Greenlock is stuck with challenge state "invalid", when I remove private key, it starts to work correctly #27

Closed
opened 2018-12-12 16:11:22 +00:00 by Ghost · 7 comments

I have an issue with some domains, which receive the error below.
When I remove the primary key, it starts to work correctly. Do you have any ideas how to deal with issues like this?

```
15:55:40 [acme-v2] (E_STATE_INVALID) challenge state: 'invalid'
15:55:40 [acme-v2] handled(?) rejection as errback:
15:55:40 Error: [acme-v2] [error] unacceptable challenge state 'invalid'
15:55:40     at /srv/shorturl_redirector/node_modules/acme-v2/node.js:374:31
15:55:40     at process._tickCallback (internal/process/next_tick.js:68:7)
15:55:40 Error loading/registering certificate for 'el-jj15asmr.asmrtistunited.org':
15:55:40 Error: [acme-v2] [error] unacceptable challenge state 'invalid'
Error: [acme-v2] [error] unacceptable challenge state 'invalid'
```
Owner

See the troubleshooting guide and first 2 videos at
https://git.coolaj86.com/coolaj86/greenlock-express.js

It sounds like you’re adding new domains and probably just need to use the approveDomains callback (or a more sophisticated storage plugin).

Author

The problem is not the error, it happens - some network issues, DNS cache and so on.

The problem is that this problem stays even when the original problem disappears and it requires manual intervention to be solved.

I have 10000+ domains in a system and fixing every domain is not a solution. It would be nice if you could suggest to me how to implement a solution and I'll send a pull request.

Author

PS: for 99% of domains everything works fine

Owner

There were some problems with the way the primary key thumbprint was being generated in some cases. I think that may have been related to this. I published the fix a while ago, but forgot to update you here.

I'm going to close this out, but please reopen it if this happens again with the latest version.

Author

@coolaj86 I am experiencing a similar issue. I have around 5,000 relatively low traffic domains. The vast majority work perfectly, but every once in a while I run into one that just won't validate, giving the error "unacceptable challenge state 'invalid'".

I have gone through all the troubleshooting steps and nothing seems to work. Every request to the domain results in the above error. Then it creates the directory for the domain in `acme/live`, with only `privkey.pem` inside of it. Deleting the directory for the domain doesn't seem to solve it.

@gugu, is that what you mean by removing the "primary key"?

Any advice or direction you could give me here would be really helpful, thanks.

Owner

Especially in light of the cleanup as part of the transition to v2.7+ / v3 it's very likely that the issue is specific to your situation, and not an issue with Greenlock itself.

Off the cuff my guess is that either you're over your limit per IP, or the domain that you're trying to validate is a special non-supported TLD (i.e. `.newthing`, not `.com`), or the domain has a CAA record set.

We're going to start offering commercial licensing and business support plans for priority support for these types of issues. As of right now I can offer consulting at an hourly rate to help troubleshoot. Please send an email to aj@therootcompany.com with your timezone and specific details about the failing domains.

We can get on a screen share and take a look at logs, get into specifics more than what you might want to share publicly on an issue, and quickly debug it.

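One of the causes the maintainer lists above, a CAA record that excludes the CA, is something an operator with thousands of domains can screen for before handing a hostname to the ACME client, so that a domain that can never validate is rejected up front instead of sitting in challenge state 'invalid'. The following is an added example, not Greenlock's code: it applies the RFC 8659 CAA evaluation rules (walk up the labels to the closest name with a CAA set; `issuewild` overrides `issue` for wildcard names; fail closed on unknown critical properties) against a constructed in-memory zone. The `SAMPLE_CAA` records and the `*.example.org` names are made up; in production the same logic would run over records from `dns.promises.resolveCaa()` and could be invoked from whatever pre-approval hook the client offers.

```javascript
// Added example (not Greenlock's code): CAA pre-flight check per RFC 8659.
const CA_DOMAIN = 'letsencrypt.org';

// Constructed sample zone: name -> CAA records. [] means "exists, no CAA set".
// Shape mirrors what dns.promises.resolveCaa() returns ({critical, issue|issuewild}).
const SAMPLE_CAA = {
  'locked.example.org': [{ critical: 0, issue: 'digicert.com' }],      // LE excluded
  'ok.example.org':     [{ critical: 0, issue: 'letsencrypt.org' }],
  'wild.example.org':   [{ critical: 0, issuewild: 'letsencrypt.org' }],
  'none.example.org':   [{ critical: 0, issue: ';' }],                 // nobody may issue
  'example.org':        [],
};

// RFC 8659 lookup: the relevant record set is the closest ancestor's non-empty set.
function lookupCaa(hostname, zone = SAMPLE_CAA) {
  const labels = hostname.split('.');
  for (let i = 0; i < labels.length - 1; i++) {   // never consult the bare TLD
    const rrs = zone[labels.slice(i).join('.')];
    if (rrs && rrs.length > 0) return rrs;
  }
  return [];
}

// Returns { allowed, reason } for issuing a cert for `hostname` from CA_DOMAIN.
function caaPermits(hostname, zone = SAMPLE_CAA) {
  const isWildcard = hostname.startsWith('*.');
  const rrs = lookupCaa(isWildcard ? hostname.slice(2) : hostname, zone);
  if (rrs.length === 0) return { allowed: true, reason: 'no CAA records' };

  // A critical property this checker does not understand must fail closed.
  if (rrs.some(r => (r.critical & 128) !== 0 && !('issue' in r) && !('issuewild' in r))) {
    return { allowed: false, reason: 'unknown critical CAA property' };
  }
  const issue = rrs.filter(r => 'issue' in r).map(r => r.issue);
  const issuewild = rrs.filter(r => 'issuewild' in r).map(r => r.issuewild);
  // issuewild governs wildcard names when present; otherwise issue applies.
  // For non-wildcard names, issuewild is ignored entirely.
  const relevant = isWildcard && issuewild.length > 0 ? issuewild : issue;
  if (relevant.length === 0) return { allowed: true, reason: 'no relevant CAA property' };

  // Value syntax is "<issuer-domain> [; parameters]"; an empty issuer means "no CA".
  const ok = relevant.some(v => v.split(';')[0].trim().toLowerCase() === CA_DOMAIN);
  return {
    allowed: ok,
    reason: ok ? `CAA permits ${CA_DOMAIN}` : `CAA restricts issuance to: ${relevant.join(', ')}`,
  };
}
```

A hostname that comes back `allowed: false` should be excluded from the certificate request and surfaced to the domain owner, since no number of ACME retries will change the answer until the DNS record does.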
Author

Thanks, I just sent you an email.

Reference: coolaj86/greenlock.js-ARCHIVED#27