Failure to manually generate course certificate due to "USERID does not have a verified id"

I manually added my test student to my class exception list, as I have done for 2 other classes in which they successfully were granted completion certificates. In this new class however, when I try to generate the certificate it doesn’t work. In the tutor logs (I’m running Lilac), I see:

lms-worker_1     | 2021-11-05 14:17:41,592 WARNING 454 [edx_toggles.toggles.internal.waffle.flag] [user None] [ip None] flag.py:79 - Flag 'certificates_revamp.use_allowlist' accessed without a request
lms-worker_1     | 2021-11-05 14:17:41,596 INFO 454 [lms.djangoapps.certificates.generation_handler] [user None] [ip None] generation_handler.py:162 - USERID : COURSEID is on the certificate allowlist
lms-worker_1     | 2021-11-05 14:17:41,607 INFO 454 [lms.djangoapps.certificates.generation_handler] [user None] [ip None] generation_handler.py:227 - USERID does not have a verified id. Certificate cannot be generated for COURSEID.
lms-worker_1     | 2021-11-05 14:17:41,607 INFO 454 [lms.djangoapps.certificates.generation_handler] [user None] [ip None] generation_handler.py:165 - One of the common checks failed. Allowlist certificate cannot be generated for USERID : COURSEID.
lms-worker_1     | 2021-11-05 14:17:41,608 INFO 454 [lms.djangoapps.certificates.generation_handler] [user None] [ip None] generation_handler.py:110 - Cannot generate an allowlist certificate for USERID : COURSEID

Any ideas why the “USERID does not have a verified id” would fire, and how I can get around it?

I added more users and this fails for all of them too. So I’m thinking maybe it’s an error in the setup of my certificates. I added the class as an honor-mode course under Django → Course Modes, like I did with other classes, so I don’t think it’s that. Any suggestions on other ways to debug certificate issues?

Interestingly when I look at my Django interface it shows “Recent actions” and one of those actions seems to be adding certificates_revamp.use_allowlist to flags. But I don’t remember doing this, and googling for it shows there’s only 3 hits:

  1. The Maple documentation about it being removed (I’m not on Maple, I’m on Lilac and haven’t upgraded AFAIK.)
  2. This thread
  3. The source .py script

I would only think I would have added “certificates_revamp.use_allowlist” if I was directed to do so by some forum post. But if I can’t find any forum posts anywhere that mention it other than this one… Am I hacked? 🙂 Does Tutor just add this by default? Is it safe to delete this?

@jhynes @crice since I see you listed on this page: edx-platform/001-allowlist-cert-requirements.rst at master · edx/edx-platform · GitHub

can you explain what “The user must have an approved, unexpired, ID verification” means, because that’s where I’m getting an error, and I need to figure out why my users are getting the “does not have a verified id” error so I can try to fix it. (I know that at least my test user is definitely fully verified on the platform. I would also note that many of these users have had manually-issued certs for past classes too. So manual cert issuance was working in the past but I can’t figure out why it’s not now for this new class. I would also note that I have set the default enrollment to honor, as discussed here: "Certificates" submenu missing in Django admin - #2 by regis - Open edX - Overhang.IO, and I see everyone enrolled in honor for this honor certificate, so I don’t think it should be something to do with honor status…)

Hi Rohan!

That error is referring to the ID verification requirement when generating an AllowList certificate for a user. These are created/managed by the verify_student Django app.

If you add an approved manual verification entry (http://<django_admin_url>/admin/verify_student/manualverification/) for one of your users does it allow you to then generate the certificate?

A couple of pieces I want to verify and am curious about:

  • The course-run is set up to award Honor certificates
  • You are running the Lilac release
  • Did you recently update to the Lilac release? You said you didn’t have this issue previously, correct?

Thanks for any additional information you can provide!

Yes, apparently adding an approved manual verification for my test user does allow me to generate a certificate!

Can you explain why that became required?

And is there a way to add multiple students at once? (Because I typically have some beta testers who go through a class and thus can’t get certificates automatically in open edx apparently, so I then need to issue them manually.)

And is that going to prevent non-manually-allowlisted students from getting certificates too?

Re the other questions:

  1. Yes, the course run is set to award Honor certificates, and the default enrollment type is set to Honor
  2. Yes, I’m running Lilac
  3. I upgraded to Lilac on 2021-08-24, which also is apparently when I added the “certificates_revamp.use_allowlist” waffle flag (so I must have found it recommended somewhere…but I have no idea where.)

This is my first class since the Lilac upgrade, so it is possible that it was working on Koa and not working on Lilac and I didn’t discover it until now.

Thank you for the additional information.

I’m not aware of a way to add multiple students at once. If I find a way, I will share it.

I’m going to dig into this a bit. I need to remind myself what the Lilac codebase looks like (sorry, it’s been a bit since the release and there have been additional changes and cleanup for the Maple release).

As a workaround, you can remove the certificates_revamp.use_allowlist waffle flag. In Lilac this was optional if you wanted to take advantage of the new behavior. Removing this flag will allow you to fall back to the old behavior/code path and may unblock you.

Thank you for confirming it’s safe to remove “certificates_revamp.use_allowlist”. I did that and I could then issue certificates for all students!

No worries, thanks for the confirmation it’s a usable workaround right now.

The new AllowList behavior was opt-in in Lilac but is the default in Maple. I am checking now to see if we have something we need to fix in Maple.

Thanks for the heads up!

OK, I think there is definitely a bug here now. I found the forum posts which told me to use “certificates_revamp.use_allowlist”, it was apparently this one (no idea why that wasn’t showing up on Discuss search hits before, but it does now). Because I was also having the experience that if I didn’t have that, certificates would disappear. Now that I’ve removed it, I am once again back to certs disappearing…and it actually broke all the manually-issued certs in some classes :’( (I think they only break if someone goes and manually requests the cert…but it might also be if someone else completes the class. I’m not sure.)

so tl;dr: with “certificates_revamp.use_allowlist”, certs can’t be issued. Without it, they break post-issuance.

cc @crice who apparently made the suggestion to add “certificates_revamp.use_allowlist” in that thread.

Ah, thanks for the additional information, Rohan. I am sorry this has been such a thorn in your side.

I found the defect late last week and have a fix but still have some testing cycles to go through.

For clarification, the issue when using the new behavior (when the certificates_revamp.use_allowlist waffle flag is enabled) is with the generation of Honor certificates, not all certificates.

P.S. Unfortunately, crice is no longer with us over here. I’ll be working to fix the issue and will let you know when I have more to share.

Hi @Rohan,

I just wanted to give you a quick update. I believe I found where the issue is and have back-ported a fix to the Maple release that hopefully will fix this issue in the next release. Maple isn’t available yet (but I believe it should be available in December).

Thank you for the additional information, it helped narrow down the issue.

Best,
Justin
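
Added example, not part of any post in this thread and not edx-platform code: a small triage script for worker logs in the format quoted in the first post. It lists every (user, course) pair whose allowlist certificate was refused and whether the refusal followed the "does not have a verified id" check. The sample lines, user ids and course key are constructed; the function and constant names are hypothetical.

```python
import re

# Constructed sample in the format of the worker log lines quoted in the thread.
# User ids 101/102 and the course key are made up; the 102 sequence is contrived
# to exercise the fallback branch.
LOG_PREFIX = ("lms-worker_1     | 2021-11-05 14:17:41,607 INFO 454 "
              "[lms.djangoapps.certificates.generation_handler] "
              "[user None] [ip None] generation_handler.py:")
COURSE = "course-v1:DemoX+SEC101+2021"
SAMPLE_LOG = "\n".join([
    "lms-worker_1     | 2021-11-05 14:17:41,592 WARNING 454 "
    "[edx_toggles.toggles.internal.waffle.flag] [user None] [ip None] "
    "flag.py:79 - Flag 'certificates_revamp.use_allowlist' accessed without a request",
    f"{LOG_PREFIX}162 - 101 : {COURSE} is on the certificate allowlist",
    f"{LOG_PREFIX}227 - 101 does not have a verified id. "
    f"Certificate cannot be generated for {COURSE}.",
    f"{LOG_PREFIX}165 - One of the common checks failed. "
    f"Allowlist certificate cannot be generated for 101 : {COURSE}.",
    f"{LOG_PREFIX}110 - Cannot generate an allowlist certificate for 101 : {COURSE}",
    f"{LOG_PREFIX}162 - 102 : {COURSE} is on the certificate allowlist",
    f"{LOG_PREFIX}110 - Cannot generate an allowlist certificate for 102 : {COURSE}",
])

# "[logger] [user ...] [ip ...] file.py:NNN - message", with or without the
# "container |" prefix that tutor/docker-compose puts in front.
LINE = re.compile(r"\[(?P<logger>[\w.]+)\] \[user [^\]]*\] \[ip [^\]]*\] "
                  r"\S+:\d+ - (?P<msg>.*)$")
NO_ID = re.compile(r"(?P<user>\S+) does not have a verified id\. "
                   r"Certificate cannot be generated for (?P<course>\S+)\.$")
REFUSED = re.compile(r"Cannot generate an allowlist certificate for "
                     r"(?P<user>\S+) : (?P<course>\S+)$")

def triage(log_text):
    """Map each refused (user, course) pair to the check that blocked it."""
    failed_id_check, refused = set(), {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or not m["logger"].endswith("certificates.generation_handler"):
            continue  # ignore other loggers, e.g. the waffle flag warning
        msg = m["msg"].strip()
        if (hit := NO_ID.match(msg)):
            failed_id_check.add((hit["user"], hit["course"]))
        elif (hit := REFUSED.match(msg)):
            key = (hit["user"], hit["course"])
            refused[key] = "id_verification" if key in failed_id_check else "unknown"
    return refused

if __name__ == "__main__":
    for (user, course), reason in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user}\t{course}\t{reason}")
```

Pairs reported as `id_verification` are the accounts for which the reply above suggests adding an approved manual verification entry.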