On 2025/03/12 12:00, Stuart Henderson wrote:
> Sorry I don't have a diff for this.
> 
> I just had a renewal on letsencrypt staging fail; status went from
> PENDING->READY->PROCESSING when acme-client netproc was expecting only
> INVALID/VALID/PENDING/READY.

Bit this again today.

> From https://www.rfc-editor.org/rfc/rfc8555#page-48
> 
>    o  "processing": The certificate is being issued.  Send a POST-as-GET
>       request after the time given in the Retry-After header field of
>       the response, if any.
> 
> Ordering again worked. Presumably, with current lifetimes, daily
> cronjobs are likely to result in a working order before expiry - so it's
> not urgent at the moment - but with the trajectory of reduced lifetimes
> I think it will become more important to handle in a single run of
> acme-client.
> 
> I suspect we see this a) when CA issuance is running slowly or b) if
> there's a CA bug where it doesn't move to INVALID correctly (there are
> reports in the past of orders getting stuck on PROCESSING) so actually
> reproducing on an internet CA is likely to be awkward, but also it would
> seem prudent to cap any retries either by number of attempts or overall
> time.
> 
> Redacted -vv output:
> 
> acme-client: /etc/ssl/private/(domain).key: loaded domain key
> acme-client: /etc/acme/letsencrypt-staging-privkey.pem: loaded account key
> acme-client: /etc/ssl/(domain).crt: certificate renewable: 29 days left
> acme-client: https://acme-staging-v02.api.letsencrypt.org/directory: 
> directories
> acme-client: acme-staging-v02.api.letsencrypt.org: DNS: 172.65.46.172
> acme-client: acme-staging-v02.api.letsencrypt.org: DNS: 
> 2606:4700:60:0:f41b:d4fe:4325:6026
> acme-client: transfer buffer: [{
>   "Np6Hc1INlmg": 
> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
>   "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
>   "meta": {
>     "caaIdentities": [
>       "letsencrypt.org"
>     ],
>     "profiles": {
>       "classic": "https://letsencrypt.org/docs/profiles#classic",
>       "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not 
> yet generally available)",
>       "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver (not yet 
> generally available)"
>     },
>     "termsOfService": 
> "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
>     "website": "https://letsencrypt.org/docs/staging-environment/"
>   },
>   "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
>   "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
>   "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
>   "renewalInfo": 
> "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
>   "revokeCert": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
> }] (1116 bytes)
> acme-client: account key: 
> https://acme-staging-v02.api.letsencrypt.org/acme/acct/(acct)
> acme-client: transfer buffer: [{
>   "key": {
>     "kty": "RSA",
>     "n": "(redacted)",
>     "e": "(redacted)"
>   },
>   "createdAt": "2020-02-04T11:54:20Z",
>   "status": "valid"
> }] (808 bytes)
> acme-client: transfer buffer: [{
>   "status": "pending",
>   "expires": "2025-03-19T11:08:03Z",
>   "identifiers": [
>     {
>       "type": "dns",
>       "value": "(domain)"
>     }
>   ],
>   "authorizations": [
>     "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
>   ],
>   "finalize": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
> }] (364 bytes)
> acme-client: dochngreq: 
> https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)
> acme-client: transfer buffer: [{
>   "identifier": {
>     "type": "dns",
>     "value": "(domain)"
>   },
>   "status": "pending",
>   "expires": "2025-03-19T11:08:03Z",
>   "challenges": [
>     {
>       "type": "http-01",
>       "url": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
>       "status": "pending",
>       "token": "(token)"
>     },
>     {
>       "type": "tls-alpn-01",
>       "url": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
>       "status": "pending",
>       "token": "(token)"
>     },
>     {
>       "type": "dns-01",
>       "url": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
>       "status": "pending",
>       "token": "(token)"
>     }
>   ]
> }] (843 bytes)
> acme-client: challenge, token: (token), uri: 
> https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted),
>  status: 0
> acme-client: /var/www/letsencrypt/.well-known/acme-challenge/(token): created
> acme-client: 
> https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted):
>  challenge
> acme-client: transfer buffer: [{
>   "type": "http-01",
>   "url": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
>   "status": "pending",
>   "token": "(token)"
> }] (200 bytes)
> acme-client: transfer buffer: [{
>   "status": "pending",
>   "expires": "2025-03-19T11:08:03Z",
>   "identifiers": [
>     {
>       "type": "dns",
>       "value": "(domain)"
>     }
>   ],
>   "authorizations": [
>     "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
>   ],
>   "finalize": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
> }] (364 bytes)
> acme-client: order.status 0
> acme-client: dochngreq: 
> https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)
> acme-client: transfer buffer: [{
>   "identifier": {
>     "type": "dns",
>     "value": "(domain)"
>   },
>   "status": "valid",
>   "expires": "2025-04-11T11:08:06Z",
>   "challenges": [
>     {
>       "type": "http-01",
>       "url": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
>       "status": "valid",
>       "validated": "2025-03-12T11:08:05Z",
>       "token": "(token)",
>       "validationRecord": [
>         {
>           "url": "http://(domain)/.well-known/acme-challenge/(token)",
>           "hostname": "(domain)",
>           "port": "80",
>           "addressesResolved": [
>             "(ip)"
>           ],
>           "addressUsed": "(ip)"
>         }
>       ]
>     }
>   ]
> }] (786 bytes)
> acme-client: challenge, token: (token), uri: 
> https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted),
>  status: 2
> acme-client: transfer buffer: [{
>   "status": "ready",
>   "expires": "2025-03-19T11:08:03Z",
>   "identifiers": [
>     {
>       "type": "dns",
>       "value": "(domain)"
>     }
>   ],
>   "authorizations": [
>     "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
>   ],
>   "finalize": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
> }] (362 bytes)
> acme-client: order.status 1
> acme-client: 
> https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final): 
> certificate
> acme-client: transfer buffer: [{
>   "status": "processing",
>   "expires": "2025-03-19T11:08:03Z",
>   "identifiers": [
>     {
>       "type": "dns",
>       "value": "(domain)"
>     }
>   ],
>   "authorizations": [
>     "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
>   ],
>   "finalize": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
> }] (367 bytes)
> acme-client: transfer buffer: [{
>   "status": "processing",
>   "expires": "2025-03-19T11:08:03Z",
>   "identifiers": [
>     {
>       "type": "dns",
>       "value": "(domain)"
>     }
>   ],
>   "authorizations": [
>     "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
>   ],
>   "finalize": 
> "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
> }] (367 bytes)
> acme-client: order.status 2
> acme-client: unhandled status: 2
> acme-client: bad exit: netproc(18700): 1
> 
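
Added example (not part of the original message and not acme-client's own code): one way to handle "processing" as the RFC text quoted above describes, polling after Retry-After while capping both the number of attempts and the overall wait, as the message suggests. The fetch hook, the cap values and the fake CA are assumptions of this example.

```c
#include <string.h>
/* Order states from RFC 8555; the enum names are this example's own. */
enum order_status { ORD_PENDING, ORD_READY, ORD_PROCESSING, ORD_VALID, ORD_INVALID, ORD_UNKNOWN };
#define POLL_MAX_TRIES	10	/* cap on number of attempts (assumed value) */
#define POLL_MAX_SECS	120	/* cap on overall wait (assumed value) */
#define POLL_DEFAULT	3	/* wait when Retry-After is absent */
#define POLL_MAX_WAIT	30	/* clamp on a server-supplied Retry-After */

/* Hypothetical transport hook: POST-as-GET the order URL, return its "status"
 * string and store the Retry-After seconds (0 if the header is absent). */
typedef const char *(*fetch_fn)(void *ctx, int *retry_after);
static enum order_status order_status_parse(const char *s) {
	static const char *names[] = { "pending", "ready", "processing", "valid", "invalid" };
	for (int i = 0; i < 5; i++)
		if (strcmp(s, names[i]) == 0) return (enum order_status)i;
	return ORD_UNKNOWN;	/* caller treats an unknown status as an error */
}

/* Poll while the order is "processing". Returns the first other status seen,
 * or ORD_PROCESSING if a cap was hit; *waited gets the seconds slept. */
static enum order_status order_poll(fetch_fn fetch, void *ctx, void (*nap)(int), int *waited) {
	enum order_status st = ORD_PROCESSING;
	*waited = 0;
	for (int i = 0; i < POLL_MAX_TRIES; i++) {
		int ra = 0;
		st = order_status_parse(fetch(ctx, &ra));
		if (st != ORD_PROCESSING) return st;
		if (ra <= 0) ra = POLL_DEFAULT;
		if (ra > POLL_MAX_WAIT) ra = POLL_MAX_WAIT;
		if (*waited + ra > POLL_MAX_SECS) break;	/* would exceed time cap */
		nap(ra);
		*waited += ra;
	}
	return st;
}

/* Constructed sample: a CA that says "processing" N times, then "valid". */
struct fake_ca { int remaining; int retry_after; };
static const char *fake_fetch(void *ctx, int *retry_after) {
	struct fake_ca *ca = ctx;
	*retry_after = ca->retry_after;
	return ca->remaining-- > 0 ? "processing" : "valid";
}
static void no_nap(int secs) { (void)secs; }	/* stand-in for sleep(3) */

int main(void) {
	struct fake_ca ca = { 2, 5 };
	int waited, st = order_poll(fake_fetch, &ca, no_nap, &waited);
	return st == ORD_VALID && waited == 10 ? 0 : 1;
}
```

A return of ORD_PROCESSING means a cap was reached, so the caller can exit with an error and leave the retry to the next scheduled run.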
