When challenge is in "valid" state setChallenge shouldn't be called again. #11

Nový úkol

zavřený

otevřeno 2019-01-17 15:18:01 +00:00 uživatelem Ghost · 16 komentářů

Ghost okomentoval 2019-01-17 15:18:01 +00:00

Kopírovat odkaz

hi,

According to letsencrypt, the challenge is valid for 30 days.
in acmev2.js implementation, setChallenge is always called, even if the challenge is in valid status.
The expected behavior was to finalize the order immediately without trying to set the challenge again.

hi, According to letsencrypt, the challenge is valid for 30 days. in `acmev2.js` implementation, `setChallenge` is always called, even if the challenge is in `valid` status. The expected behavior was to finalize the order immediately without trying to set the challenge again.

Ghost okomentoval 2019-01-21 07:12:38 +00:00

Autor

Kopírovat odkaz

Seeing this error as well:

{"type":"error","text":"Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...\nRequested: 'api.nginx, admin.nginx, nginx'\nValidated: 'api.nginx, admin.nginx, nginx'\n{\n  \"type\": \"urn:ietf:params:acme:error:malformed\",\n  \"detail\": \"Order's status (\\\"valid\\\") was not ready\",\n  \"status\": 400\n}\n\nPlease open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js"}],"stack":"Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...\nRequested: 'api.nginx, admin.nginx, nginx'\nValidated: 'api.nginx, admin.nginx, nginx'\n{\n  \"type\": \"urn:ietf:params:acme:error:malformed\",\n  \"detail\": \"Order's status (\\\"valid\\\") was not ready\",\n  \"status\": 400\n}\n\nPlease open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js\n    at /api/node_modules/acme-v2/node.js:547:29\n    at <anonymous>\n    at process._tickCallback (internal/process/next_tick.js:189:7)"}

When testing with Pebble using version draft-11 & draft-12.

Seeing this error as well: ```json {"type":"error","text":"Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...\nRequested: 'api.nginx, admin.nginx, nginx'\nValidated: 'api.nginx, admin.nginx, nginx'\n{\n \"type\": \"urn:ietf:params:acme:error:malformed\",\n \"detail\": \"Order's status (\\\"valid\\\") was not ready\",\n \"status\": 400\n}\n\nPlease open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js"}],"stack":"Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...\nRequested: 'api.nginx, admin.nginx, nginx'\nValidated: 'api.nginx, admin.nginx, nginx'\n{\n \"type\": \"urn:ietf:params:acme:error:malformed\",\n \"detail\": \"Order's status (\\\"valid\\\") was not ready\",\n \"status\": 400\n}\n\nPlease open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js\n at /api/node_modules/acme-v2/node.js:547:29\n at <anonymous>\n at process._tickCallback (internal/process/next_tick.js:189:7)"} ``` When testing with [Pebble](https://github.com/letsencrypt/pebble/) using version draft-11 & draft-12.

Ghost okomentoval 2019-01-21 11:26:18 +00:00

Autor

Kopírovat odkaz

I think it can be easily fixed by adding the condition:

            return challenge.status === 'valid' ? Promise.resolve() : ACME._postChallenge(me, options, results.identifier, challenge);

to the end of:

          return ACME._getChallenges(me, options, authUrl).then(function (results) {

I think it can be easily fixed by adding the condition: ``` return challenge.status === 'valid' ? Promise.resolve() : ACME._postChallenge(me, options, results.identifier, challenge); ``` to the end of: ``` return ACME._getChallenges(me, options, authUrl).then(function (results) { ```

Ghost okomentoval 2019-01-26 20:58:39 +00:00

Autor

Kopírovat odkaz

I tried @cojalvo's recommendation but it didn't help. Here's a more complete debug log:

[acme-v2.js] challenge accepted!
{ 'cache-control': 'public, max-age=0, no-cache',
  'content-type': 'application/json; charset=utf-8',
  link:
   '<https://pebble:14000/authZ/CLIDUyHXsnOnYYjVYWECAoabY7Tzx4kc4yrvtHZA2bo>;rel="up"',
  'replay-nonce': 'vGuBG2WmLJWajQjFDqNlKA',
  date: 'Sat, 26 Jan 2019 20:56:53 GMT',
  'content-length': '191',
  connection: 'close' }
{ type: 'http-01',
  url:
   'https://pebble:14000/chalZ/aX0TocDlSsIxP0vwjsbRLKWcKttnI4orzo-6pswvJaI',
  token: 'SXupDAT7M3BErUYvTrt5drBy2780hS1BuxpcPGnwQKs',
  status: 'pending' }

respond to challenge: resp.body:
{ type: 'http-01',
  url:
   'https://pebble:14000/chalZ/aX0TocDlSsIxP0vwjsbRLKWcKttnI4orzo-6pswvJaI',
  token: 'SXupDAT7M3BErUYvTrt5drBy2780hS1BuxpcPGnwQKs',
  status: 'pending' }

[DEBUG] statusChallenge

poll: valid
[greenlock/lib/core.js] removeChallenge called for 'nginx'

[DEBUG] getChallenges

[greenlock/lib/core.js] setChallenge called for 'api.nginx'

[DEBUG] waitChallengeDelay 500

[acme-v2.js] challenge accepted!
{ 'cache-control': 'public, max-age=0, no-cache',
  'content-type': 'application/json; charset=utf-8',
  link:
   '<https://pebble:14000/authZ/CH7hDeExIazjYdFJmNiTxIBUMeDQ3zrR9RDwD1by2Dc>;rel="up"',
  'replay-nonce': '1zsctO5Lm6tJjr_u1deAJg',
  date: 'Sat, 26 Jan 2019 20:56:55 GMT',
  'content-length': '191',
  connection: 'close' }
{ type: 'http-01',
  url:
   'https://pebble:14000/chalZ/7RXDxEfAyHdR7pfhspwT0wCHVlc75l7huoqNSJRUdJ4',
  token: '3uu8ih_fVQMNp1b_Gmmh1wK4hzW4v8fpwQibB3EUUMo',
  status: 'pending' }

respond to challenge: resp.body:
{ type: 'http-01',
  url:
   'https://pebble:14000/chalZ/7RXDxEfAyHdR7pfhspwT0wCHVlc75l7huoqNSJRUdJ4',
  token: '3uu8ih_fVQMNp1b_Gmmh1wK4hzW4v8fpwQibB3EUUMo',
  status: 'pending' }

[DEBUG] statusChallenge

poll: valid
[greenlock/lib/core.js] removeChallenge called for 'api.nginx'
[getCertificate] next.then
finalizeOrder:
finalize: https://pebble:14000/finalize-order/8BufAp29nWAeAmpudeEFmiLB44PS-cAeAjx5DzzSKus
order finalized: resp.body:
{ status: 'processing',
  expires: '2019-01-27T20:56:51Z',
  identifiers:
   [ { type: 'dns', value: 'admin.nginx' },
     { type: 'dns', value: 'api.nginx' },
     { type: 'dns', value: 'nginx' } ],
  finalize:
   'https://pebble:14000/finalize-order/8BufAp29nWAeAmpudeEFmiLB44PS-cAeAjx5DzzSKus',
  authorizations:
   [ 'https://pebble:14000/authZ/CLIDUyHXsnOnYYjVYWECAoabY7Tzx4kc4yrvtHZA2bo',
     'https://pebble:14000/authZ/CH7hDeExIazjYdFJmNiTxIBUMeDQ3zrR9RDwD1by2Dc',
     'https://pebble:14000/authZ/We-3ylmt3JVoknU7DTrCqZyCl-xw8P7R0lgiWSQdBfM' ] }
finalize: https://pebble:14000/finalize-order/8BufAp29nWAeAmpudeEFmiLB44PS-cAeAjx5DzzSKus
order finalized: resp.body:
{ type: 'urn:ietf:params:acme:error:malformed',
  detail: 'Order\'s status ("valid") was not ready',
  status: 400 }
Error: bad status:
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Order's status (\"valid\") was not ready",
  "status": 400
}
[acme-v2] handled(?) rejection as errback:
Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...
Requested: 'api.nginx, admin.nginx, nginx'
Validated: 'api.nginx, admin.nginx, nginx'
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Order's status (\"valid\") was not ready",
  "status": 400
}

Please open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js
    at /api/node_modules/acme-v2/node.js:547:29
    at process._tickCallback (internal/process/next_tick.js:68:7)
{"code":400,"data":null,"error":true,"messages":[{"type":"error","text":"Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...\nRequested: 'api.nginx, admin.nginx, nginx'\nValidated: 'api.nginx, admin.nginx, nginx'\n{\n  \"type\": \"urn:ietf:params:acme:error:malformed\",\n  \"detail\": \"Order's status (\\\"valid\\\") was not ready\",\n  \"status\": 400\n}\n\nPlease open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js"}],"stack":"Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...\nRequested: 'api.nginx, admin.nginx, nginx'\nValidated: 'api.nginx, admin.nginx, nginx'\n{\n  \"type\": \"urn:ietf:params:acme:error:malformed\",\n  \"detail\": \"Order's status (\\\"valid\\\") was not ready\",\n  \"status\": 400\n}\n\nPlease open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js\n    at /api/node_modules/acme-v2/node.js:547:29\n    at process._tickCallback (internal/process/next_tick.js:68:7)"}

I tried @cojalvo's recommendation but it didn't help. Here's a more complete debug log: ``` [acme-v2.js] challenge accepted! { 'cache-control': 'public, max-age=0, no-cache', 'content-type': 'application/json; charset=utf-8', link: '<https://pebble:14000/authZ/CLIDUyHXsnOnYYjVYWECAoabY7Tzx4kc4yrvtHZA2bo>;rel="up"', 'replay-nonce': 'vGuBG2WmLJWajQjFDqNlKA', date: 'Sat, 26 Jan 2019 20:56:53 GMT', 'content-length': '191', connection: 'close' } { type: 'http-01', url: 'https://pebble:14000/chalZ/aX0TocDlSsIxP0vwjsbRLKWcKttnI4orzo-6pswvJaI', token: 'SXupDAT7M3BErUYvTrt5drBy2780hS1BuxpcPGnwQKs', status: 'pending' } respond to challenge: resp.body: { type: 'http-01', url: 'https://pebble:14000/chalZ/aX0TocDlSsIxP0vwjsbRLKWcKttnI4orzo-6pswvJaI', token: 'SXupDAT7M3BErUYvTrt5drBy2780hS1BuxpcPGnwQKs', status: 'pending' } [DEBUG] statusChallenge poll: valid [greenlock/lib/core.js] removeChallenge called for 'nginx' [DEBUG] getChallenges [greenlock/lib/core.js] setChallenge called for 'api.nginx' [DEBUG] waitChallengeDelay 500 [acme-v2.js] challenge accepted! { 'cache-control': 'public, max-age=0, no-cache', 'content-type': 'application/json; charset=utf-8', link: '<https://pebble:14000/authZ/CH7hDeExIazjYdFJmNiTxIBUMeDQ3zrR9RDwD1by2Dc>;rel="up"', 'replay-nonce': '1zsctO5Lm6tJjr_u1deAJg', date: 'Sat, 26 Jan 2019 20:56:55 GMT', 'content-length': '191', connection: 'close' } { type: 'http-01', url: 'https://pebble:14000/chalZ/7RXDxEfAyHdR7pfhspwT0wCHVlc75l7huoqNSJRUdJ4', token: '3uu8ih_fVQMNp1b_Gmmh1wK4hzW4v8fpwQibB3EUUMo', status: 'pending' } respond to challenge: resp.body: { type: 'http-01', url: 'https://pebble:14000/chalZ/7RXDxEfAyHdR7pfhspwT0wCHVlc75l7huoqNSJRUdJ4', token: '3uu8ih_fVQMNp1b_Gmmh1wK4hzW4v8fpwQibB3EUUMo', status: 'pending' } [DEBUG] statusChallenge poll: valid [greenlock/lib/core.js] removeChallenge called for 'api.nginx' [getCertificate] next.then finalizeOrder: finalize: https://pebble:14000/finalize-order/8BufAp29nWAeAmpudeEFmiLB44PS-cAeAjx5DzzSKus order finalized: resp.body: { status: 'processing', expires: '2019-01-27T20:56:51Z', identifiers: [ { type: 'dns', value: 'admin.nginx' }, { type: 'dns', value: 'api.nginx' }, { type: 'dns', value: 'nginx' } ], finalize: 'https://pebble:14000/finalize-order/8BufAp29nWAeAmpudeEFmiLB44PS-cAeAjx5DzzSKus', authorizations: [ 'https://pebble:14000/authZ/CLIDUyHXsnOnYYjVYWECAoabY7Tzx4kc4yrvtHZA2bo', 'https://pebble:14000/authZ/CH7hDeExIazjYdFJmNiTxIBUMeDQ3zrR9RDwD1by2Dc', 'https://pebble:14000/authZ/We-3ylmt3JVoknU7DTrCqZyCl-xw8P7R0lgiWSQdBfM' ] } finalize: https://pebble:14000/finalize-order/8BufAp29nWAeAmpudeEFmiLB44PS-cAeAjx5DzzSKus order finalized: resp.body: { type: 'urn:ietf:params:acme:error:malformed', detail: 'Order\'s status ("valid") was not ready', status: 400 } Error: bad status: { "type": "urn:ietf:params:acme:error:malformed", "detail": "Order's status (\"valid\") was not ready", "status": 400 } [acme-v2] handled(?) rejection as errback: Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses... Requested: 'api.nginx, admin.nginx, nginx' Validated: 'api.nginx, admin.nginx, nginx' { "type": "urn:ietf:params:acme:error:malformed", "detail": "Order's status (\"valid\") was not ready", "status": 400 } Please open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js at /api/node_modules/acme-v2/node.js:547:29 at process._tickCallback (internal/process/next_tick.js:68:7) {"code":400,"data":null,"error":true,"messages":[{"type":"error","text":"Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...\nRequested: 'api.nginx, admin.nginx, nginx'\nValidated: 'api.nginx, admin.nginx, nginx'\n{\n \"type\": \"urn:ietf:params:acme:error:malformed\",\n \"detail\": \"Order's status (\\\"valid\\\") was not ready\",\n \"status\": 400\n}\n\nPlease open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js"}],"stack":"Error: Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...\nRequested: 'api.nginx, admin.nginx, nginx'\nValidated: 'api.nginx, admin.nginx, nginx'\n{\n \"type\": \"urn:ietf:params:acme:error:malformed\",\n \"detail\": \"Order's status (\\\"valid\\\") was not ready\",\n \"status\": 400\n}\n\nPlease open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js\n at /api/node_modules/acme-v2/node.js:547:29\n at process._tickCallback (internal/process/next_tick.js:68:7)"} ```

Ghost okomentoval 2019-01-26 21:04:44 +00:00

Autor

Kopírovat odkaz

Also, curl against one of the authorization URLs shows that the authorization is in status "valid":

curl -k  https://pebble:14000/authZ/CLIDUyHXsnOnYYjVYWECA
{
   "status": "valid",
   "identifier": {
      "type": "dns",
      "value": "nginx"
   },
   "challenges": [
      {
         "type": "http-01",
         "url": "https://pebble:14000/chalZ/aX0TocDlSsIxP0vwjsbRLKWcKttnI4orzo-6pswvJaI",
         "token": "SXupDAT7M3BErUYvTrt5drBy2780hS1BuxpcPGnwQKs",
         "status": "valid",
         "validated": "2019-01-26T20:56:53Z"
      }
   ],
   "expires": "2019-01-26T21:56:53Z"
}

It sounds to me like maybe the order is already finalized but it's still trying to do it again?

Also, curl against one of the authorization URLs shows that the authorization is in status "valid": ``` curl -k https://pebble:14000/authZ/CLIDUyHXsnOnYYjVYWECA { "status": "valid", "identifier": { "type": "dns", "value": "nginx" }, "challenges": [ { "type": "http-01", "url": "https://pebble:14000/chalZ/aX0TocDlSsIxP0vwjsbRLKWcKttnI4orzo-6pswvJaI", "token": "SXupDAT7M3BErUYvTrt5drBy2780hS1BuxpcPGnwQKs", "status": "valid", "validated": "2019-01-26T20:56:53Z" } ], "expires": "2019-01-26T21:56:53Z" } ``` It sounds to me like maybe the order is already finalized but it's still trying to do it again?

Ghost okomentoval 2019-01-28 08:44:56 +00:00

Autor

Kopírovat odkaz

@cabloo im not sure that the issue you are facing is the same one i report on.

@cabloo im not sure that the issue you are facing is the same one i report on.

coolaj86 okomentoval 2019-02-05 05:32:53 +00:00

Vlastník

Kopírovat odkaz

Looking into this now...

Looking into this now...

coolaj86 odkázal na tento úkol z commitu 2019-02-05 06:01:01 +00:00

#11 skip challenge when valid

coolaj86 odkázal na tento úkol z commitu 2019-02-05 06:04:31 +00:00

#11 skip challenge when valid

coolaj86 okomentoval 2019-02-05 06:05:09 +00:00

Vlastník

Kopírovat odkaz

@cojalvo Would you mind testing this patch?

• https://git.coolaj86.com/coolaj86/acme-v2.js/src/branch/skip-valid-challenge
• f0f9feb519

@cojalvo Would you mind testing this patch? * https://git.coolaj86.com/coolaj86/acme-v2.js/src/branch/skip-valid-challenge * https://git.coolaj86.com/coolaj86/acme-v2.js/commit/f0f9feb519f82c9c766bb467762078220688f187

coolaj86 okomentoval 2019-02-05 06:09:56 +00:00

Vlastník

Kopírovat odkaz

@cabloo, I'm not sure what to make of that error report, but I think it deserves a separate issue.

I've never tested Greenlock or ACME.js with faux domain names like that (api.nginx), so I'm not sure how it will handle them.

Perhaps you could set a few example.com domains in your /etc/hosts (such as test.example.com) and see if you still get those errors?

@cabloo, I'm not sure what to make of that error report, but I think it deserves a separate issue. I've never tested Greenlock or ACME.js with faux domain names like that (`api.nginx`), so I'm not sure how it will handle them. Perhaps you could set a few `example.com` domains in your `/etc/hosts` (such as `test.example.com`) and see if you still get those errors?

Ghost okomentoval 2019-02-05 06:17:24 +00:00

Autor

Kopírovat odkaz

@coolaj86 i will check that and let you know.
Thanks!

@coolaj86 i will check that and let you know. Thanks!

Ghost okomentoval 2019-02-14 13:19:24 +00:00

Autor

Kopírovat odkaz

@coolaj86 i test you fix (skip-valid-challenge) and it looks good.

When it gone be merged?

Thanks!

@coolaj86 i test you fix (skip-valid-challenge) and it looks good. When it gone be merged? Thanks!

Ghost okomentoval 2019-03-11 13:57:41 +00:00

Autor

Kopírovat odkaz

Looking forward for this fix as well.

Looking forward for this fix as well.

coolaj86 okomentoval 2019-03-14 18:11:33 +00:00

Vlastník

Kopírovat odkaz

Sorry guys, merging this in now.

Sorry guys, merging this in now.

coolaj86 odkázal na tento úkol z commitu 2019-03-14 18:15:23 +00:00

v1.5.3: merge fix for #11

coolaj86 okomentoval 2019-03-14 18:18:08 +00:00

Vlastník

Kopírovat odkaz

Published as v1.5.3

Published as v1.5.3

coolaj86 uzavřel/a tento úkol 2019-03-14 18:18:08 +00:00

Ghost znovuotevřel/a tento úkol 2019-05-20 09:50:05 +00:00

Ghost okomentoval 2019-05-20 09:55:31 +00:00

Autor

Kopírovat odkaz

@coolaj86 I find a bug in the fix.
When the order is for multi-domains certificate. it may happen that only one of the authorization will be in a valid state and the other is still pending since the user only satisfied a previous challenge for only one of the domains.
By returning from the next() function we skip the validation of the rest of the domains in the order.
The correct fix will be:

   if ("valid" === challenge.status) {
              return next();
            }

@coolaj86 I find a bug in the fix. When the order is for multi-domains certificate. it may happen that only one of the authorization will be in a valid state and the other is still pending since the user only satisfied a previous challenge for only one of the domains. By returning from the `next()` function we skip the validation of the rest of the domains in the order. The correct fix will be: ``` if ("valid" === challenge.status) { return next(); } ```

coolaj86 okomentoval 2019-05-20 14:03:15 +00:00

Vlastník

Kopírovat odkaz

@cojalvo Have you tried v1.7.7?

I believe that was already fixed.

@cojalvo Have you tried v1.7.7? I believe that was already fixed.

coolaj86 odkázal na tento úkol z commitu 2019-10-21 20:56:25 +00:00

#11 skip challenge when valid

coolaj86 odkázal na tento úkol z commitu 2019-10-21 20:56:25 +00:00

v1.5.3: merge fix for #11

coolaj86 okomentoval 2020-04-21 07:54:55 +00:00

Vlastník

Kopírovat odkaz

Reworked in v3.

Reworked in v3.

coolaj86 uzavřel/a tento úkol 2020-04-21 07:54:56 +00:00

Přihlaste se pro zapojení do konverzace.

Není určena žádná větev/značka

Větve Značky

master

v3

v1

wip-v3

browser-v2

errors

v2

skip-valid-challenge

v3.0.10

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.2

v3.0.1

v1.8.6

v1.8.5

v1.8.4

v1.8.2

v1.8.1

v1.8.0

v1.7.7

v1.7.6

v1.7.5

v1.7.3

v1.7.2

v1.7.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.3.1

v1.3.0

v1.2.1

v1.2.0

v1.1.1

v1.1.0

v1.0.9

v1.0.8

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v0.6.2

v0.6.1

v0.6.0

v0.0.2

Štítky

Zrušit štítky

Žádné položky

Bez štítku

Milník

Smazat milník

Žádné položky

Bez milníku

Zpracovatelé

Smazat zpracovatele

Bez zpracovatelů

2 účastníků

Oznámení

Odebírat

Termín dokončení

Termín dokončení není platný nebo je mimo rozsah. Použijte prosím formát „rrrr-mm-dd“.

Žádný termín dokončení.

Závislosti

Nejsou nastaveny žádné závislosti.

Reference: coolaj86/acme.js-ARCHIVED#11

No description provided.