acme.sh not handling all status mentioned in RFC 8555 #6402

@rkorn86

Description

According to RFC 8555 - Applying for Certificate Issuance, there can be 5 statuses in a successful response to a request to finalize an order:

If a request to finalize an order is successful, the server will return a 200 (OK) with an updated order object. The status of the order will indicate what action the client should take:

  • "invalid": The certificate will not be issued. Consider this order process abandoned.
  • "pending": The server does not believe that the client has fulfilled the requirements. Check the "authorizations" array for entries that are still pending.
  • "ready": The server agrees that the requirements have been fulfilled, and is awaiting finalization. Submit a finalization request.
  • "processing": The certificate is being issued. Send a POST-as-GET request after the time given in the Retry-After header field of the response, if any.
  • "valid": The server has issued the certificate and provisioned its URL to the "certificate" field of the order. Download the certificate.

ACME.sh handles valid and processing only. See

acme.sh/acme.sh

Lines 5175 to 5197 in 676d766

    if _contains "$response" "\"status\":\"valid\""; then
      _debug "Order status is valid."
      Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
      _debug Le_LinkCert "$Le_LinkCert"
      if [ -z "$Le_LinkCert" ]; then
        _err "A signing error occurred: could not find Le_LinkCert"
        _err "$response"
        _on_issue_err "$_post_hook"
        return 1
      fi
      break
    elif _contains "$response" "\"processing\""; then
      _info "Order status is 'processing', let's sleep and retry."
      _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
      _debug "_retryafter" "$_retryafter"
      if [ "$_retryafter" ]; then
        _info "Sleeping for $_retryafter seconds then retrying"
        _sleep $_retryafter
      else
        _sleep 2
      fi
    else
      _err "Signing error: wrong status"

Issuing a cert via a CA that uses all of these RFC statuses will result in

[Mon Jun 16 05:31:09 PM CEST 2025] Let's finalize the order.
[Mon Jun 16 05:31:09 PM CEST 2025] Le_OrderFinalize='https://acme.rfc-ca.com/acme/fd68e22d-9391-43b7-9c81-XXX/finalize/ed892dd3-a64f-4237-ba6a-YYY'
[Mon Jun 16 05:31:15 PM CEST 2025] Signing error: wrong status

Handling status: ready was sufficient for me, but the others should be handled too:

diff --git a/acme.sh b/acme.sh
index dd21785d..1e485e5b 100755
--- a/acme.sh
+++ b/acme.sh
@@ -5183,6 +5183,16 @@ $_authorizations_map"
         return 1
       fi
       break
+    elif _contains "$response" "\"ready\""; then
+      _info "Order status is 'ready', let's sleep and retry."
+      _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
+      _debug "_retryafter" "$_retryafter"
+      if [ "$_retryafter" ]; then
+        _info "Sleeping for $_retryafter seconds then retrying"
+        _sleep $_retryafter
+      else
+        _sleep 2
+      fi
     elif _contains "$response" "\"processing\""; then
       _info "Order status is 'processing', let's sleep and retry."
       _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
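Review bot: the new branch tests the bare substring `"ready"` while the `valid` branch above anchors on `"status":"valid"`; any other string field in the order object or its embedded error object that happens to contain that token would be treated as a ready order, so use `elif _contains "$response" "\"status\":\"ready\""; then` (the pre-existing `processing` test has the same looseness). Per the RFC text quoted in the issue, `ready` after a finalize attempt means the server is still awaiting the finalize request, so sleeping and re-polling only helps if the enclosing loop re-submits the finalize POST; otherwise the order will spin until the retry budget runs out. The Retry-After parsing and sleep lines are also copied verbatim from the `processing` branch and would be better shared, and the `pending` and `invalid` statuses named in the issue still fall through to the generic "wrong status" error.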
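As an added example (not acme.sh's own code), the status extraction and action mapping in POSIX sh for the five finalize statuses quoted from the RFC above, anchored on the "status" key rather than a bare substring, plus Retry-After parsing that tolerates the HTTP-date form; the function names and sample responses are constructed for this example.

```shell
# Added example, not acme.sh code. Extracts the top-level order status by
# anchoring on the "status" key (tolerating spaces around the colon) instead
# of a bare substring such as "ready", which could match other JSON fields.
order_status() {
  printf '%s\n' "$1" |
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Retry-After in seconds from raw response headers ($1); falls back to the
# default ($2) when the header is absent or carries an HTTP-date (RFC 7231
# allows either form, and sleep needs an integer).
retry_after() {
  v=$(printf '%s\n' "$1" | grep -i '^Retry-After[[:space:]]*:' |
      cut -d : -f 2- | tr -d ' \r' | head -n 1)
  case "$v" in
    '' | *[!0-9]*) echo "$2" ;;
    *) echo "$v" ;;
  esac
}

# Map each RFC 8555 section 7.4 status to the client action it calls for.
order_action() {
  case "$(order_status "$1")" in
    valid)      echo download ;;    # GET the URL in the "certificate" field
    processing) echo poll ;;        # POST-as-GET the order after Retry-After
    ready)      echo finalize ;;    # server is waiting for the finalize POST
    pending)    echo wait-authz ;;  # some authorizations still outstanding
    invalid)    echo abandon ;;     # certificate will not be issued
    *)          echo error ;;       # missing or unknown status
  esac
}
```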
