According to section 7.1 of the ACME RFC, I have to finalize the order before polling for the status. However, if I do that, the server keeps saying that the status is ‘processing’. If I poll for the status, wait for a ‘final’ and then finalize the order, I’m able to download a new certificate successfully. What am I doing wrong?
Other issue: once the status is set to ‘processing’, I have no idea what to do next. What must I do to make the server finish the certificate?
The code relevant to this issue is in ACMv2/libraries/letsencrypt.php. The polling is done at line 236, finalizing the order at line 255. Swap those blocks to reproduce the issue.
Can you show a link to an order stuck on processing?
o "processing": The server agrees that the requirements have been
fulfilled, and is in the process of generating the certificate.
Retry after the time given in the "Retry-After" header field of
the response, if any.
I tried it again this afternoon with the order as described in the RFC (finalize first, then poll for status) and guess what, it worked. I find the test server quite unreliable. Sometimes things work, sometimes they don’t. When things don’t work, I try it again next morning without changing any code and then it works. This makes debugging my own code very hard.
I did some testing again. 3 orders were handled ok, but the last I tried failed. No idea why, I didn’t change any code. The order of the steps I followed is as described in the RFC.
I had another strange thing. I did some more testing. For several websites, I could obtain a certificate. For one, the status was still ‘processing’. I removed my account key, created a new one and registered a new account. From then on, every certificate request failed. Even for the ones that worked fine with my previous account key. I changed my code to where it first does the status polling before finalizing. Now, every certificate request results in a certificate, even for that website that previously had a ‘processing’ state.
Can you please open a Boulder issue with a log showing the ACME messages sent/received during the case where every certificate status fails, and in the case where you've made the described polling change and can issue successfully? I'm not sure I understand what's going on and it would be much easier to debug with some logs. Thank you.
Were you previously finalizing the order before the authorizations were all valid? That would also create the condition in #3403 that isn't being handled correctly where an unauthorized error is returned for the finalization but the state remains processing.
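The order flow discussed in this thread, as an added example that is not part of any post or of the Hiawatha script: a client loop that finalizes only when the order is "ready" and, once it is "processing", waits for Retry-After and polls the order again. The function names, the `FakeServer` class and the acme.example URLs are constructed for illustration; the status names are the RFC 8555 order states.

```python
import time

def retry_after(headers, default=5, cap=60):
    """Delay in seconds; only the delta-seconds form of Retry-After is handled."""
    value = headers.get("Retry-After", "")
    return min(int(value), cap) if value.isdigit() else default

def next_action(order, headers):
    """Map an order's status to the single step the client may take next."""
    status = order["status"]
    if status == "pending":       # authorizations not all valid: do not finalize yet
        return "authorize", order["authorizations"]
    if status == "ready":         # the only state in which finalize is accepted
        return "finalize", order["finalize"]
    if status == "processing":    # already finalized: wait, then poll the order again
        return "wait", retry_after(headers)
    if status == "valid":
        return "download", order["certificate"]
    return "abort", order.get("error")    # "invalid" or unknown: give up on this order

def drive_order(server, sleep=time.sleep, max_polls=20):
    """Poll one order to completion; returns (certificate URL, steps taken)."""
    steps = []
    for _ in range(max_polls):
        action, arg = next_action(*server.fetch_order())
        steps.append(action)
        if action == "download":
            return arg, steps
        if action == "abort":
            raise RuntimeError(f"order failed: {arg}")
        {"authorize": server.authorize, "finalize": server.finalize, "wait": sleep}[action](arg)
    raise TimeoutError("order not valid after max_polls polls")

class FakeServer:  # constructed stand-in for an ACME server so the example runs offline
    status, polls_left = "pending", 2
    def fetch_order(self):
        if self.status == "processing":
            self.polls_left -= 1
            self.status = "processing" if self.polls_left else "valid"
        order = {"status": self.status, "authorizations": ["https://acme.example/authz/1"],
                 "finalize": "https://acme.example/order/1/finalize",
                 "certificate": "https://acme.example/cert/1"}
        return order, {"Retry-After": "3"}
    def authorize(self, urls):
        self.status = "ready"     # pretend every challenge validated
    def finalize(self, url):
        if self.status != "ready":
            raise RuntimeError("orderNotReady")
        self.status = "processing"
```

Calling `drive_order(FakeServer(), sleep=lambda s: None)` walks the order through authorize, finalize, wait and download without sleeping.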