Staging v2: order stuck in "pending" state even if authorization is "valid"

Hi there all, and thanks for the great job.

I’m trying to implement a custom client for Let’s Encrypt, but I think I’m missing something about the validation process.

I have set up the order, e.g. this one: https://acme-staging-v02.api.letsencrypt.org/acme/order/5941154/791283
It contains a single DNS authorization, which in turn contains a single dns-01 challenge.
I configured my DNS appropriately, and both the challenge and the authorization are now “valid”, as can be seen here: https://acme-staging-v02.api.letsencrypt.org/acme/authz/QSXDPHPYm1eTKMSBpfJ-sWVoqkLxhghvIDf8LDVVbK8

But still the order is “pending”. :thinking:

As far as I understand, it should be “ready”, in order to call the “finalize”, as documented here: https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html

What am I missing?

Hi @acasio,

Thanks for the question!

Please see the "Specification Divergences" section of our ACME v2 announcement post:

The “ready” state on order objects is not implemented. Orders remain “pending” when associated authorizations are all valid and finalization may occur. Client developers should check the authorization statuses to determine if the order is ready.

You should POST the finalization URL when the authorizations are all valid, even if the order remains "pending".

We've added the ready state to Boulder but haven't deployed the change yet as it breaks some popular ACME clients (notably Certbot).


Ah, that’s it! My bad, I totally missed that part…

Thank you so much for the very helpful answer.
So, if I want to stay compatible with the current behaviour and future one, I may do something like:

    if status == 'ready' or (status == 'pending' and all_authorizations_are_valid()):
        finalize()

Correct?

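The check agreed on above, carried through as an added example that is not code from this thread, from Boulder or from Pebble: the order is finalizable when the server reports "ready", or, on a server that never leaves "pending" (the Let's Encrypt v2 endpoints as described in the announcement quoted earlier), when every authorization linked from the order reports "valid". The `fetch` callable, the sample URLs and the JSON objects are constructed for illustration; a real client would fetch each resource from the ACME server instead.

```python
"""Decide when an ACME order may be finalized.

Handles both behaviours discussed in the thread:
  * spec-conformant servers that move the order to "ready", and
  * servers that keep the order "pending" even though all of its
    authorizations are already "valid".

Added example; the resources below are constructed, not real ACME objects.
"""
import time
from typing import Callable, Dict, Iterable, List

Json = Dict[str, object]
# Assumed helper type: given a resource URL, return its parsed JSON body.
Fetcher = Callable[[str], Json]

# Authorization states (per the ACME draft/RFC) from which "valid" is no longer reachable.
TERMINAL_AUTHZ_FAILURES = {"invalid", "deactivated", "expired", "revoked"}


class OrderFailed(Exception):
    """The order, or one of its authorizations, can never become finalizable."""


def order_ready_to_finalize(order: Json, authorizations: Iterable[Json]) -> bool:
    """Return True when it is appropriate to POST the order's finalize URL."""
    status = order.get("status")
    if status == "ready":
        return True  # server implements the "ready" state: nothing more to check
    if status == "invalid":
        raise OrderFailed("order is invalid")
    if status != "pending":
        return False  # "processing" / "valid": finalization already happened

    # Divergent server: order stays "pending", so inspect the authorizations ourselves.
    statuses: List[object] = [authz.get("status") for authz in authorizations]
    if not statuses:
        return False  # nothing to validate against yet; keep polling
    failed = [s for s in statuses if s in TERMINAL_AUTHZ_FAILURES]
    if failed:
        raise OrderFailed(f"authorization(s) in terminal state: {failed}")
    return all(s == "valid" for s in statuses)


def wait_until_finalizable(fetch: Fetcher, order_url: str,
                           attempts: int = 10, delay: float = 0.0) -> Json:
    """Poll the order (and its authorizations) until order_ready_to_finalize says go."""
    for _ in range(attempts):
        order = fetch(order_url)
        authzs = [fetch(url) for url in order.get("authorizations", [])]
        if order_ready_to_finalize(order, authzs):
            return order
        time.sleep(delay)
    raise TimeoutError("order did not become finalizable in time")


# Constructed sample resources standing in for what a server would return.
SAMPLE_ORDER_URL = "https://acme.example/acme/order/1"
SAMPLE_AUTHZ_URL = "https://acme.example/acme/authz/abc"
SAMPLE_RESOURCES: Dict[str, Json] = {
    SAMPLE_ORDER_URL: {
        "status": "pending",  # the divergent behaviour: pending although authz is valid
        "authorizations": [SAMPLE_AUTHZ_URL],
        "finalize": "https://acme.example/acme/finalize/1",
    },
    SAMPLE_AUTHZ_URL: {
        "status": "valid",
        "identifier": {"type": "dns", "value": "example.com"},
        "challenges": [{"type": "dns-01", "status": "valid"}],
    },
}


def fake_fetch(url: str) -> Json:
    """Offline stand-in for fetching an ACME resource."""
    return SAMPLE_RESOURCES[url]


if __name__ == "__main__":
    order = wait_until_finalizable(fake_fetch, SAMPLE_ORDER_URL)
    print("order finalizable; POST CSR to", order["finalize"])
```

Because the decision is driven by the authorization objects rather than by the order alone, the same code keeps working once the endpoints start returning "ready" (it short-circuits on that status) and on Pebble or a local Boulder with the OrderReadyStatus flag enabled.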

Happy to help!

Yup, that would work :slight_smile:

After this Pebble PR is merged you can test your client with an ACME server that returns the new "ready" status by using Pebble.

The Let's Encrypt V2 staging/prod endpoints won't have the "ready" status for a little while (keep an eye on the API announcements section to learn when that will change).

If you're running Boulder locally to test your client you can enable the "ready" status by changing the docker-compose.yml file to set BOULDER_CONFIG_DIR to test/config-next and enabling the OrderReadyStatus feature flag in config-next/sa.json: https://github.com/letsencrypt/boulder/blob/2a1cd4981a8eb3bf3137af47554e4df19c90bd8c/test/config-next/sa.json#L33

Hope that helps!

