ebekker / ACMESharp

An ACME client library and PowerShell client for the .NET platform (Let's Encrypt)
https://pkisharp.github.io/ACMESharp-docs/

ACME Challenge remains in a pending state. #90

Open dynamite-ready opened 8 years ago

dynamite-ready commented 8 years ago

Following the quickstart instructions here - https://github.com/ebekker/ACMESharp/wiki/Quick-Start - I managed to get to Step 6b of the manual http authentication process, but when I check the status of the request with the Update-ACMEIdentifier dns1 -ChallengeType http-01 command, the challenge request remains in a pending state:

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier     : www.example.com
Uri            : https://acme-v01.api.letsencrypt.org/acme/authz/#myhash
Status         : pending
Expires        : 16/02/2016 00:00:00
Challenges     : {manual, , }
Combinations   : {1, 0, 2}

I've been checking on the status every 10 minutes for the past hour, but it's still pending. The quickstart instructions suggest that the process should take between a few seconds and a few minutes.

Is this an ACME server issue, or an uninformative error response?

I've also raised this query as a SO question - http://stackoverflow.com/questions/35302044/letsencrypt-acmesharp-client-challenge-in-pending-state-for-over-an-hour - and in the client section of the Let's Encrypt community forum - https://community.letsencrypt.org/t/letsencrypt-acmesharp-client-challenge-in-pending-state-for-over-an-hour/10579

bseddon commented 8 years ago

The challenge you have requested is probably not in a pending state, but the first one is. You will see there are three possible challenges (dns, tls and http). If you output the individual challenges you will probably see that the http challenge has been validated. Try:

(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges

To list the details of all three challenges including the individual statuses. The one you have used, http-01, may be shown as valid.

bseddon commented 8 years ago

By the way, you can visit the uri (https://acme-v01.api.letsencrypt.org/acme/authz/#myhash) in your example, to see the status as the Let's Encrypt servers have it. You will see the uri displays some data in a JSON format. Look for "type":"http-01" in the displayed text and the status will be shown next to it.

dynamite-ready commented 8 years ago

That's immensely helpful! Thank you.

mafacz commented 8 years ago

I had the same issue, that it stayed in pending state when running the Update-ACMEIdentifier dns1 -ChallengeType http-01 command. Only with the url was I able to see the status of the challenge. If this is intended functionality, then I suggest changing the description in step 6b.

bseddon commented 8 years ago

Yes, it will be helpful to users to learn they need to execute a command like this to see the state of the http-01 challenge:

(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}

Maybe by leaving this command here it will help someone in the meantime.

sysadmiral commented 8 years ago

I've updated the wiki to include this update so that it is clearer for users.

@ebekker - Is this ok - https://github.com/ebekker/ACMESharp/wiki/Quick-Start/0f3da4f01a002fc0ff28c907c23813f8de02ea4b

ebekker commented 8 years ago

There seems to be still some issue with updating the overall status of the Identifier Challenge versus the individual Challenge Types. I thought I had addressed this issue already (#72), but seemingly not.

The idea is that an ACME server may require that more than one Challenge is satisfied, for example, both DNS and HTTP, in order to prove domain ownership, and that's why there is a distinction between the status of the individual status, and an overall status. However, with LE, they currently only require any one of their supported types to be satisfied, so for the time being that kludge should be OK, but I'll have to get to the bottom of the real problem.
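
As an added example (not part of the thread and not ACMESharp's own code), the PowerShell below parses an authorization object shaped like the JSON served at the authz Uri and reports each challenge's status alongside whether any entry in `combinations` is fully valid. The JSON is a constructed sample whose statuses mirror the situation described in the thread, and the function name `Get-AuthzSummary` is hypothetical.

```powershell
# Constructed sample shaped like an ACME v1 authorization object
# (not real server output; statuses mirror the case in this thread).
$authzJson = @'
{
  "identifier": { "type": "dns", "value": "www.example.com" },
  "status": "pending",
  "challenges": [
    { "type": "dns-01",     "status": "pending" },
    { "type": "http-01",    "status": "valid"   },
    { "type": "tls-sni-01", "status": "pending" }
  ],
  "combinations": [ [1], [0], [2] ]
}
'@

# Hypothetical helper: summarises an authorization from its JSON text.
function Get-AuthzSummary {
    param([Parameter(Mandatory)][string]$Json)

    $authz      = $Json | ConvertFrom-Json
    $challenges = @($authz.challenges)

    # Each combination is a list of indexes into "challenges".
    # It is satisfied only when every challenge it names is "valid".
    $satisfied = $false
    foreach ($combo in $authz.combinations) {
        $indexes    = @($combo)
        $notValid   = @($indexes | Where-Object { $challenges[$_].status -ne 'valid' })
        if ($indexes.Count -gt 0 -and $notValid.Count -eq 0) {
            $satisfied = $true
            break
        }
    }

    [pscustomobject]@{
        Identifier           = $authz.identifier.value
        ReportedStatus       = $authz.status      # top-level status as given in the JSON
        CombinationSatisfied = $satisfied         # derived from the individual challenges
        Challenges           = ($challenges |
            ForEach-Object { '{0}={1}' -f $_.type, $_.status }) -join ', '
    }
}

Get-AuthzSummary -Json $authzJson | Format-List
```

To check a live authorization, pass the JSON body returned from the Uri shown in the `Update-ACMEIdentifier` output in place of the constructed sample.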