Using sympl-ssl, getting status "not acceptable for finalization"

My domain is:
newdealstringband.com (but there are others on the same server, see below)

I ran this command:
sudo sympl-ssl --verbose newdealstringband.com

It produced this output:

* Examining certificates for newdealstringband.com
	SSL set 0: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 1: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 2: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 3: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 4: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 5: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 6: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 7: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 8: Not valid for newdealstringband.com -- certificate has expired (10)
	Current SSL set 13: signed by /C=US/O=Let's Encrypt/CN=R3, expires 2022-01-02 00:50:57 UTC
	The current certificate expires in 26 days.
	Fetching a new certificate from LetsEncrypt.
	Requesting verification for newdealstringband.com from https://acme-v02.api.letsencrypt.org/directory
	Successfully verified newdealstringband.com
	Requesting verification for www.newdealstringband.com from https://acme-v02.api.letsencrypt.org/directory
	Successfully verified www.newdealstringband.com
	!! Failed: Order's status ("pending") is not acceptable for finalization

My web server is (include version):
Apache/2.4.38

The operating system my web server runs on is (include version):
Debian 10.11

My hosting provider, if applicable, is:
Bytemark

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I'm not quite sure how to answer this. The documentation here SSL Configuration Reference - Sympl Wiki says, in one place, Sympl uses the ACMEv02 endpoint with Let's Encrypt — but elsewhere on the same page it says that it's possible to specify the endpoint, and says Defaults to https://acme-v01.api.letsencrypt.org/directory.

Importantly, I do not see this error on every domain on the server. Other domain names that do show this error are:

7.hogsedge.net
blazingstrings.co.uk
hogsedge.net
hogsedge.org
longhillramblers.com
pepperpaley.com

I'll be very grateful for any advice! Thank you.
Ben

1 Like

This question means to ask the version of the ACME client used, in your case sympl-ssl :wink:

Unfortunately the output of your client isn't helping very much. As far as I know, when an orders status is "pending", the client should do more stuff to make the status "ready". I'm not sure why it errors out due to this state?

Are you running the most recent version of sympl-ssl? Does sympl-ssl have an even more verbose log, as this "verbose" output is lacking important information?

3 Likes

Thanks Osiris,

I'm fairly confident that everything is bang up-to-date. I run apt-get update and apt-get upgrade regularly. Running sudo apt list --installed shows sympl-updater/buster,now 10.0.190621.0 all [installed,automatic]. The docs for sympl-updater say Installs and configures unattended-upgrades which automatically installs security updates and updates to Sympl.

The man page for sympl-ssl exists, but is blank. I've tried various combinations of switches like --verbose --verbose, -vv and so on, without any success. It looks as though I might need to ask the Sympl people, doesn't it?

Thanks again for your help,
Ben

2 Likes

Does it perhaps use a log file where more info can be found?

They might have some more insight into how sympl-ssl works, I recon. So I would try that too if I were you.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.