RFC 8555, "Automatic Certificate Management Environment (ACME)", March 2019Source of RFC: acme (sec)
Errata ID: 6317
Publication Format(s) : TEXT
Reported By: Matthew Holt
Date Reported: 2020-10-23
Section 7.5.1 says:
The server is said to "finalize" the authorization when it has completed one of the validations.
It should say:
The server is said to "finalize" the authorization when it has successfully completed one of the validations or failed all of them.
The current handling of failed challenges is ambiguous, or at least inefficient.
To get a certificate, a client creates an Order. The client then has to validate all Authorizations ("authzs"). For each Authorization, the client needs to successfully complete one of the offered Challenges. One successful Challenge is sufficient to validate the authz. However, currently in practice, one failed Challenge is sufficient to invalidate the authz, and thus the entire Order. To try another Challenge, the client then has to first deactivate the other Authorizations (expensive) and create a new Order (also expensive), then repeat the whole process, remembering what was already tried.
It is proposed that an Authorization MUST NOT be finalized until all possible challenges have failed. The client could then simply try the next Challenge. In other words, a single failed Challenge should not invalidate an authz; an authz should be "pending" until all offered challenges have failed or one has succeeded.
The spec should be clear that a single failed challenge is not sufficient to finalize an authz which has multiple possible challenges.
ACME servers see many, many failed validations. ACME clients need to keep more state. This change will speed up ACME transactions, lower costs for CAs, reduce code complexity, and make ACME more reliable on the whole.
Real-world experience: https://github.com/mholt/acmez/commit/80adb6d5e64a3d36a56c58c66965b131ea366b8c
Mailing list discussion: https://mailarchive.ietf.org/arch/msg/acme/wIHaqikTCZ59zrWsUUus8lZ4VSg/