Sorry I don't have a diff for this.

I just had a renewal on letsencrypt staging fail; status went from
PENDING->READY->PROCESSING when acme-client netproc was expecting only
INVALID/VALID/PENDING/READY.
From https://www.rfc-editor.org/rfc/rfc8555#page-48

   o  "processing": The certificate is being issued.  Send a POST-as-GET
      request after the time given in the Retry-After header field of
      the response, if any.

Ordering again worked. Presumably, with current lifetimes, daily
cronjobs are likely to result in a working order before expiry - so it's
not urgent at the moment - but with the trajectory of reduced lifetimes
I think it will become more important to handle in a single run of
acme-client.

I suspect we see this a) when CA issuance is running slowly or b) if
there's a CA bug where it doesn't move to INVALID correctly (there are
reports in the past of orders getting stuck on PROCESSING) so actually
reproducing on an internet CA is likely to be awkward, but also it would
seem prudent to cap any retries either by number of attempts or overall
time.

Redacted -vv output:

acme-client: /etc/ssl/private/(domain).key: loaded domain key
acme-client: /etc/acme/letsencrypt-staging-privkey.pem: loaded account key
acme-client: /etc/ssl/(domain).crt: certificate renewable: 29 days left
acme-client: https://acme-staging-v02.api.letsencrypt.org/directory: directories
acme-client: acme-staging-v02.api.letsencrypt.org: DNS: 172.65.46.172
acme-client: acme-staging-v02.api.letsencrypt.org: DNS: 2606:4700:60:0:f41b:d4fe:4325:6026
acme-client: transfer buffer: [{
  "Np6Hc1INlmg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver (not yet generally available)"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}] (1116 bytes)
acme-client: account key: https://acme-staging-v02.api.letsencrypt.org/acme/acct/(acct)
acme-client: transfer buffer: [{
  "key": {
    "kty": "RSA",
    "n": "(redacted)",
    "e": "(redacted)"
  },
  "createdAt": "2020-02-04T11:54:20Z",
  "status": "valid"
}] (808 bytes)
acme-client: transfer buffer: [{
  "status": "pending",
  "expires": "2025-03-19T11:08:03Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "(domain)"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
}] (364 bytes)
acme-client: dochngreq: https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)
acme-client: transfer buffer: [{
  "identifier": {
    "type": "dns",
    "value": "(domain)"
  },
  "status": "pending",
  "expires": "2025-03-19T11:08:03Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
      "status": "pending",
      "token": "(token)"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
      "status": "pending",
      "token": "(token)"
    },
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
      "status": "pending",
      "token": "(token)"
    }
  ]
}] (843 bytes)
acme-client: challenge, token: (token), uri: https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted), status: 0
acme-client: /var/www/letsencrypt/.well-known/acme-challenge/(token): created
acme-client: https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted): challenge
acme-client: transfer buffer: [{
  "type": "http-01",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
  "status": "pending",
  "token": "(token)"
}] (200 bytes)
acme-client: transfer buffer: [{
  "status": "pending",
  "expires": "2025-03-19T11:08:03Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "(domain)"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
}] (364 bytes)
acme-client: order.status 0
acme-client: dochngreq: https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)
acme-client: transfer buffer: [{
  "identifier": {
    "type": "dns",
    "value": "(domain)"
  },
  "status": "valid",
  "expires": "2025-04-11T11:08:06Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted)",
      "status": "valid",
      "validated": "2025-03-12T11:08:05Z",
      "token": "(token)",
      "validationRecord": [
        {
          "url": "http://(domain)/.well-known/acme-challenge/(token)",
          "hostname": "(domain)",
          "port": "80",
          "addressesResolved": [
            "(ip)"
          ],
          "addressUsed": "(ip)"
        }
      ]
    }
  ]
}] (786 bytes)
acme-client: challenge, token: (token), uri: https://acme-staging-v02.api.letsencrypt.org/acme/chall/(acct)/(auth)/(redacted), status: 2
acme-client: transfer buffer: [{
  "status": "ready",
  "expires": "2025-03-19T11:08:03Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "(domain)"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
}] (362 bytes)
acme-client: order.status 1
acme-client: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final): certificate
acme-client: transfer buffer: [{
  "status": "processing",
  "expires": "2025-03-19T11:08:03Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "(domain)"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
}] (367 bytes)
acme-client: transfer buffer: [{
  "status": "processing",
  "expires": "2025-03-19T11:08:03Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "(domain)"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/(acct)/(auth)"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(acct)/(final)"
}] (367 bytes)
acme-client: order.status 2
acme-client: unhandled status: 2
acme-client: bad exit: netproc(18700): 1
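
The handling suggested in the message above (keep polling while the order is "processing", honour Retry-After, and cap the retries both by attempts and by overall time), sketched as an added C example; it is not acme-client's code and not part of the original mail. The CA is a constructed in-memory stand-in for the POST-as-GET request, and every name and limit value is an assumption of the example.

```c
/* Order states from RFC 8555; every name in this file is the example's own. */
enum ord { ORD_PENDING, ORD_READY, ORD_PROCESSING, ORD_VALID, ORD_INVALID };
struct limits {
	unsigned max_attempts;	/* cap on number of polls */
	unsigned max_total;	/* cap on total seconds waited */
	unsigned dflt_delay;	/* delay when no Retry-After was sent */
	unsigned max_delay;	/* clamp on a server-supplied Retry-After */
};
/* Constructed stand-in for the CA: "processing" n_busy times, then final. */
struct fake_ca { unsigned n_busy, retry_after, slept; enum ord final; };
struct result { enum ord st; unsigned slept; };

/* Stand-in for one POST-as-GET on the order URL. */
static enum ord poll_order(struct fake_ca *ca, unsigned *retry_after)
{
	*retry_after = ca->retry_after;
	if (ca->n_busy == 0)
		return ca->final;
	ca->n_busy--;
	return ORD_PROCESSING;
}

/* First non-processing status, or ORD_PROCESSING once either cap is hit. */
static enum ord wait_order(struct fake_ca *ca, const struct limits *lim)
{
	unsigned attempt, delay, ra;
	enum ord st;
	for (attempt = 0; attempt < lim->max_attempts; attempt++) {
		if ((st = poll_order(ca, &ra)) != ORD_PROCESSING)
			return st;
		delay = ra ? ra : lim->dflt_delay;
		if (delay > lim->max_delay)
			delay = lim->max_delay;
		if (ca->slept + delay > lim->max_total)
			break;		/* overall time budget exhausted */
		ca->slept += delay;	/* real code would sleep(delay) here */
	}
	return ORD_PROCESSING;		/* caller fails this run and retries later */
}

/* Run one constructed scenario: 5 polls, 60 s total, 3 s default, 30 s clamp. */
struct result run_scenario(unsigned n_busy, unsigned retry_after)
{
	struct fake_ca ca = { n_busy, retry_after, 0, ORD_VALID };
	struct limits lim = { 5, 60, 3, 30 };
	struct result r = { wait_order(&ca, &lim), 0 };
	r.slept = ca.slept;
	return r;
}
```

Clamping Retry-After matters as much as the attempt cap: without it a single oversized header value from the CA would stall the run for as long as the server asked.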
