Open cowwoc opened 1 week ago
For errors on multiple identifiers, the CA is supposed to use subproblems (see RFC 8555 Section 6.7.1). Maybe it would be more useful to adapt this, e.g. by collecting all problems into sub-problems of a newly created parent problem.
@shred That sounds like the right way to go. So for reference, I'm using Let's Encrypt's staging server, using the http-01 challenge, and requesting a certificate for two domains (e.g. `foo.redacted.com` and `redacted.com`).

In my case, `order.getStatus()` returns `INVALID` but `order.getError()` returns `Optional.empty()`. I believe this is a bug (maybe in Let's Encrypt) because if you invoke `order.getAuthorizations()` you will get two entries, one of which returns this JSON:
```json
{
  "identifier": {
    "type": "dns",
    "value": "foo.redacted.app"
  },
  "status": "invalid",
  "expires": "2024-10-22T16:38:07Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14439560183/-pBobg",
      "status": "invalid",
      "validated": "2024-10-15T16:38:07Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "104.247.245.31: Fetching https://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo: Connection refused",
        "status": 400
      },
      "token": "JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
      "validationRecord": [
        {
          "url": "http://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
          "hostname": "foo.redacted.app",
          "port": "80",
          "addressesResolved": [
            "104.247.245.31",
            "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
          ],
          "addressUsed": "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
        },
        {
          "url": "http://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
          "hostname": "foo.redacted.app",
          "port": "80",
          "addressesResolved": [
            "104.247.245.31",
            "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
          ],
          "addressUsed": "104.247.245.31"
        },
        {
          "url": "https://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
          "hostname": "foo.redacted.app",
          "port": "443",
          "addressesResolved": [
            "104.247.245.31",
            "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
          ],
          "addressUsed": "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
        }
      ]
    }
  ]
}
```
Regardless of who's at fault, it would be better if acme4j returned a `Problem` with one sub-problem per failed authorization. Agreed?
If you order a certificate for multiple domains, you will end up with multiple `Problem`s (one per challenge that failed). Can you please have `AcmeServerException` accept a list of problems? You can keep the existing methods, if necessary, and have them return the first entry in the list. You can add new methods `getTypes()` and `getProblems()` to return the new list.