"The challenge is not pending" error results in an abnormal exit


#1

In an attempt to renew a client certificate with many SANs, some of them have problems and result in a “The challenge is not pending” error which never expires.

2 issues here:

  • What is this error and why is it happening?
  • When this error occurred with --allow-subsets-of-names, the certificate is requested for renewal with the hosts in error removed; HOWEVER, the challenge response still shows those errors. Certbot then logs the error “Exiting abnormally” and never exits.

My domain is: minodien.sexy.easyzmenek.com

I ran this command: /usr/local/certbot/certbot-auto --standalone --http-01-port 1402 --preferred-challenges http -n renew --renew-hook /renew-hook.sh --force-renewal --cert-name minodien.sexy.easyzmenek.com

It produced this output:

2018-03-13 09:17:06,907:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/Kj462l4uiFMf3zDdiVl0BrgxfBWEsMelgtdELuifESg/3800103023:
2018-03-13 09:17:07,384:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/challenge/Kj462l4uiFMf3zDdiVl0BrgxfBWEsMelgtdELuifESg/3800103023 HTTP/1.1” 400 132
2018-03-13 09:17:07,385:DEBUG:acme.client:Received response:
HTTP 400
Server: nginx
Content-Type: application/problem+json
Content-Length: 132
Boulder-Requester: 13948881
Replay-Nonce: p1fCIbijXNdK12TuXEnLHH6NVSCTNqAaAA4i2ZH7ZQM
Expires: Tue, 13 Mar 2018 09:17:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 13 Mar 2018 09:17:07 GMT
Connection: close

{
“type”: “urn:acme:error:malformed”,
“detail”: “Unable to update challenge :: The challenge is not pending.”,
“status”: 400
}
2018-03-13 09:17:07,386:DEBUG:acme.client:Storing nonce: p1fCIbijXNdK12TuXEnLHH6NVSCTNqAaAA4i2ZH7ZQM
2018-03-13 09:17:07,386:WARNING:certbot.renewal:Attempting to renew cert (minodien.sexy.easyzmenek.com) from /etc/letsencrypt/renewal/minodien.sexy.easyzmenek.com.conf produced an unexpected error: urn:acme:error:malformed :: The request message was malformed :: Unable to update challenge :: The challenge is not pending… Skipping.
2018-03-13 09:17:07,388:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 422, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1102, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 113, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 297, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 313, in obtain_certificate
return self.obtain_certificate(successful_domains)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 299, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 335, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(resp, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 153, in _respond
active_achalls = self._send_responses(resp, chall_update)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 179, in _send_responses
self.acme.answer_challenge(achall.challb, resp)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py”, line 153, in answer_challenge
response = self._post(challb.uri, response)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py”, line 90, in _post
return self.net.post(*args, **kwargs)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py”, line 1069, in post
return self._post_once(*args, **kwargs)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py”, line 1083, in _post_once
return self._check_response(response, content_type=content_type)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py”, line 943, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:malformed :: The request message was malformed :: Unable to update challenge :: The challenge is not pending.

2018-03-13 09:17:07,388:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-03-13 09:17:07,388:ERROR:certbot.renewal: /etc/letsencrypt/live/minodien.sexy.easyzmenek.com/fullchain.pem (failure)
2018-03-13 09:17:07,388:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1266, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1179, in renew
renewal.handle_renewal_request(config)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 443, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version): standalone, proxied from NGINX 1.10

The operating system my web server runs on is (include version): Debian stretch

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

I’m getting the exact same error. I also run very large SAN certs with the following options:
certbot-auto certonly --expand -n --no-hsts --no-redirect --no-uir --allow-subset-of-names --webroot -w /usr/share/nginx/html

2018-03-15 17:00:10,119:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
load_entry_point(‘letsencrypt==0.7.0’, ‘console_scripts’, ‘letsencrypt’)()
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py”, line 1266, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py”, line 1157, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py”, line 113, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/renewal.py”, line 297, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py”, line 308, in obtain_certificate
return self.obtain_certificate(successful_domains)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py”, line 294, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py”, line 330, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(resp, best_effort)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py”, line 153, in _respond
active_achalls = self._send_responses(resp, chall_update)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py”, line 179, in _send_responses
self.acme.answer_challenge(achall.challb, resp)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/acme/client.py”, line 153, in answer_challenge
response = self._post(challb.uri, response)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/acme/client.py”, line 90, in _post
return self.net.post(*args, **kwargs)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/acme/client.py”, line 1069, in post
return self._post_once(*args, **kwargs)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/acme/client.py”, line 1083, in _post_once
return self._check_response(response, content_type=content_type)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/acme/client.py”, line 943, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:acme:error:malformed :: The request message was malformed :: Unable to update challenge :: The challenge is not pending.
2018-03-15 17:00:10,138:ERROR:certbot.log:An unexpected error occurred:
2018-03-15 17:00:10,138:ERROR:certbot.log:The request message was malformed :: Unable to update challenge :: The challenge is not pending.
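
To see which challenge URL a rejection belongs to in a long debug log like the ones quoted above, each "Sending POST request" line can be paired with the problem document in the response that follows it. This is an added example, not part of any post in this thread and not certbot code; the function name `rejected_posts`, the sample log, and its URLs are constructed.

```python
import json
import re

# Constructed sample in the layout of the debug log quoted above (shortened;
# hosts and challenge URLs are placeholders, real logs use straight quotes).
SAMPLE_LOG = """\
2018-03-13 09:17:06,907:DEBUG:acme.client:Sending POST request to https://acme.example/acme/challenge/AAAA/1:
{"protected": "...", "payload": "...", "signature": "..."}
2018-03-13 09:17:07,385:DEBUG:acme.client:Received response:
HTTP 400
Content-Type: application/problem+json

{
  "type": "urn:acme:error:malformed",
  "detail": "Unable to update challenge :: The challenge is not pending.",
  "status": 400
}
2018-03-13 09:17:07,386:DEBUG:acme.client:Storing nonce: constructed-nonce-1
2018-03-13 09:17:08,001:DEBUG:acme.client:Sending POST request to https://acme.example/acme/challenge/BBBB/2:
{"protected": "...", "payload": "...", "signature": "..."}
2018-03-13 09:17:08,200:DEBUG:acme.client:Received response:
HTTP 202
Content-Type: application/json

{"type": "http-01", "status": "pending"}
"""

# A record starts with "timestamp:LEVEL:logger:"; continuation lines do not.
RECORD = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+:[A-Z]+:[\w.]+:", re.M)
POST = re.compile(r"Sending POST request to (\S+?):?$")


def rejected_posts(log_text):
    """Pair each ACME problem document with the URL of the POST it answers."""
    starts = [m.start() for m in RECORD.finditer(log_text)]
    findings, last_url = [], None
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        head, _, body = log_text[begin:end].partition("\n")
        sent = POST.search(head)
        if sent:
            last_url = sent.group(1)
        elif "Received response:" in head and "application/problem+json" in body:
            problem = json.loads(body[body.index("{"):body.rindex("}") + 1])
            findings.append((last_url, problem.get("type"), problem.get("detail")))
    return findings


if __name__ == "__main__":
    for url, kind, detail in rejected_posts(SAMPLE_LOG):
        print(url, kind, detail, sep="\n  ")
```
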


#3

@schoen is this an issue from LE?

Believe I’ve seen them before.


#4

It does sound like it could be a Let’s Encrypt bug where the challenge lifetime is timing out on too aggressive a schedule for large certificates. @jsha, have you encountered this phenomenon before? Could you explain the method used to calculate how long a challenge is considered pending?


#5

@schoen I have also been experiencing this issue for several days. Nothing has changed on the system except the LE client (certbot) on March 8th. This is really an issue, as it now blocks a number of other scripts.


#6

Certbot has updated today. The issue hasn’t recurred yet.

