Stuck in bad pending/processing state?

Help
1

How to solve it

[acme-v2] handled(?) rejection as errback:
Error: [acme-v2] stuck in bad pending/processing state
at pollStatus (/root/node_modules/acme-v2/node.js:327:31)
at

Error loading/registering certificate for ‘vcl.domainName.ac.kr’:
Error: [acme-v2] stuck in bad pending/processing state
at pollStatus (/root/node_modules/acme-v2/node.js:327:31)
at
[acme-v2] (E_STATE_INVALID) challenge state: ‘invalid’
[acme-v2] handled(?) rejection as errback:
Error: [acme-v2] [error] unacceptable challenge state ‘invalid’
at /root/node_modules/acme-v2/node.js:374:31
at
at process._tickCallback (internal/process/next_tick.js:160:7)
Error loading/registering certificate for ‘vcl.domainName.ac.kr’:
Error: [acme-v2] [error] unacceptable challenge state ‘invalid’
at /root/node_modules/acme-v2/node.js:374:31
at
at process._tickCallback (internal/process/next_tick.js:160:7)

comp
comp.png730×347 61.8 KB 

'use strict';
var greenlock = require('greenlock'),
ssl = greenlock.create({
	version			: 'draft-12',
	server			: 'https://acme-staging-v02.api.letsencrypt.org/directory', 
	challengeType	: 'http-01',
	email			: myMail,
	challenges		: { 'http-01' : require('le-challenge-fs').create({ webrootPath : __dirname+'/letsencrypt/var/lib/acme-challenges' }) },
	store			: require('le-store-certbot').create({ webrootPath : __dirname+'/letsencrypt/var/lib/acme-challenges' }),
	agreeTos		: true,
	approveDomains	: (opts, certs, cb) => {
		if(opts.domain ==='vcl.domainName.ac.kr'){
			opts.email = mail;
			opts.agreeTos = true;
			cb(null, { options: opts, certs: certs });
			return;
		}
	}
});

http.createServer(ssl.middleware((req, res) => {
	ssl.check({ domains : [ 'vcl.domainName.ac.kr' ] }).then( res => {
		if(res) return;
		ssl.register({
			domains		: [ 'vcl.domainName.ac.kr' ],
			email		: myMail,
			agreeTos	: true,
			rsaKeySize	: 2048,
			challengeType : 'http-01'
		})
	});
	res.writeHead(302, {
		'cache-control'	 : 'public, max-age=31536000',
		'Location' : 'https://'+req.headers.host+req.url
	});
	return res.end();
})).listen(80);
2

I’m uncertain about the error shown but you seem to have valid certs already issued (some only a few weeks ago):

image
image.png1018×276 63.4 KB

1 Like
3

They are certificates from other servers.

I want to get a certificate for the vcl.domainName.ac.kr subdomain

20181203_054249

4

Based on my reading of the acme-v2.js library used by Greenlock, it just looks like the authorization failed.

This could happen for a variety of reasons.

If you want to see what the actual reason was, you need to print out the order URL or authz URL and then look at it to see what the CA said.

For example https://acme-staging-v02.api.letsencrypt.org/acme/authz/mRFEp0iaITpXhkrdM4qKjW-AxV8uqKDgr7t8ClqsCuU , but from your actual executions.

1 Like
5

https://acme-staging-v02.api.letsencrypt.org/acme/authz/Fc7jvFdJw6T2lI2hxS2OCI0fxZqrzgNSM29B9lU5Ab8

Timeout after connect (your server may be slow or overloaded)
why?

but…

http-01 type
detail URL response

image

6

Hi @seuai

I see only timeouts ( vcl.kunsan.ac.kr - Make your website better - DNS, redirects, mixed content, certificates ):

Domainname Http-Status redirect Sec. G
http://vcl.kunsan.ac.kr/
202.31.147.139 302 https://vcl.kunsan.ac.kr/ 0.610 A
https://vcl.kunsan.ac.kr/
202.31.147.139 -14 10.023 T
Timeout - The operation has timed out
http://vcl.kunsan.ac.kr/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
202.31.147.139 -14 10.024 T
Timeout - The operation has timed out

Perhaps you use a local connection behind your firewall.

2 Likes
7

The page is not redirected to ssl.middleware. What would be the solution?

Also, how to remove 302 redirection cache from server of acme-02

8

Letsencrypt doesn't cache the redirects. But the redirect start-page http -> https isn't the problem. Letsencrypt doesn't check the start page, follows redirects and ignores certificate errors.

But this Timeout

http://vcl.kunsan.ac.kr/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

is a problem. Your server should answer. And if the file is unknown, with a http status 404, not with a timeout.

1 Like
9

image
image.png858×382 10.7 KB

.
.
.
image
image.png766×42 2.75 KB

/node_modules/greenlock/lib/middleware.js

image
image.png962×360 11.2 KB

‘err’ <- text not log

??

10

I don't know what this Greenlock does.

But the answers of your site are terrible. Tested online - 300 seconds timeout. This should be impossible because I have defined a global timeout of 10 seconds.

Tested local - a redirect to /MFD, then a redirect to /, then a redirect to /.

Is there a Bot detection software which is wrong? Or a firewall with curious tests?

11

This was caused by a server cache bug and redirect problem was resolved, but the certificate is still not issued normally

https://acme-staging-v02.api.letsencrypt.org/acme/authz/zp3oFqfC_IX7WmRtv_qzrLo72mrrZcaJ68J0fhKna3c

12

You need to create a new order for this set of identifers. Once an order is status "invalid" because an associated authorization had an invalid challenge it is effectively immutable. You need to start over with a new order.

1 Like
13

Your server is buggy. Yesterday I looked deeper why your server created a 300 second - timeout.

Then I found an option of my HttpWebRequest: ReadWriteTimeout with a standard value of 300 seconds.

Changed that to 10 seconds -> to test your site needs only ~~30 - 40 seconds, 3 timeouts with 10 seconds.

You must remove or change this bot detection software which blocks connections.

14

@cpu
@JuergenAuer

After initializing the server os, I installed Apache and tried this again, but the same problem occurs

%EC%A0%9C%EB%AA%A9-%EC%97%86%EC%9D%8C-2
제목-없음-2.png739×488 19.1 KB

15

Check your site with a browser:

http://vcl.kunsan.ac.kr/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

After a long time:

SmartFilterMessage

kr
kr949×447 6.22 KB

If this isn't your server, it's your provider who blocks the access.

Source code of this page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=http://www.nasol.co.kr/ -->
<HTML lang=ja><HEAD><TITLE>SmartXFilter Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
<META http-equiv=Content-Style-Type content=text/css>
<META http-equiv=Content-Script-Type content=text/javascript>
<META content=noindex,nofollow name=robots>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Cache-Control content=no-cache>
<META http-equiv=Expires content=0>
<STYLE type=text/css>BODY {
	PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 20px 0px 0px; PADDING-TOP: 0px
}
TD {
	FONT-SIZE: 80%; COLOR: #666666
}
TD H2 {
	FONT-WEIGHT: bold; FONT-SIZE: 120%; MARGIN: 0.3em 0px 0px; COLOR: #666666
}
.head {
	BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; FONT-SIZE: 14px; BORDER-LEFT: #cccccc 1px solid; COLOR: #666666; BORDER-BOTTOM: #cccccc 1px solid; WHITE-SPACE: nowrap; BACKGROUND-COLOR: #ffffcc
}
.border {
	BORDER-RIGHT: #339966 3px outset; PADDING-RIGHT: 0px; BORDER-TOP: #339966 3px outset; PADDING-LEFT: 0px; BACKGROUND: #ffffff; PADDING-BOTTOM: 0px; MARGIN: 0px; BORDER-LEFT: #339966 3px outset; PADDING-TOP: 0px; BORDER-BOTTOM: #339966 3px outset
}
IMG {
	MARGIN: 3px 0px 0px
}
</STYLE>

</HEAD>
<BODY>
<DIV align=center>
<TABLE class=border cellSpacing=8 cellPadding=5 width=520 summary=message border=0>
  <TBODY>
  <TR>
    <TD></TD></TR>
  <TR>
    <TD></TD></TR>
  <TR>
  <TR>
    <TD></TD></TR>
  <TR>
    <TD></TD></TR>
  <TR>
    <TD></TD></TR>
    <TD align=center>
            <H2>Sorry</H2>
    </TD></TR>
  <TR>
    <TD align=middle>&nbsp</TD></TR>
  <TR>
    <TD align=middle>&nbsp</TD></TR></TBODY></TABLE></DIV></BODY></HTML>

<br clear="all">
</BODY></HTML>
2 Likes
16

Hi, @JuergenAuer

I’m this server’s administrator and received this link from @seuai
I know this problem has occurred timeout during the domain cert process.

SmartFilterMessage is sent through ISP’s Firewall Server but another servers successed this cert process.
ISP’s Firewall Server detects in/outbound packet.
This detection also applies to same subnet.
but… We didn’t see this page…

I see below picture.
it’s same screen another subnet, mobile, vpn.

kr-capture
2018-12-04-vcl.kunsan.ac.kr-capture.PNG763×107 4.4 KB

SmartFilterMessage that above picture is occurred many connection like DDoS.
It’s Firewall’s Miss.

I report SmartFilter’s problem to ISP.

17

Thanks. You see the correct content, no timeout.

But the curious thing: It happens with the first try.

The server sends an answer, but doesn't complete it. So yesterday / earlier my online tool ( vcl.kunsan.ac.kr - Make your website better - DNS, redirects, mixed content, certificates ) reported a 300 seconds timeout.

So I added a ReadWriteTimeout, now my query stops after 10 seconds.

18

Thanks. It's perfect site!!

But I think, your web code is filtered ISP's Firewall because your packet is not logged vcl server.
I will also report this situation to ISP administrators.

Can I think that the connection of your code is the same as that of Let'sEncrypt?

19

Yes, it happens even from a simple wget or curl request (on the first try).

The "SmartFilterMessage" needs to "go back to school" - lol

20

For some purposes about DNS it might be a little different, but @rg305's observation shows that it's similar enough to diagnose your problem here.

1 Like