Hi there,
I'm trying to create pull request for the certes client to support the alternate link relation. So the idea is the following:
1. I can optionally specify the desired root certificate issuer (similar to the `--preferred-chain` option of certbot)
2. I download the certificate from its default location
3. Check if the headers contain alternate links
4. Download the certificate from the alternate links
5. Check if one of them matches the preferred issuer
The problem is with Step 4:
When I download the certificate from its default location, the response headers contain a new Replay-Nonce. For downloading the certificate from the alternate link, I create a new JWS payload with the alternate location and this new nonce. Nonetheless I always receive a badNonce error. I also tried to generate a new nonce via the newNonceEndpoint. But also using this new nonce results in a badNonce error.
In step 2 I can replace the default location with the alternate link (i.e. typically just append `/1`) for testing purposes. Then the request works. The request also works if I don't use the nonce from the previous response but generate a new one from the newNonceEndpoint.
There are no other requests to the server between 2) and 4), so in my understanding in step 4) I have to use the nonce received in step 2). In that library the HttpClient is extended to do just this, i.e. extract the Replay-Nonce header from a response and use this value in the next request.
I also tried to look at the respective pull request for certbot. I don't really speak Python. But from my understanding, it's the same here. While processing a request, store the Replay-Nonce header from the result and use it as a nonce in the next request.
Am I misunderstanding something here? Any help is appreciated. Thanks.
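As an added illustration (not code from certes, certbot, or the post above), here is a Python sketch of the two pieces the steps describe: parsing `rel="alternate"` entries out of the Link header and keeping the Replay-Nonce bookkeeping so that each response's nonce is spent on the next request, with one retry on badNonce using the fresh nonce that RFC 8555 section 6.5 requires the error response to carry. `send` and `fetch_new_nonce` are assumed callables standing in for the real HTTP layer and JWS signing.

```python
import re
from collections import deque

BAD_NONCE = 'urn:ietf:params:acme:error:badNonce'
# One Link header entry per RFC 8288: <url>; param=value; param=value
LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[^,;]+)*)')


def parse_link_alternates(link_values):
    """Return the URLs of every Link entry whose rel includes 'alternate'."""
    urls = []
    for value in link_values:
        for url, params in LINK_RE.findall(value):
            rel = ''
            for param in params.split(';'):
                key, _, val = param.strip().partition('=')
                if key.lower() == 'rel':
                    rel = val.strip().strip('"')
            if 'alternate' in rel.lower().split():
                urls.append(url)
    return urls


class NonceTracker:
    """Pool of unused Replay-Nonce values; every response refills it."""

    def __init__(self, fetch_new_nonce):
        self._fetch_new_nonce = fetch_new_nonce  # assumed: HEAD newNonce -> nonce string
        self._pool = deque()

    def record(self, headers):
        nonce = headers.get('Replay-Nonce')
        if nonce:
            self._pool.append(nonce)

    def take(self):
        # Prefer the nonce from the previous response; only hit newNonce when the pool is dry.
        return self._pool.pop() if self._pool else self._fetch_new_nonce()


def post_as_get(tracker, send, url, max_attempts=2):
    """send(url, nonce) -> (status, headers, body); retries once on badNonce."""
    for _ in range(max_attempts):
        status, headers, body = send(url, tracker.take())
        tracker.record(headers)  # a badNonce reply must still carry a fresh Replay-Nonce
        if status == 400 and isinstance(body, dict) and body.get('type') == BAD_NONCE:
            continue
        return status, headers, body
    raise RuntimeError('badNonce persisted after retry: %s' % url)


def download_chains(tracker, send, cert_url):
    """Fetch the default chain, then every rel=alternate chain; returns {url: pem}."""
    status, headers, pem = post_as_get(tracker, send, cert_url)
    chains = {cert_url: pem}
    links = headers.get('Link', [])  # assumed shape: a str or a list of header values
    for alt_url in parse_link_alternates([links] if isinstance(links, str) else links):
        _, _, alt_pem = post_as_get(tracker, send, alt_url)
        chains[alt_url] = alt_pem
    return chains
```

Logging the nonce that went out and the Replay-Nonce that came back on each request makes it easy to see whether the value used in step 4 is really the one issued in step 2.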