For some, but not all, of the domains on my server, running sympl-ssl gives the error !! Failed: Order’s status (“pending”) is not acceptable for finalization. I’ve been in touch with Let’s Encrypt, and they say there’s not enough information in the output to know exactly what’s going on. Is there a log somewhere, perhaps? Or a mode more verbose than that invoked by --verbose?
It also happens with these domains on the same server:
…but not others, and I can’t see any obvious ways in which the failing domains differ from the ones that work.
All suggestions gratefully received!
Thanks,
Ben
Any Error Messages
* Examining certificates for newdealstringband.com
SSL set 0: Not valid for newdealstringband.com -- certificate has expired (10)
SSL set 1: Not valid for newdealstringband.com -- certificate has expired (10)
SSL set 2: Not valid for newdealstringband.com -- certificate has expired (10)
SSL set 3: Not valid for newdealstringband.com -- certificate has expired (10)
SSL set 4: Not valid for newdealstringband.com -- certificate has expired (10)
SSL set 5: Not valid for newdealstringband.com -- certificate has expired (10)
SSL set 6: Not valid for newdealstringband.com -- certificate has expired (10)
SSL set 7: Not valid for newdealstringband.com -- certificate has expired (10)
SSL set 8: Not valid for newdealstringband.com -- certificate has expired (10)
Current SSL set 13: signed by /C=US/O=Let's Encrypt/CN=R3, expires 2022-01-02 00:50:57 UTC
The current certificate expires in 25 days.
Fetching a new certificate from LetsEncrypt.
Requesting verification for newdealstringband.com from https://acme-v02.api.letsencrypt.org/directory
Successfully verified newdealstringband.com
Requesting verification for www.newdealstringband.com from https://acme-v02.api.letsencrypt.org/directory
Successfully verified www.newdealstringband.com
!! Failed: Order's status ("pending") is not acceptable for finalization
Can you confirm what versions of the Sympl packages you have installed with dpkg -l 'sympl*'?
In a nutshell, the way the LE stuff works is by sympl-ssl ‘ordering’ a hostname, which then sends a code to do some basic processes on and place in /.well-known/acme-challenge, then it retrieves the content from multiple locations, and if it matches then it’s verified, and added to the final order, otherwise dropped from the order, until all the relevant hostnames have been dealt with, and the order is finalised, and you get the cert.
Checking the site though, I can see there’s a current cert there so it’s working okay now?
Sorry to have been so long replying — I’ve been away.
sympl@loris:~$ dpkg -l 'sympl*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-================-=============-============-==================================================================
ii sympl-backup 10.0.200706.0 all Automatically backup your files
un sympl-common <none> <none> (no description available)
ii sympl-core 10.20211213.0 all Easy, complete, and friendly server administration system
ii sympl-cron 10.0.190719.0 amd64 Provide per-domain crontab support
ii sympl-dns 10.0.190621.0 all Automatic DNS record creation and uploading for Bytemark customers
ii sympl-firewall 10.0.190918.0 amd64 Sympl firewall generator
ii sympl-ftp 10.0.190624.0 all Tools to manage FTP virtual hosting
ii sympl-mail 10.20210408.0 all virtual hosting solution for email
ii sympl-monit 10.0.200326.0 all Service monitoring and restarting
ii sympl-mysql 10.0.190731.0 all MySQL metapackage for Sympl.
un sympl-phpmyadmin <none> <none> (no description available)
ii sympl-updater 10.0.190621.0 all Automatic package upgrades
ii sympl-web 10.0.200909.2 amd64 Tools to manage Apache virtual hosting in Sympl
ii sympl-webmail 10.0.200127.0 all Provide webmail access to a Sympl system using Roundcube
sympl@loris:~$
sympl-common is not installed which seems weird to me, but then again I don’t really know what to expect.
Just for anyone else ending up here with the same problem, the relevant site was compromised, and content was being rewritten in an odd way which was preventing the certs from being issued correctly.
Kelduum, yes, thank you for this — I see that I had begun to compose a similar message but must have been distracted. My apologies. Your help was critical.
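The following is an added example, not written by any poster in this thread and not Sympl's own code. It shows how to read an ACME order and its authorizations (RFC 8555) to see which hostname keeps the order in "pending", and how to compare the challenge body a web server returns with the expected key authorization, which is the check that fails when a site's content is being rewritten. The helper names, hostnames, URLs, token and thumbprint are all constructed for illustration.

```python
# Added example; helper names and all sample values are constructed.

def key_authorization(token, thumbprint):
    # RFC 8555 section 8.1: token, a dot, then the account key thumbprint.
    return f"{token}.{thumbprint}"

def classify_served_body(expected, served):
    """Compare the body the web server returned with the expected value."""
    if served.rstrip() == expected:   # trailing whitespace is tolerated
        return "match"
    if expected in served:            # right value, extra content around it
        return "rewritten"
    return "mismatch"

def blocking_authorizations(order, authzs):
    """List (hostname, status) for each authorization that is not valid."""
    return [(authzs[u]["identifier"]["value"], authzs[u]["status"])
            for u in order["authorizations"] if authzs[u]["status"] != "valid"]

def can_finalize(order):
    # RFC 8555 section 7.4: only an order in the "ready" state can be finalized.
    return order["status"] == "ready"

# Constructed order and authorization objects, shaped as in RFC 8555.
ORDER = {"status": "pending",
         "authorizations": ["https://acme.example/authz/1",
                            "https://acme.example/authz/2"]}
AUTHZS = {
    "https://acme.example/authz/1": {
        "identifier": {"type": "dns", "value": "example.org"}, "status": "valid"},
    "https://acme.example/authz/2": {
        "identifier": {"type": "dns", "value": "www.example.org"}, "status": "pending"},
}
EXPECTED = key_authorization("constructed-token", "constructed-thumbprint")
SERVED = EXPECTED + "\n<!-- content appended by something else -->\n"

if __name__ == "__main__":
    print("can finalize:", can_finalize(ORDER))
    for host, status in blocking_authorizations(ORDER, AUTHZS):
        print(f"blocking: {host} is {status}")
    print("challenge body:", classify_served_body(EXPECTED, SERVED))
```

A "rewritten" or "mismatch" result for a file you placed under /.well-known/acme-challenge yourself is worth treating as a sign that something between the disk and the client is altering responses.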