ACME.js attempts to POST challenges repeatedly rather than GET the authorization status #9

Open
opened 2021-04-07 11:01:17 +00:00 by sam-lord · 2 comments

Noticed that when testing Greenlock.js against the Pebble ACME server (official testing server for ACME protocol), I received the following error repeatedly:

> [acme-v2] mydomain.local status:400 Cannot update challenge with status valid, only status pending

It appears as though another ACME client had the same issue: https://github.com/letsencrypt/pebble/issues/133

Works without errors when used against live / staging, but the speed of localhost demonstrates the issue. The issue above explains the correct flow for these requests to avoid errors.

--

BTW, relative novice here w.r.t ACME & Greenlock

Author

Seems like this issue can be solved in `ACME._postChallenge` in the `checkResult` function by adding 'pending' to the possible states that result in `pollStatus` getting called. I'll submit a patch for this soon.

Subsequent error is that the finalize URL is called twice - if the ACME server validates the challenge in the initial call then any further calls will error with a 403 because you can't finalize an already valid certificate. Trying to determine whether there's a POST-as-GET alternative for `ACME._pollOrderStatus` - looking at other implementations

Author

So `ACME._pollOrderStatus` should use the same GET on `order._orderUrl` as was used in `ACME._postChallenge`. I've made a patch for this locally and it works great.

I'll tidy it up a bit and create a PR.
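
The flow discussed in this thread, as an added example that is not part of the original issue and is not ACME.js or Pebble code: the challenge is POSTed once, after which the client only reads the authorization with POST-as-GET until it is `valid`. The mock server, the URLs `/chal/1` and `/authz/1`, and all function names are constructed for illustration; the mock is assumed to reject any challenge POST once the challenge has left `pending`.

```javascript
// Constructed in-memory stand-in for an ACME server (not Pebble's code).
// validateAfter: authorization polls needed before validation completes.
function makeMockServer(validateAfter) {
  const chal = { status: 'pending' };
  const authz = { status: 'pending' };
  const log = [];
  let polls = 0;
  const finish = () => { chal.status = authz.status = 'valid'; };
  // payload '' is POST-as-GET (read only); payload {} responds to the challenge.
  function post(url, payload) {
    log.push((payload === '' ? 'POST-as-GET ' : 'POST ') + url);
    if (url === '/authz/1') {
      if (chal.status === 'processing' && ++polls >= validateAfter) finish();
      return { code: 200, body: { status: authz.status } };
    }
    if (chal.status !== 'pending') {
      return { code: 400, body: { detail: 'Cannot update challenge with status ' +
        chal.status + ', only status pending' } };
    }
    chal.status = 'processing';
    if (validateAfter === 0) finish(); // fast localhost-style validation
    return { code: 200, body: { status: chal.status } };
  }
  return { log, post };
}

// Flow the issue asks for: respond once, then only read the authorization.
function respondThenPoll(server, maxPolls) {
  const first = server.post('/chal/1', {});
  if (first.code !== 200) throw new Error(first.body.detail);
  for (let i = 0; i < maxPolls; i++) {
    const res = server.post('/authz/1', '');
    if (res.body.status === 'valid') return 'valid';
    if (res.body.status === 'invalid') throw new Error('authorization failed');
    // 'pending' or 'processing': poll again (a real client waits between polls)
  }
  throw new Error('authorization still not valid after ' + maxPolls + ' polls');
}

// Failure mode from the issue: re-POSTing the challenge instead of polling.
function repostChallenge(server, attempts) {
  let last;
  for (let i = 0; i < attempts; i++) last = server.post('/chal/1', {});
  return last;
}
```

With `validateAfter` set to 0 the mock validates as quickly as a localhost server does, which is the case where a second challenge POST is rejected.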

Reference: root/acme.js#9