DNS challenge: authz is pending, challenge processing even after error is present

Hi Andriy Mahats,

I've noticed the following behavior when trying DNS validation with the ACME v2 (RFC 8555) staging endpoint: in case challenges fail, it sometimes happens that the challenge has the "error" field set, while the challenge is in "processing" state (and the corresponding authz object in "pending" state).

Here is a response I got to when GET-as-POST-ing https://api.test4.buypass.no/acme-v02/authz/J5xlz8e8Q5KS01bl03ymrYy9IVcCJ6cGwl5RlEfDZq4:

  "identifier": {
    "type": "dns",
    "value": "buypass.tlstest.fonga.ch"
  "status": "pending",
  "challenges":  [
      "type": "dns-01",
      "token": "42173FC770D4A8CB008FA0AC04775213A16F5662",
      "status": "processing",
      "validated": "2019-09-21T19:09:04Z",
      "error": {
        "code": 0,
        "type": "compound",
        "detail": "Errors during validation",
        "subproblems": [
            "code": 0,
            "type": "urn:ietf:params:acme:error:incorrectResponse",
            "detail": "Response received didn't match the challenge's requirements"
            "code": 0,
            "type": "urn:ietf:params:acme:error:incorrectResponse",
            "detail": "Response received didn't match the challenge's requirements"
      "url": "https://api.test4.buypass.no/acme-v02/authz/J5xlz8e8Q5KS01bl03ymrYy9IVcCJ6cGwl5RlEfDZq4/1"
  "wildcard": true

The HTTP status was 200, and the mdc-correlationid header had value "e7a27125-1452-4b83-82f4-b23e11779733".

According to https://tools.ietf.org/html/rfc8555#page-62,

A challenge object with an error MUST have status equal to "invalid".

Also, after a long time retrieving these objects, I eventually got an Internal Server Error:

{"code":500,"message":"INTERNAL_SERVER_ERROR","details":"HTTP 500 Internal Server Error"}

(Here, mdc-correlationid was "a7438e03-5412-4bd6-b4f7-c767cc4d54c9".)

Best regards,

Felix Fontein

1reply Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
Replies are closed
  • Status Answered
  • 3 yrs agoLast active
  • 1Replies closed
  • 169Views
  • 3 Following

Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.

Sign-up using free email domains have been blocked due to increased spam. https://community.forumbee.com/t/63zsyt/blocked-email-domains