New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V2 order ready status not recognized, causes deserialization error #5856
Comments
cpu
pushed a commit
to letsencrypt/boulder
that referenced
this issue
Apr 12, 2018
In #3614 we adjusted the `SA.NewOrder` function to conditionally call `ssa.statusForOrder` on the new order when `features.OrderReadyStatus` was enabled. Unfortunately this call to `ssa.statusForOrder` happened *before* the `req.BeganProcessing` field was initialized with a pointer to a `false` bool. The `ssa.statusForOrder` function (correctly) assumes that `req.BeganProcessing == nil` is illegal and doesn't correspond to a known status. This results in NewOrder requests returning a 500 error of the form: > Internal error - Error creating new order - Order XXX is in an invalid state. No state known for this order's authorizations Our integration tests missed this because we didn't have a test case that issued for a set of names with one account, and then issued again for the same set of names with the same account. This commit fixes the original bug by moving the `BeganProcessing` initialization before the call to `statusForOrder`. This commit also adds an integration test to catch this sort of bug again in the future. Prior to the SA fix this test failed with the 500 server internal error observed by the Certbot team. With the SA fix in place the test passes again. Finally, this commit disables the `OrderReadyStatus` feature flag in `test/config-next/sa.json`. Certbot's ACME implementation breaks when this flag is enabled (See certbot/certbot#5856). Since Certbot runs integration tests against Boulder with config-next we should be courteous and leave this flag disabled until we are closer to being able to turn it on for staging/prod.
cpu
pushed a commit
to letsencrypt/boulder
that referenced
this issue
Apr 12, 2018
This commit disables the `OrderReadyStatus` feature flag in `test/config-next/sa.json`. Certbot's ACME implementation breaks when this flag is enabled (See certbot/certbot#5856). Since Certbot runs integration tests against Boulder with config-next we should be courteous and leave this flag disabled until we are closer to being able to turn it on for staging/prod.
jsha
added a commit
to letsencrypt/boulder
that referenced
this issue
Apr 12, 2018
In #3614 we adjusted the `SA.NewOrder` function to conditionally call `ssa.statusForOrder` on the new order when `features.OrderReadyStatus` was enabled. Unfortunately this call to `ssa.statusForOrder` happened *before* the `req.BeganProcessing` field was initialized with a pointer to a `false` bool. The `ssa.statusForOrder` function (correctly) assumes that `req.BeganProcessing == nil` is illegal and doesn't correspond to a known status. This results in `NewOrder` requests returning a 500 error of the form: > Internal error - Error creating new order - Order XXX is in an invalid state. No state known for this order's authorizations Our integration tests missed this because we didn't have a test case that issued for a set of names with one account, and then issued again for the same set of names with the same account. This PR fixes the original bug by moving the `BeganProcessing` initialization before the call to `statusForOrder`. This PR also adds an integration test to catch this sort of bug again in the future. Prior to the SA fix this test failed with the 500 server internal error observed by the Certbot team. With the SA fix in place the test passes again. Finally, this PR disables the `OrderReadyStatus` feature flag in `test/config-next/sa.json`. Certbot's ACME implementation breaks when this flag is enabled (See certbot/certbot#5856). Since Certbot runs integration tests against Boulder with config-next we should be courteous and leave this flag disabled until we are closer to being able to turn it on for staging/prod.
Hey just saw this! One of the triage methods we use is to scan for things without a label (since outside contributors can't add them), because that means no one on Certbot has taken a look yet. This will get in a sprint ASAP. |
@ohemorange Oops! I won't apply labels myself in the future. I didn't realize that was part of your triage workflow. Thanks for catching this & 5857 |
Merged
sauloperez
added a commit
to coopdevs/certbot_nginx
that referenced
this issue
Nov 21, 2018
This fixes the error ``` josepy.errors.DeserializationError: Deserialization error: Could not decode 'status' ('ready'): Deserialization error: Status not recognized 2018-11-21 12:36:10,048:ERROR:certbot.log:An unexpected error occurred: ``` when generating a certificate. By checking certbot/certbot#5856 we managed to trace back to the actual version of certbot that fixes this; 0.26.1. We also found that the `letsencrypt` package does not contain all dependencies (python3-certbot) and `certbot` should be used instead.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I installed Certbot with (certbot-auto, OS package manager, pip, etc):
Cloned from git:
I ran this command and it produced this output:
certbot_test --server http://localhost:4001/directory certonly --standalone -d one.wtf --preferred-challenges http-01
Note: This is against a Boulder instance configured with the
OrderReadyStatus
feature flag enabled (See letsencrypt/boulder#3644).Certbot's behavior differed from what I expected because:
Certbot POSTed
newOrder
. In response an order object with"status": "ready"
was returned. This caused aDeserializationError
indicating "Could not decode 'status' (u'ready'): Deserialization error: Status not recognized".The "ready" status was added to the ACME specification in draft-10 before Let's Encrypt launched its production ACMEv2 endpoint. Boulder does not use this new status in staging/production yet but we will in the near future (~next month).
Draft-10 says:
This state is used to indicate that an order is ready for finalization. Previously the order would remain in "processing" when all of its authorizations were in the "valid" state.
Here is a Certbot log showing the issue (if available):
The text was updated successfully, but these errors were encountered: