LetsEncrypt-Staging returned ResourceUrl and AuthorizationUrls do not work properly about acme-ps HOT 10 CLOSED

Solved via #79 and published with 1.1.8

from acme-ps.

The problem here is the following probably:
The URLs returned aren't to be called with GET anymore but POST-as-GET, since LE wants all requests to be authorized.
The module itself uses Invoke-SignedWebRequest (or Invoke-AcmeSignedWebRequest) for that, which is an internal function.

That function could probably be public, so you could use it to query the exact error.

[X] Make Invoke-SignedWebRequest public

from acme-ps.

Solved in the next version (will drop next week)

from acme-ps.

Hi Thomas,
I'm using v1.1.7 code version now, and can execute "Invoke-AcmeSignedWebRequest" to get the status of an order.

In my script, it seems to fail the challenge about 50% of the time but other times works fine (in Staging).

I've included in the script the WebRequest above for the Order RequestUri to see the status. I'm not seeing anything to help me figure out how or why it would fail. Can you guide me?

An example would be an invalid order as per below:

RequestUri   : https://acme-staging-v02.api.letsencrypt.org/acme/order/13231395/86448230
StatusCode   : 200
NextNonce    : 00024KG_hCKr1eKQ9XxCHIiRs814csCVlYG2diO0VgXbcW8
Headers      : {Link, Server, Date, Strict-Transport-Security...}
Content      : @{status=invalid; expires=2020-04-28T01:33:24Z; identifiers=System.Object[]; 
               authorizations=System.Object[]; 
               finalize=https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13231395/86448230}
IsError      : False
ErrorMessage :

Any more ideas on how to debug the intermittent failure?
Thanks heaps!

from acme-ps.

You might want to try $response.Content to get more information. The Object should not be a string and it says "identifiers" and "authorizations"=System.Object[], which might be an "render-artifact" (currently you are seeing the default output for custom-classes in powershell, with no formatting).

Also you probably could use the autzorizations requestURI to get an more precise error message.

from acme-ps.

I'm having the exact same issue, and I have tried literally everything...

from acme-ps.

Wow, very embarrassing, im using Azure DNS, and the txt record name I add was malfunctioned / wrong.
I have fixed that now. So all is working....

from acme-ps.

It's always DNS ;)

Joke aside - what could the module do, to help you find the error message faster? (If you had a magic wand)

from acme-ps.

It's always DNS ;)

Joke aside - what could the module do, to help you find the error message faster? (If you had a magic wand)

I have tried to debug this a bit, but I'm really not an expert or experienced with the protocol. Here's some more information. My cert request is for multiple sub-domains under the one parent domain. Not wildcard, just multiple dns entries. In my script it loops through each domain and tries to complete the challenge request for each domain. I noticed in a recent test that 2 of the 10 domains failed the challenge, but the others succeeded.

So why did 2 fail and the others succeed? They use the same process each time. So is there perhaps a race condition going on? I don't know. I'd like a way to easily see why two domains failed the challenge though. I will have to do more testing to see if I can get you more information as I know I'm not helping a lot. I just thought I'd mention it here.

Is there a way to implement a "reason_for_invalid_challenge()" type function which goes through each challenge response and looks for failure reasons?

from acme-ps.

IIRC the protocol will do something to the order in the case it's invalid, which allows to see the failing reasons - I'll take a look and see what can be done to improve the debugging experience.

from acme-ps.