Using sympl-ssl gives "status [...] not acceptable for finalization"

spunto · 7 December 2021 15:54

Problem Description

For some, but not all, of the domains on my server, running sympl-ssl gives the error !! Failed: Order’s status (“pending”) is not acceptable for finalization. I’ve been in touch with Let’s Encrypt, and they say there’s not enough information in the output to know exactly what’s going on. Is there a log somewhere, perhaps? Or a mode more verbose than that invoked by --verbose?

It also happens with these domains on the same server:

7.hogsedge.net
blazingstrings.co.uk
hogsedge.net
hogsedge.org
longhillramblers.com
pepperpaley.com

…but not others, and I can’t see any obvious ways in which the failing domains differ from the ones that work.

All sugestions gratefully received!

Thanks,
Ben

Any Error Messages

* Examining certificates for newdealstringband.com
	SSL set 0: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 1: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 2: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 3: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 4: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 5: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 6: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 7: Not valid for newdealstringband.com -- certificate has expired (10)
	SSL set 8: Not valid for newdealstringband.com -- certificate has expired (10)
	Current SSL set 13: signed by /C=US/O=Let's Encrypt/CN=R3, expires 2022-01-02 00:50:57 UTC
	The current certificate expires in 25 days.
	Fetching a new certificate from LetsEncrypt.
	Requesting verification for newdealstringband.com from https://acme-v02.api.letsencrypt.org/directory
	Successfully verified newdealstringband.com
	Requesting verification for www.newdealstringband.com from https://acme-v02.api.letsencrypt.org/directory
	Successfully verified www.newdealstringband.com
	!! Failed: Order's status ("pending") is not acceptable for finalization

Environment

Sympl Version 10.0
Sympl Testing Version? No
Debian Version Buster
Hardware Type? Virtual
Hosted On? Bytemark

Kelduum · 10 December 2021 20:41

That’s… unusual.

Can you confirm what versions of the Sympl packages you have installed with dpkg -l 'sympl*'?

In a nutshell, the way the LE stuff works is by sympl-ssl ‘ordering’ a hostname, which then sends a code to do some basic processes on and place in /.well-known/acme-challenge, then it retrieves the content from multiple locations, and if it matches then it’s verified, and added to the final order, otherwise dropped from the order, until all the relevant hostnames have been dealt with, and the order is finalised, and you get the cert.

Checking the site though, I can see there’s a current cert there so it’s working okay now?

spunto · 16 December 2021 13:44

Sorry to have been so long replying — I’ve been away.

sympl@loris:~$ dpkg -l 'sympl*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version       Architecture Description
+++-================-=============-============-==================================================================
ii  sympl-backup     10.0.200706.0 all          Automatically backup your files
un  sympl-common     <none>        <none>       (no description available)
ii  sympl-core       10.20211213.0 all          Easy, complete, and friendly server administration system
ii  sympl-cron       10.0.190719.0 amd64        Provide per-domain crontab support
ii  sympl-dns        10.0.190621.0 all          Automatic DNS record creation and uploading for Bytemark customers
ii  sympl-firewall   10.0.190918.0 amd64        Sympl firewall generator
ii  sympl-ftp        10.0.190624.0 all          Tools to manage FTP virtual hosting
ii  sympl-mail       10.20210408.0 all          virtual hosting solution for email
ii  sympl-monit      10.0.200326.0 all          Service monitoring and restarting
ii  sympl-mysql      10.0.190731.0 all          MySQL metapackage for Sympl.
un  sympl-phpmyadmin <none>        <none>       (no description available)
ii  sympl-updater    10.0.190621.0 all          Automatic package upgrades
ii  sympl-web        10.0.200909.2 amd64        Tools to manage Apache virtual hosting in Sympl
ii  sympl-webmail    10.0.200127.0 all          Provide webmail access to a Sympl system using Roundcube
sympl@loris:~$

sympl-common is not installed which seems weird to me, but then again I don’t really know what to expect.

Thank you so much for your help

Kelduum · 27 January 2022 23:44

Just for anyone else ending up here with the same problem, the relevant site was compromised, and content was being rewritten in an odd way which was preventing the certs from being issued correctly.

spunto · 29 January 2022 13:10

Kelduum, yes, thank you for this — I see that I had begun to compose a similar message but must have been distracted. My apologies. Your help was critical.

system · 8 February 2022 13:11

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.