Stuck pending while trying to

Infro · May 30, 2025, 7:38pm

My domain is:
infro.trade
Doing wildcard certificate request for *.infro.trade and *.winwinhelp.org
I setup a CNAME which nslookup results in:
_acme-challenge.winwinhelp.org canonical name = _acme-challenge.infro.trade

I ran this command:
Custom python script for dns-01

It produced this output:
Doing any of the challenge urls always results in status pending even though I have the TXT record with the response.

{'identifier': {'type': 'dns', 'value': 'infro.trade'},
  'status': 'pending',
  'expires': '2025-06-06T17:48:34Z',
  'challenges': [{'type': 'dns-01',
    'url': 'https://acme-v02.api.letsencrypt.org/acme/chall/2176.../5282.../EHjA...',
    'status': 'pending',
    'token': 'pgRW....'}],
  'wildcard': True}

Two separate methods to generate the TXT record were used and come back with the same results.
Verification script I ran to ensure I was generating the correct TXT record (I've tried both quoted and unquoted TXT records)

Running the below python script resulted in the reported token length of 43 and the challenge response of uWsKsHpO7hzjOY2nIZD2PStLQoooGJtjkyvlBc7B1Hs

from acme.challenges import DNS01
import josepy
import cryptography.hazmat.primitives.serialization as serialization
with open('account.key', 'rb') as f:
    key = serialization.load_pem_private_key(f.read(), None)
token=josepy.decode_b64jose('pgRW....')
print(len('pgRW....'))
msg = DNS01(token=token)
key = josepy.JWKRSA(key = key)
print(msg.validation(key))

If I try and finalize I obviously get an error {'type': 'urn:ietf:params:acme:error:orderNotReady', 'detail': 'Order\'s status ("pending") is not acceptable for finalization', 'status': 403}

I last ran this notebook in January with the following results:

[{'url': 'https://acme-v02.api.letsencrypt.org/acme/order/2176....35/3454....',
  'result': {'status': 'valid',
   'expires': '2025-01-25T04:23:58Z',
   'identifiers': [{'type': 'dns', 'value': '*.infro.trade'},
    {'type': 'dns', 'value': '*.winwinhelp.org'},
    {'type': 'dns', 'value': 'infro.trade'},
    {'type': 'dns', 'value': 'winwinhelp.org'}],
   'authorizations': ['https://acme-v02.api.letsencrypt.org/acme/authz/2176....5/4623....35',
    'https://acme-v02.api.letsencrypt.org/acme/authz/2176....5/4623....45',
    'https://acme-v02.api.letsencrypt.org/acme/authz/2176....5/4623....55',
    'https://acme-v02.api.letsencrypt.org/acme/authz/2176....5/4623....65'],
   'finalize': 'https://acme-v02.api.letsencrypt.org/acme/finalize/2176..../3454....',
   'certificate': 'https://acme-v02.api.letsencrypt.org/acme/cert/03a5....'}}]

Any other information that needs to be provided?

jvanasco · May 30, 2025, 7:42pm

This indicates you have not triggered a validation attempt for the challenge.

When the validation attempt is triggered, the pending state of the challenge will transition to processing.

See RFC 8555 - Automatic Certificate Management Environment (ACME) Section 7.1.6 Status Changes

Infro · May 30, 2025, 8:16pm

Thank you, that let me figure out I needed to send a payload of {} rather than an empty payload...

jvanasco · May 30, 2025, 8:29pm

That is a very common mistake! I have gotten tripped up by that too.

{} will trigger the validation attempt.
An empty payload will poll the endpoint for a status change.

Topic		Replies	Views
Dns-01 challenge in pending state Help	2	489	May 22, 2022
DNS-01 pending state stuck Help	4	1368	July 28, 2021
Stuck at "Pending" when using DNS challenge Help	11	5896	September 22, 2016
DNS Challenge is "pending" 2 days Help	16	5155	January 5, 2020
DNS verification fails - stuck in "pending" Help	2	1454	April 28, 2017

Stuck pending while trying to

Related topics