Avoid using acme.client poll_and_finalize() method
Closed, ResolvedPublic

Description

The poll_and_finalize() method raises the same exception whether the deadline is reached while polling the authorizations or during the order finalization, so certcentral cannot tell from the exception raised whether the finalization request has been sent or not. In some scenarios this triggers the Order's status ("valid") is not acceptable for finalization error that has been observed during the tests and in other tasks like T207725.
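
The failure mode above, as an added example that is neither certcentral's code nor the acme library's: FakeAcmeClient is a constructed in-memory ACME order (poll budgets stand in for wall-clock deadlines), and complete_order() splits the work into a polling phase and a finalize phase that time out with different exceptions, so the caller knows whether finalize() was sent and recovers by polling the order instead of finalizing it again.

```python
class OrderStatusError(Exception): "CA rejects finalize(); worded like the error in the description."
class PollTimeout(Exception): "Budget spent polling authorizations: finalize() was never sent."
class FinalizeTimeout(Exception): "Budget spent after finalize() was sent: order may still turn valid."

class FakeAcmeClient:
    """Constructed in-memory stand-in for one ACME v2 order (not the acme library)."""
    def __init__(self, authz_polls, order_polls):
        self.authz_polls = authz_polls  # polls until all authorizations are valid
        self.order_polls = order_polls  # polls until the finalized order is valid
        self.status = "pending"
        self.finalize_calls = 0
    def _advance(self):
        # The CA keeps working between requests: a processing order becomes valid.
        if self.status == "processing" and self.order_polls <= 0:
            self.status = "valid"
    def poll_authorizations(self):
        self._advance()
        if self.authz_polls > 0:
            self.authz_polls -= 1
            return False
        if self.status == "pending":
            self.status = "ready"
        return True
    def finalize(self):
        self._advance()
        self.finalize_calls += 1
        if self.status != "ready":
            raise OrderStatusError('Order\'s status ("%s") is not acceptable for finalization' % self.status)
        self.status = "processing"
    def poll_order(self):
        self._advance()
        self.order_polls -= 1
        return self.status

def complete_order(client, budget):
    """Poll authorizations, finalize exactly once, then wait: each phase has its own timeout."""
    for _ in range(budget):
        if client.poll_authorizations():
            break
    else:
        raise PollTimeout("authorizations still pending; finalize() not sent, safe to restart")
    client.finalize()
    return wait_for_valid(client, budget)

def wait_for_valid(client, budget):
    """Recovery after FinalizeTimeout: keep polling the order, never finalize again."""
    for _ in range(budget):
        if client.poll_order() == "valid":
            return "valid"
    raise FinalizeTimeout("finalize() sent; poll the order instead of finalizing again")
```

Retrying complete_order() blindly after a FinalizeTimeout reproduces the "valid" is not acceptable for finalization rejection; calling wait_for_valid() instead completes the order with a single finalize() request.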

Related Objects

Mentioned In
T209475: store non-config files in /var/lib/certcentral
rOSCC925f30781e3e: debian: Add release 0.7 to changelog
rOSCC1b703fe3cf77: Release 0.7
rOSCCf88358d69e2e: acme_requests: Fix finalize_order() exception handling
rOSCCdc9bbe53740b: Release 0.7
rOSCC4ef41c70e1f0: acme_requests: Fix finalize_order() exception handling
T208970: certcentral wrongly handles acme.errors.ValidationError exception
T208948: certcentral "wrongly" assumes that a new order always implies fulfilling new challenges
T208859: certcentral: keep track of orders and authorizations IDs when issuing certificates
rOSCC39e0a2e35866: debian: Add release 0.6 to changelog
rOSCC69fff94a8845: Release 0.6
rOSCC058861ec08f1: certcentral: Stop using acme.client.poll_and_finalize()
rOSCCd1583469c43c: Release 0.6
rOSCC8969ef7d32ed: certcentral: Stop using acme.client.poll_and_finalize()
rOSCC6169b5facae5: certcentral: Stop using acme.client.poll_and_finalize()
rOSCCd8ecb5c6b2d9: certcentral: Stop using acme.client.poll_and_finalize()
rOSCC2402b587c2ef: certcentral: Stop using acme.client.poll_and_finalize()
Mentioned Here
T209475: store non-config files in /var/lib/certcentral
T208859: certcentral: keep track of orders and authorizations IDs when issuing certificates
T208948: certcentral "wrongly" assumes that a new order always implies fulfilling new challenges
T208970: certcentral wrongly handles acme.errors.ValidationError exception
T207725: Check challenges status on LE side before finalizing the order and fetching the certificate
Restricted Application added a subscriber: Aklapper. Nov 7 2018, 5:48 PM

Change 472487 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Stop using acme.client.poll_and_finalize()

https://gerrit.wikimedia.org/r/472487

Change 472487 merged by jenkins-bot:
[operations/software/certcentral@master] certcentral: Stop using acme.client.poll_and_finalize()

https://gerrit.wikimedia.org/r/472487

Change 472621 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] Release 0.6

https://gerrit.wikimedia.org/r/472621

Change 472621 merged by Vgutierrez:
[operations/software/certcentral@master] Release 0.6

https://gerrit.wikimedia.org/r/472621

Change 472624 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Stop using acme.client.poll_and_finalize()

https://gerrit.wikimedia.org/r/472624

Change 472625 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] Release 0.6

https://gerrit.wikimedia.org/r/472625

Change 472624 merged by Vgutierrez:
[operations/software/certcentral@debian] certcentral: Stop using acme.client.poll_and_finalize()

https://gerrit.wikimedia.org/r/472624

Change 472625 merged by Vgutierrez:
[operations/software/certcentral@debian] Release 0.6

https://gerrit.wikimedia.org/r/472625

Change 472626 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] debian: Add release 0.6 to changelog

https://gerrit.wikimedia.org/r/472626

Change 472626 merged by Vgutierrez:
[operations/software/certcentral@debian] debian: Add release 0.6 to changelog

https://gerrit.wikimedia.org/r/472626

Test results against LE staging environment are really promising:

certcentral1001
Nov 09 12:05:31 certcentral1001 certcentral-backend[30803]: SIGHUP received
Nov 09 12:05:31 certcentral1001 certcentral-backend[30803]: Missing/invalid DNS zone updater CMD timeout, using the default one: 60.00
Nov 09 12:05:31 certcentral1001 certcentral-backend[30803]: Number of certificates per status: Counter({'INITIAL': 2})
Nov 09 12:05:31 certcentral1001 certcentral-backend[30803]: Creating initial self-signed certificate for pinkunicorn / rsa-2048
Nov 09 12:05:31 certcentral1001 certcentral-backend[30803]: Creating initial self-signed certificate for pinkunicorn / ec-prime256v1
Nov 09 12:05:31 certcentral1001 certcentral-backend[30803]: Starting main loop...
Nov 09 12:05:31 certcentral1001 certcentral-backend[30803]: Handling new certificate event for pinkunicorn / rsa-2048
Nov 09 12:05:33 certcentral1001 certcentral-backend[30803]: Skipping challenge validation for certificate pinkunicorn / rsa-2048
Nov 09 12:05:33 certcentral1001 certcentral-backend[30803]: Handling new certificate event for pinkunicorn / ec-prime256v1
Nov 09 12:05:33 certcentral1001 certcentral-backend[30803]: Skipping challenge validation for certificate pinkunicorn / ec-prime256v1
Nov 09 12:05:38 certcentral1001 certcentral-backend[30803]: Handling pushed challenges event for pinkunicorn / rsa-2048
Nov 09 12:05:39 certcentral1001 certcentral-backend[30803]: Handling order finalized event for pinkunicorn / rsa-2048
Nov 09 12:05:40 certcentral1001 certcentral-backend[30803]: Pushing the new certificate for pinkunicorn / rsa-2048
Nov 09 12:05:40 certcentral1001 certcentral-backend[30803]: Handling pushed challenges event for pinkunicorn / ec-prime256v1
Nov 09 12:05:41 certcentral1001 certcentral-backend[30803]: Handling order finalized event for pinkunicorn / ec-prime256v1
Nov 09 12:05:43 certcentral1001 certcentral-backend[30803]: Pushing the new certificate for pinkunicorn / ec-prime256v1
certcentral2001
Nov 09 12:05:30 certcentral2001 certcentral-backend[3275]: SIGHUP received
Nov 09 12:05:30 certcentral2001 certcentral-backend[3275]: Missing/invalid DNS zone updater CMD timeout, using the default one: 60.00
Nov 09 12:05:30 certcentral2001 certcentral-backend[3275]: Number of certificates per status: Counter({'INITIAL': 2})
Nov 09 12:05:30 certcentral2001 certcentral-backend[3275]: Creating initial self-signed certificate for pinkunicorn / ec-prime256v1
Nov 09 12:05:30 certcentral2001 certcentral-backend[3275]: Creating initial self-signed certificate for pinkunicorn / rsa-2048
Nov 09 12:05:31 certcentral2001 certcentral-backend[3275]: Starting main loop...
Nov 09 12:05:31 certcentral2001 certcentral-backend[3275]: Handling new certificate event for pinkunicorn / ec-prime256v1
Nov 09 12:05:32 certcentral2001 certcentral-backend[3275]: Skipping challenge validation for certificate pinkunicorn / ec-prime256v1
Nov 09 12:05:32 certcentral2001 certcentral-backend[3275]: Handling new certificate event for pinkunicorn / rsa-2048
Nov 09 12:05:33 certcentral2001 certcentral-backend[3275]: Skipping challenge validation for certificate pinkunicorn / rsa-2048
Nov 09 12:05:38 certcentral2001 certcentral-backend[3275]: Handling pushed challenges event for pinkunicorn / ec-prime256v1
Nov 09 12:05:39 certcentral2001 certcentral-backend[3275]: Handling order finalized event for pinkunicorn / ec-prime256v1
Nov 09 12:05:40 certcentral2001 certcentral-backend[3275]: Pushing the new certificate for pinkunicorn / ec-prime256v1
Nov 09 12:05:40 certcentral2001 certcentral-backend[3275]: Handling pushed challenges event for pinkunicorn / rsa-2048
Nov 09 12:05:43 certcentral2001 certcentral-backend[3275]: Handling order finalized event for pinkunicorn / rsa-2048
Nov 09 12:05:44 certcentral2001 certcentral-backend[3275]: Pushing the new certificate for pinkunicorn / rsa-2048

Change 472676 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] acme_requests: Fix finalize_order() exception handling

https://gerrit.wikimedia.org/r/472676

Change 472676 merged by jenkins-bot:
[operations/software/certcentral@master] acme_requests: Fix finalize_order() exception handling

https://gerrit.wikimedia.org/r/472676

Change 473754 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] Release 0.7

https://gerrit.wikimedia.org/r/473754

Change 473754 merged by jenkins-bot:
[operations/software/certcentral@master] Release 0.7

https://gerrit.wikimedia.org/r/473754

Change 473757 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] acme_requests: Fix finalize_order() exception handling

https://gerrit.wikimedia.org/r/473757

Change 473758 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] Release 0.7

https://gerrit.wikimedia.org/r/473758

Change 473759 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] debian: Add release 0.7 to changelog

https://gerrit.wikimedia.org/r/473759

Change 473757 merged by jenkins-bot:
[operations/software/certcentral@debian] acme_requests: Fix finalize_order() exception handling

https://gerrit.wikimedia.org/r/473757

Change 473758 merged by jenkins-bot:
[operations/software/certcentral@debian] Release 0.7

https://gerrit.wikimedia.org/r/473758

Change 473759 merged by jenkins-bot:
[operations/software/certcentral@debian] debian: Add release 0.7 to changelog

https://gerrit.wikimedia.org/r/473759

Mentioned in SAL (#wikimedia-operations) [2018-11-16T05:47:47Z] <vgutierrez> uploaded certcentral 0.7 to apt.wikimedia.org (stretch) - T208967 T209475

Vgutierrez closed this task as Resolved. Tue, Nov 20, 4:55 PM
Vgutierrez triaged this task as Normal priority.
Vgutierrez removed a project: Patch-For-Review.