Acme.sh works with "--staging" but without comes "JWS has invalid anti-replay nonce"

We use acme.sh a lot, but now I see a strange behaviour and can’t find the issue. For domain “sa.zmi.at” I run the script with “--staging” and it always works:

/backup/scripts_multihost/.acme.sh/acme.sh --home /backup/scripts_multihost/.acme.sh/ --issue -d sa.zmi.at -w /www/zmi.at.sa --debug --staging --force

http s://github.com/Neilpang/acme.sh
v2.5.0
[Sat Aug 26 13:40:50 CEST 2017] Lets guess script dir.
[Sat Aug 26 13:40:50 CEST 2017] SCRIPT=’/backup/scripts_multihost/.acme.sh/acme.sh’
[Sat Aug 26 13:40:50 CEST 2017] _script=’/backup/scripts_multihost/.acme.sh/acme.sh’
[Sat Aug 26 13:40:50 CEST 2017] _script_home=’/backup/scripts_multihost/.acme.sh’
[Sat Aug 26 13:40:50 CEST 2017] Using stage api:http s://acme-staging.api.letsencrypt.org
[Sat Aug 26 13:40:50 CEST 2017] DOMAIN_PATH=’/backup/scripts_multihost/.acme.sh//sa.zmi.at’
[Sat Aug 26 13:40:50 CEST 2017] Le_NextRenewTime=‘1510648781’
[Sat Aug 26 13:40:50 CEST 2017] ‘/www/zmi.at.sa’ does not contain ‘no’
[Sat Aug 26 13:40:50 CEST 2017] ‘/www/zmi.at.sa’ does not contain ‘tls’
[Sat Aug 26 13:40:50 CEST 2017] ‘/www/zmi.at.sa’ does not contain ‘apache’
[Sat Aug 26 13:40:50 CEST 2017] RSA key
[Sat Aug 26 13:40:50 CEST 2017] Registering account
[Sat Aug 26 13:40:50 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/acme/new-reg’
[Sat Aug 26 13:40:50 CEST 2017] payload=’{“resource”: “new-reg”, “agreement”: “http s://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf”}’
[Sat Aug 26 13:40:50 CEST 2017] RSA key
[Sat Aug 26 13:40:51 CEST 2017] GET
[Sat Aug 26 13:40:51 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/directory’
[Sat Aug 26 13:40:51 CEST 2017] timeout
[Sat Aug 26 13:40:51 CEST 2017] _CURL=‘curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header ‘
[Sat Aug 26 13:40:51 CEST 2017] ret=‘0’
[Sat Aug 26 13:40:51 CEST 2017] POST
[Sat Aug 26 13:40:51 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/acme/new-reg’
[Sat Aug 26 13:40:51 CEST 2017] _CURL=‘curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header ‘
[Sat Aug 26 13:40:52 CEST 2017] _ret=‘0’
[Sat Aug 26 13:40:52 CEST 2017] code=‘409’
[Sat Aug 26 13:40:52 CEST 2017] Already registered
[Sat Aug 26 13:40:52 CEST 2017] Read key length:
[Sat Aug 26 13:40:52 CEST 2017] _createcsr
[Sat Aug 26 13:40:52 CEST 2017] Single domain=‘sa.zmi.at
[Sat Aug 26 13:40:52 CEST 2017] Verify each domain
[Sat Aug 26 13:40:52 CEST 2017] Getting webroot for domain=‘sa.zmi.at
[Sat Aug 26 13:40:52 CEST 2017] _w=’/www/zmi.at.sa’
[Sat Aug 26 13:40:52 CEST 2017] _currentRoot=’/www/zmi.at.sa’
[Sat Aug 26 13:40:52 CEST 2017] Getting token for domain=‘sa.zmi.at
[Sat Aug 26 13:40:52 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/acme/new-authz’
[Sat Aug 26 13:40:52 CEST 2017] payload=’{“resource”: “new-authz”, “identifier”: {“type”: “dns”, “value”: “sa.zmi.at”}}’
[Sat Aug 26 13:40:52 CEST 2017] RSA key
[Sat Aug 26 13:40:53 CEST 2017] GET
[Sat Aug 26 13:40:53 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/directory’
[Sat Aug 26 13:40:53 CEST 2017] timeout
[Sat Aug 26 13:40:53 CEST 2017] _CURL=‘curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header ‘
[Sat Aug 26 13:40:53 CEST 2017] ret=‘0’
[Sat Aug 26 13:40:53 CEST 2017] POST
[Sat Aug 26 13:40:53 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/acme/new-authz’
[Sat Aug 26 13:40:54 CEST 2017] _CURL=‘curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header ‘
[Sat Aug 26 13:40:54 CEST 2017] _ret=‘0’
[Sat Aug 26 13:40:54 CEST 2017] code=‘201’
[Sat Aug 26 13:40:54 CEST 2017] entry=’“type”:“http-01”,“status”:“valid”,“uri”:“http s://acme-staging.api.letsencrypt.org/acme/challenge/xBrWjdwSJ-MFShrk3LfNh0sLNY1zMvZH0FEgGVQOYME/55291773”,“token”:“OG6Ir81xPE_f3mHjqdvXUavcIl2X8YPCwzW6z5L36zE”,“keyAuthorization”:“OG6Ir81xPE_f3mHjqdvXUavcIl2X8YPCwzW6z5L36zE._4Yeqbc17b0iI6eo5phuilLj6mVWMALZuss2b1CQn9o”,“validationRecord”:[{“url”:“http ://sa.zmi.at/.well-known/acme-challenge/OG6Ir81xPE_f3mHjqdvXUavcIl2X8YPCwzW6z5L36zE”,“hostname”:“sa.zmi.at”,“port”:“80”,“addressesResolved”:[“212.69.164.58”],“addressUsed”:“212.69.164.58”,“addressesTried”:[]’
[Sat Aug 26 13:40:54 CEST 2017] token=‘OG6Ir81xPE_f3mHjqdvXUavcIl2X8YPCwzW6z5L36zE’
[Sat Aug 26 13:40:54 CEST 2017] uri=‘http s://acme-staging.api.letsencrypt.org/acme/challenge/xBrWjdwSJ-MFShrk3LfNh0sLNY1zMvZH0FEgGVQOYME/55291773’
[Sat Aug 26 13:40:54 CEST 2017] keyauthorization=‘OG6Ir81xPE_f3mHjqdvXUavcIl2X8YPCwzW6z5L36zE._4Yeqbc17b0iI6eo5phuilLj6mVWMALZuss2b1CQn9o’
[Sat Aug 26 13:40:54 CEST 2017] sa.zmi.at is already verified, skip.
[Sat Aug 26 13:40:54 CEST 2017] keyauthorization=‘verified_ok’
[Sat Aug 26 13:40:54 CEST 2017] dvlist=‘sa.zmi.at#verified_ok#http s://acme-staging.api.letsencrypt.org/acme/challenge/xBrWjdwSJ-MFShrk3LfNh0sLNY1zMvZH0FEgGVQOYME/55291773#http-01#/www/zmi.at.sa’
[Sat Aug 26 13:40:54 CEST 2017] sa.zmi.at is already verified, skip http-01.
[Sat Aug 26 13:40:54 CEST 2017] ok, let’s start to verify
[Sat Aug 26 13:40:54 CEST 2017] sa.zmi.at is already verified, skip http-01.
[Sat Aug 26 13:40:54 CEST 2017] pid
[Sat Aug 26 13:40:54 CEST 2017] Verify finished, start to sign.
[Sat Aug 26 13:40:54 CEST 2017] i=‘2’
[Sat Aug 26 13:40:54 CEST 2017] j=‘14’
[Sat Aug 26 13:40:54 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/acme/new-cert’
[Sat Aug 26 13:40:54 CEST 2017] payload=’{“resource”: “new-cert”, “csr”: “MIICWTCCAUECAQAwFDESMBAGA1UEAxMJc2Euem1pLmF0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7vUhD0SMKmbj4Qh_Q4UDjaXEgevP_SFOxXYvFN9isQws0MrYQsfxs6tDrCsKbqP6vP2J6LA4TM0qrIgEY8V6aiXoEXheXrAvLhbBJbeCXbu196bVOaA0b63lOAHSgtk65cwLNwtEAAsPNUFoJ5xcPrfkvy4a28ECerEwokFgW7TtR0rn-fkfbEFh6RGMvEF8ET6-4Tr5c865RsbFj-PqSVm41JNDOc6q7NwRy4FMV5NXUrvOmVGyY5PcmqyHM5gWf8swDapYdy6ccm3TKJAnJY39QytIglybkLBWZqm94no832DVoyycWy4X4oShHLieYrY2M8FK4W9r3yWZgE35vQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAE6QmRPQrc-HcGbcvifYHQOdivr6kG8v2b6dyR9SrSx38btL35lKCA3-DiBP-zUe_CI0xS1Cx8RaUpEFEVsBGggNb7t3tWQVHSiiY4Mtvz1FTLtZx43kzzv65GRbqN7xwMIJbfguxmDszji_3K3RpiYnBmM6h_lMlI8ABb7-LroOp8UBWMEg5vbJ13yovbDhNxZIu1QxL0oJlZTRFHWlbxKVIxiXCy-V1ZdzLE1vxvklr0-Hq7c9bBO4FCu4LojyM0wOz6zGZdBkXXOorh18vKMH73lzVt1A_ECoI1S_1PjIGSrYNaMLwetCTPxNiRJ4GJ1ZyZQgQvZK-AC8v21EJb4”}’
[Sat Aug 26 13:40:55 CEST 2017] RSA key
[Sat Aug 26 13:40:55 CEST 2017] GET
[Sat Aug 26 13:40:55 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/directory’
[Sat Aug 26 13:40:55 CEST 2017] timeout
[Sat Aug 26 13:40:55 CEST 2017] _CURL='curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header '
[Sat Aug 26 13:40:56 CEST 2017] ret=‘0’
[Sat Aug 26 13:40:56 CEST 2017] POST
[Sat Aug 26 13:40:56 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/acme/new-cert’
[Sat Aug 26 13:40:56 CEST 2017] _CURL='curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header '
[Sat Aug 26 13:40:56 CEST 2017] _ret=‘0’
[Sat Aug 26 13:40:56 CEST 2017] code=‘201’
[Sat Aug 26 13:40:56 CEST 2017] GET
[Sat Aug 26 13:40:56 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/acme/cert/faa43dda5b2b7f916b3742a98958b397cff8’
[Sat Aug 26 13:40:56 CEST 2017] timeout
[Sat Aug 26 13:40:56 CEST 2017] _CURL='curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header '
[Sat Aug 26 13:40:57 CEST 2017] ret=‘0’
[Sat Aug 26 13:40:57 CEST 2017] Cert success.
[Sat Aug 26 13:40:57 CEST 2017] Your cert is in /backup/scripts_multihost/.acme.sh//sa.zmi.at/sa.zmi.at.cer
[Sat Aug 26 13:40:57 CEST 2017] Your cert key is in /backup/scripts_multihost/.acme.sh//sa.zmi.at/sa.zmi.at.key
[Sat Aug 26 13:40:57 CEST 2017] Using sed -i
[Sat Aug 26 13:40:57 CEST 2017] GET
[Sat Aug 26 13:40:57 CEST 2017] url=‘http s://acme-staging.api.letsencrypt.org/acme/issuer-cert’
[Sat Aug 26 13:40:57 CEST 2017] timeout
[Sat Aug 26 13:40:57 CEST 2017] _CURL='curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header '
[Sat Aug 26 13:40:57 CEST 2017] ret=‘0’
[Sat Aug 26 13:40:57 CEST 2017] The intermediate CA cert is in /backup/scripts_multihost/.acme.sh//sa.zmi.at/ca.cer
[Sat Aug 26 13:40:57 CEST 2017] And the full chain certs is there: /backup/scripts_multihost/.acme.sh//sa.zmi.at/fullchain.cer
[Sat Aug 26 13:40:57 CEST 2017] Using sed -i
[Sat Aug 26 13:40:57 CEST 2017] Using sed -i

But then I call the same script without --staging, and always get “JWS has invalid anti-replay nonce”:

/backup/scripts_multihost/.acme.sh/acme.sh --home /backup/scripts_multihost/.acme.sh/ --issue -d sa.zmi.at -w /www/zmi.at.sa --debug --force

http s://github.com/Neilpang/acme.sh
v2.5.0
[Sat Aug 26 13:48:21 CEST 2017] Lets guess script dir.
[Sat Aug 26 13:48:21 CEST 2017] SCRIPT=’/backup/scripts_multihost/.acme.sh/acme.sh’
[Sat Aug 26 13:48:21 CEST 2017] _script=’/backup/scripts_multihost/.acme.sh/acme.sh’
[Sat Aug 26 13:48:21 CEST 2017] _script_home=’/backup/scripts_multihost/.acme.sh’
[Sat Aug 26 13:48:21 CEST 2017] DOMAIN_PATH=’/backup/scripts_multihost/.acme.sh//sa.zmi.at’
[Sat Aug 26 13:48:21 CEST 2017] Le_NextRenewTime=‘1510659657’
[Sat Aug 26 13:48:21 CEST 2017] ‘/www/zmi.at.sa’ does not contain ‘no’
[Sat Aug 26 13:48:21 CEST 2017] ‘/www/zmi.at.sa’ does not contain ‘tls’
[Sat Aug 26 13:48:21 CEST 2017] ‘/www/zmi.at.sa’ does not contain ‘apache’
[Sat Aug 26 13:48:21 CEST 2017] RSA key
[Sat Aug 26 13:48:22 CEST 2017] Registering account
[Sat Aug 26 13:48:22 CEST 2017] url=‘http s://acme-v01.api.letsencrypt.org/acme/new-reg’
[Sat Aug 26 13:48:22 CEST 2017] payload=’{“resource”: “new-reg”, “agreement”: “http s://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf”}’
[Sat Aug 26 13:48:22 CEST 2017] RSA key
[Sat Aug 26 13:48:23 CEST 2017] GET
[Sat Aug 26 13:48:23 CEST 2017] url=‘http s://acme-v01.api.letsencrypt.org/directory’
[Sat Aug 26 13:48:23 CEST 2017] timeout
[Sat Aug 26 13:48:23 CEST 2017] _CURL='curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header '
[Sat Aug 26 13:48:23 CEST 2017] ret=‘0’
[Sat Aug 26 13:48:23 CEST 2017] POST
[Sat Aug 26 13:48:23 CEST 2017] url=‘http s://acme-v01.api.letsencrypt.org/acme/new-reg’
[Sat Aug 26 13:48:23 CEST 2017] _CURL='curl -L --silent --dump-header /backup/scripts_multihost/.acme.sh//http.header '
[Sat Aug 26 13:48:24 CEST 2017] _ret=‘0’
[Sat Aug 26 13:48:24 CEST 2017] code=‘400’
[Sat Aug 26 13:48:24 CEST 2017] Register account Error: {“type”:“urn:acme:error:badNonce”,“detail”:“JWS has invalid anti-replay nonce GQJzrESCdlHIn65IdJ26ktrbVrmKkwzcbDlVEOxxIg4”,“status”: 400}
[Sat Aug 26 13:48:24 CEST 2017] pid

The same issue happens when I upgrade acme.sh from 2.5.0 to 2.7.3, so that’s not the problem. Any ideas?

Sorry, I had to replace every https with “http s” because “the number of links are limited for new people”.

Report issues at GitHub issues.
And paste your --debug 2 log there.

reported: https://github.com/Neilpang/acme.sh/issues/998
closing here
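
To compare two runs like the ones in this thread, the following added example (not part of any post here and not acme.sh code) reduces an acme.sh `--debug` log to one line per signed POST and picks out the first ACME error. It assumes the `POST` / `url=` / `code=` line layout shown in the logs above; the function names are hypothetical, and the sample logs, host names and nonce value are constructed.

```shell
#!/bin/sh
# Added example: summarise the signed POSTs in an acme.sh --debug log.

# Print "endpoint status [acme-error]" for each POST in log file $1.
acme_post_summary() {
  awk '
    function emit() { if (pending != "") print pending; pending = "" }
    # Drop the leading [timestamp] prefix when present.
    { i = index($0, "] "); if (substr($0, 1, 1) == "[" && i > 0) $0 = substr($0, i + 2) }
    $0 == "POST"        { emit(); in_post = 1; ep = "?"; next }
    in_post && /^url=/  { ep = $0; sub(/.*\//, "", ep); gsub(/[^A-Za-z0-9-]/, "", ep); next }
    in_post && /^code=/ { code = $0; gsub(/[^0-9]/, "", code)
                          pending = ep " " code; in_post = 0; next }
    # An ACME problem document after the status line names the error type.
    pending != "" && /urn:acme:error:/ {
      e = $0; sub(/.*urn:acme:error:/, "", e); sub(/[^A-Za-z].*/, "", e)
      pending = pending " " e; emit()
    }
    END { emit() }
  ' "$1"
}

# Print the first POST that was answered with an ACME error document.
acme_first_error() { acme_post_summary "$1" | awk 'NF == 3 { print; exit }'; }

# Constructed sample logs modelled on the two runs in the post (placeholder hosts).
write_samples() {
  cat > "$1/staging.log" <<'EOF'
[Sat Aug 26 13:40:51 CEST 2017] POST
[Sat Aug 26 13:40:51 CEST 2017] url='https://staging.example.test/acme/new-reg'
[Sat Aug 26 13:40:52 CEST 2017] code='409'
[Sat Aug 26 13:40:53 CEST 2017] POST
[Sat Aug 26 13:40:53 CEST 2017] url='https://staging.example.test/acme/new-authz'
[Sat Aug 26 13:40:54 CEST 2017] code='201'
EOF
  cat > "$1/prod.log" <<'EOF'
[Sat Aug 26 13:48:23 CEST 2017] POST
[Sat Aug 26 13:48:23 CEST 2017] url='https://prod.example.test/acme/new-reg'
[Sat Aug 26 13:48:24 CEST 2017] code='400'
[Sat Aug 26 13:48:24 CEST 2017] Register account Error: {"type":"urn:acme:error:badNonce","detail":"JWS has invalid anti-replay nonce CONSTRUCTED","status": 400}
EOF
}

d=$(mktemp -d) && write_samples "$d"
acme_post_summary "$d/staging.log"; acme_first_error "$d/prod.log"
```

Run against the two real logs, the summary makes it visible that the production run stops at the first signed POST (new-reg), before any authorization or certificate request is sent.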
