
DNS challenge: authz is pending, challenge processing even after error is present

Hi Andriy Mahats,

I've noticed the following behavior when trying DNS validation with the ACME v2 (RFC 8555) staging endpoint: when a challenge fails, it sometimes happens that the challenge has the "error" field set while the challenge is in the "processing" state (and the corresponding authz object is in the "pending" state).

Here is a response I got when GET-as-POST-ing https://api.test4.buypass.no/acme-v02/authz/J5xlz8e8Q5KS01bl03ymrYy9IVcCJ6cGwl5RlEfDZq4:

{
  "identifier": {
    "type": "dns",
    "value": "buypass.tlstest.fonga.ch"
  },
  "status": "pending",
  "challenges": [
    {
      "type": "dns-01",
      "token": "42173FC770D4A8CB008FA0AC04775213A16F5662",
      "status": "processing",
      "validated": "2019-09-21T19:09:04Z",
      "error": {
        "code": 0,
        "type": "compound",
        "detail": "Errors during validation",
        "subproblems": [
          {
            "code": 0,
            "type": "urn:ietf:params:acme:error:incorrectResponse",
            "detail": "Response received didn't match the challenge's requirements"
          },
          {
            "code": 0,
            "type": "urn:ietf:params:acme:error:incorrectResponse",
            "detail": "Response received didn't match the challenge's requirements"
          }
        ]
      },
      "url": "https://api.test4.buypass.no/acme-v02/authz/J5xlz8e8Q5KS01bl03ymrYy9IVcCJ6cGwl5RlEfDZq4/1"
    }
  ],
  "wildcard": true
}

The HTTP status was 200, and the mdc-correlationid header had value "e7a27125-1452-4b83-82f4-b23e11779733".

According to https://tools.ietf.org/html/rfc8555#page-62,

A challenge object with an error MUST have status equal to "invalid".

Also, after retrieving these objects for a long time, I eventually got an Internal Server Error:

{"code":500,"message":"INTERNAL_SERVER_ERROR","details":"HTTP 500 Internal Server Error"}

(Here, mdc-correlationid was "a7438e03-5412-4bd6-b4f7-c767cc4d54c9".)

Best regards,

Felix Fontein

1 reply
Hi Felix Fontein,

Thanks for providing the details, this made the investigation easier.

We have implemented the retrying of challenges (https://tools.ietf.org/html/rfc8555#section-8.2). However, we will not verify the challenge again until we get an explicit request from the client. The error field contains entries of failed validation queries. See also https://tools.ietf.org/html/rfc8555#section-7.1.6 for the state transitions of challenge statuses.

It seems to me that the "error" here (https://tools.ietf.org/html/rfc8555#page-62) might refer generally to the failure of the validation process, though the field with the same name is part of the challenge object.

The 500 error has been added to the bug tracker and is being investigated.

Regards,

Andriy

Status: Answered
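The following is an added example (editor's code, not Buypass's server code and not any real ACME client) showing how a client can handle the exchange in this thread: it checks the RFC 8555 state invariants that the posted authz object breaks (a challenge with "error" MUST be "invalid"; an authz is no longer "pending" once a challenge reaches a final status), flattens the compound error into its subproblem types, and, since the server says it will not revalidate until explicitly asked, treats a "processing" challenge that already carries an "error" as the cue to re-POST the challenge (RFC 8555 section 8.2). The authz object below is constructed from the posted response; the retry budget (max_retries) and the action names are this example's own choices.

```python
"""Client-side handling of an ACME (RFC 8555) authorization object.

Added example: checks RFC 8555 state invariants on an authz response and
decides whether to wait, explicitly retry (re-POST the challenge, section
8.2), give up or finish. Not Buypass's or any real client's code; the
retry policy (max_retries) is this example's own assumption.
"""

# Constructed authz object, modelled on the response posted in the thread
# (HTTP 200): challenge "processing" with an "error", authz still "pending".
STUCK_AUTHZ = {
    "identifier": {"type": "dns", "value": "buypass.tlstest.fonga.ch"},
    "status": "pending",
    "challenges": [{
        "type": "dns-01",
        "token": "42173FC770D4A8CB008FA0AC04775213A16F5662",
        "status": "processing",
        "validated": "2019-09-21T19:09:04Z",
        "error": {
            "type": "compound",
            "detail": "Errors during validation",
            "subproblems": [
                {"type": "urn:ietf:params:acme:error:incorrectResponse",
                 "detail": "Response received didn't match the challenge's requirements"},
                {"type": "urn:ietf:params:acme:error:incorrectResponse",
                 "detail": "Response received didn't match the challenge's requirements"},
            ],
        },
        "url": "https://api.test4.buypass.no/acme-v02/authz/"
               "J5xlz8e8Q5KS01bl03ymrYy9IVcCJ6cGwl5RlEfDZq4/1",
    }],
    "wildcard": True,
}

# Authz states that will not change any more (RFC 8555 section 7.1.6).
FINAL_AUTHZ = {"valid", "invalid", "deactivated", "expired", "revoked"}


def rfc8555_violations(authz):
    """Describe each way the object breaks the RFC 8555 state model: a
    challenge with "error" MUST be "invalid" and a "valid" challenge MUST
    carry "validated" (section 8); an authz is no longer "pending" once a
    challenge reached "valid" or "invalid" (section 7.1.6)."""
    problems = []
    statuses = [c.get("status") for c in authz.get("challenges", [])]
    for c in authz.get("challenges", []):
        if "error" in c and c.get("status") != "invalid":
            problems.append("%s: 'error' present but status is %r (MUST be 'invalid')"
                            % (c.get("type"), c.get("status")))
        if c.get("status") == "valid" and "validated" not in c:
            problems.append("%s: status 'valid' without 'validated' timestamp" % c.get("type"))
    if authz.get("status") == "pending" and ({"valid", "invalid"} & set(statuses)):
        problems.append("authz 'pending' although a challenge already reached a final status")
    return problems


def error_types(challenge):
    """Flatten the challenge error into ACME error-type URNs, descending into
    the "subproblems" of a compound error (RFC 8555 section 6.7.1)."""
    err = challenge.get("error")
    if not err:
        return []
    if err.get("subproblems"):
        return [sp.get("type") for sp in err["subproblems"]]
    return [err.get("type")]


def next_action(authz, retries_so_far, max_retries=3):
    """Decide what to do after one GET-as-POST of the authz URL.

    Returns "done", "failed", "wait" or "retry". "retry" means re-POST the
    challenge URL (payload {}) so the server validates again; it is chosen
    only for a "processing" challenge that already reports an error."""
    status = authz.get("status")
    if status == "valid":
        return "done"
    if status in FINAL_AUTHZ:
        return "failed"
    for c in authz.get("challenges", []):
        if c.get("status") == "processing":
            if "error" in c:
                return "retry" if retries_so_far < max_retries else "failed"
            return "wait"
    return "wait"   # pending authz, no challenge in flight yet


def run_poll(responses, max_retries=3):
    """Drive next_action over a constructed sequence of authz responses (in
    place of real GET-as-POST calls). Returns (outcome, actions taken)."""
    retries, log = 0, []
    for authz in responses:
        action = next_action(authz, retries, max_retries)
        log.append(action)
        if action == "retry":
            retries += 1        # a real client re-POSTs the challenge here
        elif action in ("done", "failed"):
            return action, log
    return "wait", log


if __name__ == "__main__":
    for p in rfc8555_violations(STUCK_AUTHZ):
        print("violation:", p)
    print("errors:", error_types(STUCK_AUTHZ["challenges"][0]))
    print("poll outcome:", run_poll([STUCK_AUTHZ] * 5))
```

Run against the posted object, the checker reports the one invariant the thread is about, the error list shows two incorrectResponse subproblems (the DNS record the server saw did not match), and the poll loop re-POSTs three times and then gives up rather than spinning on a challenge the server will not revalidate by itself.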

Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.
