shred / acme4j

Java client for ACME (Let's Encrypt)
https://acme4j.shredzone.org
Apache License 2.0

The challenge status is always "INVALID" #133

Closed fsl1994 closed 1 year ago

fsl1994 commented 1 year ago

Hello, I have a question for you. One of my domain names generated a certificate; after polling for verification, the status of the current challenge has been "PENDING", even though the verification file (http://%s/.well-known/acme-challenge/%s) can be accessed. Why is the challenge validation always "PENDING"? Can you provide any possible reasons? Looking forward to your reply.


shred commented 1 year ago

The reason might be too much of optimizing... :wink:

This is an extract of your code:

while (status != Status.VALID && attempts-- > 0) {
  if (status == Status.INVALID) {
     Debug.logInfo("...");
  }
  Thread.sleep(3000L);
  challenge.update();
}

In the while condition you check if the status variable changes to VALID. But inside the loop you never write a new status to the variable, so it will never change its value.

You could try this:

  challenge.update();
  status = challenge.getStatus();

Does it fix your issue?

fsl1994 commented 1 year ago

Thank you very much. I'll try. I am not familiar with this framework, and this code was copied from the test example you provided. I would like to ask another question: is it possible that the problem is the domain name? However, the domain name I want to test and its DNS resolution are all correct. This domain name was bought from a relatively small domain name service provider.

shred commented 1 year ago

Your code is similar to my example, but it has a major difference: instead of invoking challenge.getStatus() it only reads a status variable. This is causing the problem.

Your code might have worked in the past. However, Let's Encrypt is switching to an asynchronous finalization process, which means that the order status is now "processing" first, which is the behavior that you are seeing. I recommend changing your code, because it definitely won't work like that with the asynchronous finalization.

I don't know if Let's Encrypt has some kind of "negative list" for domain names, but I think it is very unlikely that the domain name (or the domain seller) is a problem here.
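A complete polling loop along the lines of the fix above, added here as an example and not code from the acme4j project or its author. It assumes acme4j 3.x (where Challenge.getError() returns an Optional<Problem>) and that the caller has already invoked challenge.trigger(); the status is re-read from the challenge after every update(), INVALID is treated as terminal rather than retried, and PENDING/PROCESSING keep polling up to a bounded number of attempts.

```java
import java.time.Duration;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.exception.AcmeException;

public final class ChallengePoller {

    private static final Duration POLL_INTERVAL = Duration.ofSeconds(3);
    private static final int MAX_ATTEMPTS = 10;

    /**
     * Polls the challenge until the CA reports a terminal state.
     * Returns normally only when the challenge became VALID; throws on
     * INVALID or when the attempt budget is exhausted.
     * Assumes challenge.trigger() was already called by the caller.
     */
    public static void awaitValidation(Challenge challenge)
            throws AcmeException, InterruptedException {
        // The status must be re-read from the challenge object after each
        // update(); a cached local copy never changes (the bug in this thread).
        Status status = challenge.getStatus();
        for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
            if (status == Status.VALID) {
                return;
            }
            if (status == Status.INVALID) {
                // INVALID is terminal: polling the same challenge again will
                // not change it, so surface the CA's problem document instead.
                String reason = challenge.getError()
                        .map(Object::toString)
                        .orElse("no error detail supplied by the CA");
                throw new AcmeException("Challenge failed: " + reason);
            }
            // PENDING, or PROCESSING under Let's Encrypt's asynchronous
            // finalization: wait, then fetch the current resource from the CA.
            Thread.sleep(POLL_INTERVAL.toMillis());
            challenge.update();
            status = challenge.getStatus(); // read the refreshed status
        }
        throw new AcmeException("Challenge still " + status
                + " after " + MAX_ATTEMPTS + " attempts");
    }
}
```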

fsl1994 commented 1 year ago

Got it, thank you.

shred commented 1 year ago

You're welcome! If there is still a problem after you changed your code, feel free to reopen this bug.