Certbot’s actual behavior is it will never deactivate authorizations.
We could maybe change this and have Certbot deactivate authorizations if it encounters an error between obtaining the authorizations from the CA and sending the challenge responses, but that adds a fair bit of complexity client side, may defeat the benefits of Automatic recycling of pending authorizations server side, and to be honest, is something the core Certbot team wouldn’t have time to implement for quite a while.
Regardless of that, to try and give you some info to help you work around the problem in the meantime, I’ll summarize and add to some of the above info and say:
- The webroot issue only occurs if you’re issuing a certificate for a domain that still has a valid authorization. Let’s Encrypt’s authorizations have a 30 day lifetime while its certificates are valid for 90 days so to hit this webroot issue, you’re issuing another certificate for a domain well before its expiration. This could be due to setting `--force-renewal` or `--renew-by-default` on the command line or global configuration file or by having multiple certificate lineages (separate directories in `/etc/letsencrypt/live`) containing the same domain. Unsetting a command line flag is simple enough, but if it’s the latter problem and you don’t need certificates like that, I recommend running a command like `certbot certificates` to look for duplicates and then running `certbot delete --cert-name <cert name>` where `<cert name>` is given to you by the `certbot certificates` command.
- Certbot will only leak pending authorizations if it crashes during the window I described above. It crashing at this time could be due to the webroot issue or your scripts killing Certbot. If I were you, once you have the current pending authorization problem solved (either through your own scripts or waiting a week), I’d run `certbot renew ...` once and look through the log for messages like `Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error` and fix up the problems that occurred.
I hope that helps!
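
The two checks suggested in the post above, as an added example that is not part of the original post and is not Certbot's own code: it finds domains that appear in more than one certificate lineage in `certbot certificates` output and pulls failed renewals out of a log. The sample text is constructed, the layout of the `certbot certificates` listing is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of `certbot certificates` output (layout assumed).
SAMPLE_CERTS = """\
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2018-03-01 10:00:00+00:00 (VALID: 60 days)
  Certificate Name: example.com-0001
    Domains: example.com
    Expiry Date: 2018-03-20 10:00:00+00:00 (VALID: 79 days)
  Certificate Name: example.org
    Domains: example.org, mail.example.org
    Expiry Date: 2018-02-10 10:00:00+00:00 (VALID: 41 days)
"""

# Constructed log lines; the message wording is the one quoted in the post.
SAMPLE_LOG = """\
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: constructed failure text. Skipping.
Cert not yet due for renewal
"""

def duplicate_domains(text):
    """Map each domain found in more than one lineage to those lineage names."""
    owners = defaultdict(list)
    name = None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Certificate Name":
            name = value.strip()
        elif key == "Domains" and name:
            # Accept space- or comma-separated domain lists.
            for domain in re.split(r"[,\s]+", value.strip()):
                if domain and name not in owners[domain.lower()]:
                    owners[domain.lower()].append(name)
    return {d: n for d, n in owners.items() if len(n) > 1}

FAILED = re.compile(r"Attempting to renew cert \((?P<name>[^)]+)\) from "
                    r"(?P<conf>\S+) produced an unexpected error")

def failed_renewals(log_text):
    """Return (cert name, renewal conf path) for each failed renewal logged."""
    return [(m["name"], m["conf"]) for m in FAILED.finditer(log_text)]

if __name__ == "__main__":
    for domain, names in sorted(duplicate_domains(SAMPLE_CERTS).items()):
        print(f"{domain}: {', '.join(names)}")
    for name, conf in failed_renewals(SAMPLE_LOG):
        print(f"renewal failed: {name} ({conf})")
```

Each lineage name reported for a duplicated domain is a candidate for `certbot delete --cert-name <cert name>` if that certificate is not needed.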