Stuck in bad pending/processing state?


#1

How to solve it

[acme-v2] handled(?) rejection as errback:
Error: [acme-v2] stuck in bad pending/processing state
at pollStatus (/root/node_modules/acme-v2/node.js:327:31)
at

Error loading/registering certificate for ‘vcl.domainName.ac.kr’:
Error: [acme-v2] stuck in bad pending/processing state
at pollStatus (/root/node_modules/acme-v2/node.js:327:31)
at
[acme-v2] (E_STATE_INVALID) challenge state: ‘invalid’
[acme-v2] handled(?) rejection as errback:
Error: [acme-v2] [error] unacceptable challenge state ‘invalid’
at /root/node_modules/acme-v2/node.js:374:31
at
at process._tickCallback (internal/process/next_tick.js:160:7)
Error loading/registering certificate for ‘vcl.domainName.ac.kr’:
Error: [acme-v2] [error] unacceptable challenge state ‘invalid’
at /root/node_modules/acme-v2/node.js:374:31
at
at process._tickCallback (internal/process/next_tick.js:160:7)

'use strict';
var http = require('http');                     // was missing: http.createServer() is used below
var myMail = 'PLACEHOLDER@example.com';         // was never defined; fill in the real contact address
var greenlock = require('greenlock'),
ssl = greenlock.create({
	version			: 'draft-12',
	server			: 'https://acme-staging-v02.api.letsencrypt.org/directory',
	challengeType	: 'http-01',
	email			: myMail,
	challenges		: { 'http-01' : require('le-challenge-fs').create({ webrootPath : __dirname+'/letsencrypt/var/lib/acme-challenges' }) },
	store			: require('le-store-certbot').create({ webrootPath : __dirname+'/letsencrypt/var/lib/acme-challenges' }),
	agreeTos		: true,
	approveDomains	: (opts, certs, cb) => {
		if(opts.domain ==='vcl.domainName.ac.kr'){
			opts.email = myMail;                    // was `mail`, an undefined variable
			opts.agreeTos = true;
			cb(null, { options: opts, certs: certs });
			return;
		}
		// The callback was never invoked for any other host, so those requests hung forever.
		cb(new Error('domain not approved: ' + opts.domain));
	}
});

http.createServer(ssl.middleware((req, res) => {
	// `existing` was named `res` before and shadowed the response object used below.
	ssl.check({ domains : [ 'vcl.domainName.ac.kr' ] }).then( existing => {
		if(existing) return;
		return ssl.register({
			domains		: [ 'vcl.domainName.ac.kr' ],
			email		: myMail,
			agreeTos	: true,
			rsaKeySize	: 2048,
			challengeType : 'http-01'
		});
	}).catch( err => console.error('certificate error:', err) ); // rejections were silently dropped before
	res.writeHead(302, {
		// Note: an explicit max-age on a 302 lets browsers cache the redirect for a year.
		'cache-control'	 : 'public, max-age=31536000',
		'Location' : 'https://'+req.headers.host+req.url
	});
	return res.end();
})).listen(80);

#2

I’m uncertain about the error shown but you seem to have valid certs already issued (some only a few weeks ago):


#3

They are certificates from other servers.

I want to get a certificate for the vcl.domainName.ac.kr subdomain



#4

Based on my reading of the acme-v2.js library used by Greenlock, it just looks like the authorization failed.

This could happen for a variety of reasons.

If you want to see what the actual reason was, you need to print out the order URL or authz URL and then look at it to see what the CA said.

For example https://acme-staging-v02.api.letsencrypt.org/acme/authz/mRFEp0iaITpXhkrdM4qKjW-AxV8uqKDgr7t8ClqsCuU , but from your actual executions.
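Added example (not from the thread and not Greenlock's own code): given the body of an authz URL like the one referred to above, this pulls out the CA's verdict for each challenge and whether a fresh order is needed. The authz JSON is a constructed sample in the RFC 8555 authorization format; its domain, token, URLs and address are made up.

```javascript
'use strict';

// Constructed sample of an ACME authorization object (RFC 8555, section 7.1.4),
// shaped like the JSON a CA returns for an authz URL. All values are made up.
const SAMPLE_AUTHZ = JSON.stringify({
  identifier: { type: 'dns', value: 'vcl.domainName.ac.kr' },
  status: 'invalid',
  expires: '2018-12-10T05:42:49Z',
  challenges: [
    {
      type: 'http-01',
      status: 'invalid',
      url: 'https://acme-staging-v02.api.letsencrypt.org/acme/challenge/EXAMPLE-ID/0',
      token: 'EXAMPLE-TOKEN',
      error: {
        type: 'urn:ietf:params:acme:error:connection',
        detail: 'Timeout after connect (your server may be slow or overloaded)',
        status: 400
      },
      validationRecord: [{
        url: 'http://vcl.domainName.ac.kr/.well-known/acme-challenge/EXAMPLE-TOKEN',
        hostname: 'vcl.domainName.ac.kr', port: '80', addressUsed: '203.0.113.10'
      }]
    },
    { type: 'dns-01', status: 'pending',
      url: 'https://acme-staging-v02.api.letsencrypt.org/acme/challenge/EXAMPLE-ID/1',
      token: 'EXAMPLE-TOKEN-2' }
  ]
});

// Reduce the authorization to what a diagnosis needs: the CA's own verdict per
// challenge, the URL and address it actually tried, and whether to start over.
function summarizeAuthz(authzJson) {
  const authz = JSON.parse(authzJson);
  const challenges = (authz.challenges || []).map((c) => {
    const rec = Array.isArray(c.validationRecord) ? c.validationRecord[0] : null;
    return {
      type: c.type,
      status: c.status,
      // RFC 8555 problem document: `type` is a URN, `detail` is human-readable.
      error: c.error ? c.error.type + ': ' + c.error.detail : null,
      triedUrl: rec ? rec.url : null,
      addressUsed: rec ? rec.addressUsed : null
    };
  });
  // An 'invalid' authorization never recovers; the order it belongs to must be replaced.
  return { identifier: authz.identifier.value, status: authz.status,
           challenges: challenges, needsNewOrder: authz.status === 'invalid' };
}
```

Stand-alone, fetch the authz URL your client logs and pass the response body to `summarizeAuthz`; the `error` field then shows the CA's reason (here, a connection timeout) rather than the client's generic "stuck in bad pending/processing state".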


#5

https://acme-staging-v02.api.letsencrypt.org/acme/authz/Fc7jvFdJw6T2lI2hxS2OCI0fxZqrzgNSM29B9lU5Ab8

Timeout after connect (your server may be slow or overloaded)
why?

but…

http-01 type
detail URL response



#6

Hi @seuai

I see only timeouts ( https://check-your-website.server-daten.de/?q=vcl.kunsan.ac.kr ):


Domainname (IP)                                                     Http-Status   redirect                    Sec.     G
http://vcl.kunsan.ac.kr/ (202.31.147.139)                           302           https://vcl.kunsan.ac.kr/   0.610    A
https://vcl.kunsan.ac.kr/ (202.31.147.139)                          -14                                       10.023   T   Timeout - The operation has timed out
http://vcl.kunsan.ac.kr/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (202.31.147.139)
                                                                    -14                                       10.024   T   Timeout - The operation has timed out

Perhaps you use a local connection behind your firewall.


#7

The page is not redirected to ssl.middleware. What would be the solution?

Also, how do I remove the 302 redirection cache from the acme-02 server?


#8

Letsencrypt doesn’t cache the redirects. But the redirect start-page http -> https isn’t the problem. Letsencrypt doesn’t check the start page, follows redirects and ignores certificate errors.

But this Timeout

http://vcl.kunsan.ac.kr/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

is a problem. Your server should answer. And if the file is unknown, with an http status 404, not with a timeout.


#9



/node_modules/greenlock/lib/middleware.js

‘err’ <- text not log

??


#10

I don’t know what this Greenlock does.

But the answers of your site are terrible. Tested online - 300 seconds timeout. This should be impossible because I have defined a global timeout of 10 seconds.

Tested local - a redirect to /MFD, then a redirect to /, then a redirect to /.

Is there bot detection software that is wrong? Or a firewall with curious tests?


#11

This was caused by a server cache bug, and the redirect problem was resolved, but the certificate is still not issued normally.

https://acme-staging-v02.api.letsencrypt.org/acme/authz/zp3oFqfC_IX7WmRtv_qzrLo72mrrZcaJ68J0fhKna3c


#12

You need to create a new order for this set of identifiers. Once an order is status “invalid” because an associated authorization had an invalid challenge it is effectively immutable. You need to start over with a new order.


#13

Your server is buggy. Yesterday I looked deeper into why your server created a 300 second timeout.

Then I found an option of my HttpWebRequest: ReadWriteTimeout with a standard value of 300 seconds.

Changed that to 10 seconds -> testing your site now needs only ~30 - 40 seconds, 3 timeouts with 10 seconds.

You must remove or change this bot detection software which blocks connections.


#14

@cpu
@JuergenAuer

After initializing the server OS, I installed Apache and tried this again, but the same problem occurs.


#15

Check your site with a browser:

http://vcl.kunsan.ac.kr/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

After a long time:

SmartFilterMessage

If this isn’t your server, it’s your provider who blocks the access.

Source code of this page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=http://www.nasol.co.kr/ -->
<HTML lang=ja><HEAD><TITLE>SmartXFilter Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
<META http-equiv=Content-Style-Type content=text/css>
<META http-equiv=Content-Script-Type content=text/javascript>
<META content=noindex,nofollow name=robots>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Cache-Control content=no-cache>
<META http-equiv=Expires content=0>
<STYLE type=text/css>BODY {
	PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 20px 0px 0px; PADDING-TOP: 0px
}
TD {
	FONT-SIZE: 80%; COLOR: #666666
}
TD H2 {
	FONT-WEIGHT: bold; FONT-SIZE: 120%; MARGIN: 0.3em 0px 0px; COLOR: #666666
}
.head {
	BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; FONT-SIZE: 14px; BORDER-LEFT: #cccccc 1px solid; COLOR: #666666; BORDER-BOTTOM: #cccccc 1px solid; WHITE-SPACE: nowrap; BACKGROUND-COLOR: #ffffcc
}
.border {
	BORDER-RIGHT: #339966 3px outset; PADDING-RIGHT: 0px; BORDER-TOP: #339966 3px outset; PADDING-LEFT: 0px; BACKGROUND: #ffffff; PADDING-BOTTOM: 0px; MARGIN: 0px; BORDER-LEFT: #339966 3px outset; PADDING-TOP: 0px; BORDER-BOTTOM: #339966 3px outset
}
IMG {
	MARGIN: 3px 0px 0px
}
</STYLE>

</HEAD>
<BODY>
<DIV align=center>
<TABLE class=border cellSpacing=8 cellPadding=5 width=520 summary=message border=0>
  <TBODY>
  <TR>
    <TD></TD></TR>
  <TR>
    <TD></TD></TR>
  <TR>
  <TR>
    <TD></TD></TR>
  <TR>
    <TD></TD></TR>
  <TR>
    <TD></TD></TR>
    <TD align=center>
            <H2>Sorry</H2>
    </TD></TR>
  <TR>
    <TD align=middle>&nbsp</TD></TR>
  <TR>
    <TD align=middle>&nbsp</TD></TR></TBODY></TABLE></DIV></BODY></HTML>

<br clear="all">
</BODY></HTML>



#16

Hi, @JuergenAuer

I’m this server’s administrator and received this link from @seuai.
I know this problem, a timeout, occurred during the domain cert process.

SmartFilterMessage is sent through the ISP’s firewall server, but other servers succeeded with this cert process.
The ISP’s firewall server inspects inbound/outbound packets.
This detection also applies to the same subnet.
But… we didn’t see this page…

I see the picture below.
It’s the same screen from another subnet, mobile and VPN.

The SmartFilterMessage in the picture above is triggered by many connections, like a DDoS.
It’s the firewall’s mistake.

I will report SmartFilter’s problem to the ISP.


#17

Thanks. You see the correct content, no timeout.

But the curious thing: It happens with the first try.

The server sends an answer, but doesn’t complete it. So yesterday / earlier my online tool ( https://check-your-website.server-daten.de/?q=vcl.kunsan.ac.kr ) reported a 300 seconds timeout.

So I added a ReadWriteTimeout, now my query stops after 10 seconds.


#18

Thanks. It’s a perfect site!!

But I think your web requests are filtered by the ISP’s firewall, because your packets are not logged on the vcl server.
I will also report this situation to the ISP administrators.

Can I assume that the connection from your code is the same as that of Let’s Encrypt?


#19

Yes, it happens even from a simple wget or curl request (on the first try).

The “SmartFilterMessage” needs to “go back to school” - lol


#20

For some purposes about DNS it might be a little different, but @rg305’s observation shows that it’s similar enough to diagnose your problem here.