polhenarejos / acme_email

ACME Email Client for EmailReply-00 Challenge
https://acme.castle.cloud
GNU General Public License v3.0

"status: pending" persists forever after an ACME response was sent successfully #40

Open hrs-allbsd opened 6 months ago

hrs-allbsd commented 6 months ago

POST requests to https://acme.castle.cloud:443/acme/authz/xxx always return with "status: pending," and eventually, cli.py fails with the "All authorizations were not finalized by the CA" error message. This is almost the same symptom as #39. Is this a problem on the server side, or is something wrong with the client? The log file was something like this:

2024-04-10 01:29:57,533:DEBUG:acme.client:Sending POST request to https://acme.castle.cloud/acme/authz/LpyA01qwQLP:
{
  "protected": "xxx",
  "signature": "xxx",
  "payload": ""
}
2024-04-10 01:29:57,874:DEBUG:urllib3.connectionpool:https://acme.castle.cloud:443 "POST /acme/authz/xxx HTTP/1.1" 200 None
2024-04-10 01:29:57,874:DEBUG:acme.client:Received response:
HTTP 200
Date: Tue, 09 Apr 2024 16:29:57 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
location: https://acme.castle.cloud/acme/authz/xxx
replay-nonce: xxx
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: same-origin
vary: Origin
access-control-allow-origin: *
strict-transport-security: max-age=7776000
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jxxx"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 871be1032d29f68d-NRT
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400

{"status": "pending", "expires": "2024-04-10T16:14:09.501Z", "identifier": {"type": "dns", "value": "foo@example.com"}, "challenges": [{"url": "https://acme.castle.cloud/acme/chall/xxx", "type": "email-reply-00", "token": "xxx", "status": "processing", "from": "acme+xxx@castle.cloud"}]}
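The authorization object quoted above is what certbot keeps polling until it gives up. The following is an added example, not code from acme_email or certbot, using only the Python standard library and a constructed copy of that JSON (token, URL suffixes and addresses are placeholders). It classifies an authorization by the RFC 8555 authorization states, distinguishes "CA still validating the reply" (challenge `processing`) from "no reply received yet" (challenge `pending`), stops when the `expires` time has passed, and reproduces the give-up path that ends in the "All authorizations were not finalized by the CA." error.

```python
"""Classify ACME authorization responses for the email-reply-00 flow.

Added example for this issue thread; not part of acme_email or certbot.
"""
import json
from datetime import datetime, timezone

# Authorization states from RFC 8555 section 7.1.6; once one of these is
# reached the client stops polling and either finalizes or gives up.
FINAL_AUTHZ_STATES = {"valid", "invalid", "deactivated", "expired", "revoked"}

# Constructed sample modelled on the response quoted in the issue.
# Token, URL suffixes and addresses are placeholders, not real values.
SAMPLE_PENDING = json.dumps({
    "status": "pending",
    "expires": "2024-04-10T16:14:09.501Z",
    "identifier": {"type": "dns", "value": "foo@example.com"},
    "challenges": [{
        "url": "https://acme.castle.cloud/acme/chall/PLACEHOLDER",
        "type": "email-reply-00",
        "token": "PLACEHOLDER-TOKEN",
        "status": "processing",
        "from": "acme+PLACEHOLDER@castle.cloud",
    }],
})

# Constructed "happy path" body: same authorization after the CA accepted the reply.
_valid = json.loads(SAMPLE_PENDING)
_valid["status"] = "valid"
_valid["challenges"][0]["status"] = "valid"
SAMPLE_VALID = json.dumps(_valid)

# Clock values used by the demo: one before, one after the sample's expiry.
SAMPLE_NOW = datetime(2024, 4, 9, 16, 29, 57, tzinfo=timezone.utc)
SAMPLE_LATE = datetime(2024, 4, 11, 0, 0, 0, tzinfo=timezone.utc)


class AuthorizationError(Exception):
    """Raised when polling gives up; wording mirrors the traceback in the thread."""


def parse_acme_time(ts: str) -> datetime:
    """ACME timestamps are RFC 3339; 'Z' must be rewritten for fromisoformat on 3.10 and older."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_authz(body: str, now: datetime) -> dict:
    """Return what a client should do next with one authorization response body."""
    authz = json.loads(body)
    status = authz.get("status", "pending")
    by_type = {c["type"]: c.get("status", "pending") for c in authz.get("challenges", [])}
    chall = by_type.get("email-reply-00", "absent")
    expires = parse_acme_time(authz["expires"]) if "expires" in authz else None

    if status in FINAL_AUTHZ_STATES:
        action, reason = "stop", f"authorization is {status}"
    elif expires is not None and now >= expires:
        action, reason = "stop", "authorization expired while still pending"
    elif chall == "processing":
        action, reason = "poll", "CA has a reply and is still validating it"
    elif chall == "pending":
        action, reason = "poll", "CA has not yet matched a reply to the challenge"
    else:
        action, reason = "poll", f"email-reply-00 challenge is {chall}"
    return {"action": action, "authz_status": status,
            "challenge_status": chall, "reason": reason}


def poll_until_final(responses, now: datetime, max_retries: int) -> dict:
    """Walk one response body per poll and return the classification that stopped polling.

    Raises AuthorizationError once max_retries polls have all come back
    non-final, which is the path the traceback in this thread shows.
    """
    for attempt, body in enumerate(responses, start=1):
        result = classify_authz(body, now)
        if result["action"] == "stop":
            return result
        if attempt >= max_retries:
            break
    raise AuthorizationError("All authorizations were not finalized by the CA.")


if __name__ == "__main__":
    print(classify_authz(SAMPLE_PENDING, SAMPLE_NOW))
    print(poll_until_final([SAMPLE_PENDING, SAMPLE_VALID], SAMPLE_NOW, max_retries=3))
    try:
        poll_until_final([SAMPLE_PENDING] * 3, SAMPLE_NOW, max_retries=3)
    except AuthorizationError as exc:
        print("gave up:", exc)
```

In the responses quoted in this thread the authorization is `pending` while the challenge is `processing`, so a client following this logic keeps polling until its retry budget runs out; only a `valid` or `invalid` authorization, or a passed `expires`, ends the loop early. Note that the responses above carry no `Retry-After` header, so the polling interval is entirely the client's choice.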

Gradinko commented 4 months ago

I have the same issue using the interactive approach with version 0.14.1. See the command I ran:

python3 cli.py cert --config-dir . --work-dir . --logs-dir . -e XX@XX.com --XX@XX.com --usage digitalSignature --usage keyEncipherment --usage contentCommitment --usage keyAgreement --passphrase XXXXXXXXXXX

I get the email and send the requested response back and wait until I am met with:

2024-06-06 10:20:20,202:DEBUG:urllib3.connectionpool:https://acme.castle.cloud:443 "POST /acme/authz/gwQ4NzSQf5W HTTP/1.1" 200 None
2024-06-06 10:20:20,203:DEBUG:acme.client:Received response:
HTTP 200
Date: Thu, 06 Jun 2024 14:20:20 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
location: https://acme.castle.cloud/acme/authz/gwQ4NzSQf5W
replay-nonce: 6dKdx70DRXjdfIzdBHyTnA
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: same-origin
vary: Origin
access-control-allow-origin: *
strict-transport-security: max-age=7776000
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qdDsiCTv2GJy62I1GfeuVS8se0sIryxkuU2syI%2BVsxm5QZ6WkzCiF2KfrfFG7e1rUvmxp8BBk5fp5zBu6H2M71BSqS1q7NzEwkMnxRWs4gcQTGlX7HR1LKmSuA3E3YkZdcJKCQiQuyvv0AXcuWxkaQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88f90ae18e68233b-ORD
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400

{"status": "pending", "expires": "2024-06-07T14:18:27.737Z", "identifier": {"type": "dns", "value": "XX@XX.com"}, "challenges": [{"url": "https://acme.castle.cloud/acme/chall/5hQVEAke23U", "type": "email-reply-00", "token": "XXXXXXXX", "status": "processing", "from": "acme+0hM3PIhKkYw@castle.cloud"}]}
2024-06-06 10:20:20,203:DEBUG:acme.client:Storing nonce: XXXXX
2024-06-06 10:20:20,208:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/private/tmp/acme_email-0.14.1/venv/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/private/tmp/acme_email-0.14.1/venv/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 216, in _poll_authorizations
    raise errors.AuthorizationError('All authorizations were not finalized by the CA.')
certbot.errors.AuthorizationError: All authorizations were not finalized by the CA.

2024-06-06 10:20:20,209:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-06-06 10:20:20,209:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-06-06 10:20:20,209:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/private/tmp/acme_email-0.14.1/cli.py", line 264, in <module>
    main(args)
  File "/private/tmp/acme_email-0.14.1/cli.py", line 202, in main
    request_cert(args, config)
  File "/private/tmp/acme_email-0.14.1/cli.py", line 124, in request_cert
    cert_path, chain_path, fullchain_path = certbot_main._csr_get_and_save_cert(config, le_client)
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/private/tmp/acme_email-0.14.1/venv/lib/python3.12/site-packages/certbot/_internal/main.py", line 1516, in _csr_get_and_save_cert
    cert, chain = le_client.obtain_certificate_from_csr(csr)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/private/tmp/acme_email-0.14.1/venv/lib/python3.12/site-packages/certbot/_internal/client.py", line 334, in obtain_certificate_from_csr
    orderr = self._get_order_and_authorizations(csr.data, best_effort=False)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/private/tmp/acme_email-0.14.1/venv/lib/python3.12/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/private/tmp/acme_email-0.14.1/venv/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/private/tmp/acme_email-0.14.1/venv/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 216, in _poll_authorizations
    raise errors.AuthorizationError('All authorizations were not finalized by the CA.')
certbot.errors.AuthorizationError: All authorizations were not finalized by the CA.
2024-06-06 10:20:20,213:ERROR:certbot._internal.log:All authorizations were not finalized by the CA.

Gradinko commented 4 months ago

For what it's worth, I re-ran the same code and encountered the following error:

An unexpected error occurred:
wrong keyUsage extension

After I removed the --usage keyAgreement flag, it correctly issued the certificate.