badNonce error with alternate link relation

Hi there,

I'm trying to create pull request for the certes client to support the alternate link relation. So the idea is the following:

  1. I can optionally specify the desired root certificate issuer (similar to the --preferred-chain of certbot)
  2. I download the certificate from its default location
  3. Check if the headers contain alternate links
  4. Download the certificate from the alternate links
  5. Check if one of them matches the preferred issuer

The problem is with Step 4:

When I download the certificate from its default location, the response headers contain a new Replay-Nonce. For downloading the certificate from the alternate link, I create a new JWS payload with the alternate location and this new nonce. Nonetheless I always receive a badNonce error. I also tried to generate a new nonce via the newNonceEndpoint. But also using this new nonce results in a badNonce error.

In step 2 I can replace the default location with the alternate link (ie typically just append /1) for testing purposes. Then the request works. The request also works if I don't use the nonce from the previous response but generate a new one from the newNonceEndpoint.

There are no other requests to the server between 2) and 4), so in my understanding in step 4) I have use the nonce received in step 2). In that library the HttpClient is extended to do just this, ie extract the Replay-Nonce header from a response and use this value in the next request.

I also tried to look at the respective pullrequest for certbot. I don't really speak python. But from my understanding, it's the same here. While processing a request, store the Replay-Nonce header from the result and use it as a nonce in the next request.

Am I misunderstanding something here? Any help is appreciated. Thanks.

3 Likes

I don't believe you're misunderstanding anything. The fact that fetching the alternate certificate works the when using the alternate link indicates to me that the something isn't working in your jws or how you're storing/setting the nonce.

When you say "constructing the jws" & "downloading the certificate", are you re-using any existing code to do this, or are you making something new? Are you performing these tests against the staging endpoint or a locally running acme server?

Might need some examples of your code for insight to help further.

3 Likes

Hi @wiggisser

the badNonce error: Has that header a new nonce?

If yes, try it again with that nonce.

2 Likes

@JuergenAuer @eggsampler Thanks guys for your answers and your suggestions. But seems I'm just dumb ... :frowning: I had a c&p error in the second request and sent the wrong payload object. I swear I double- and triplechecked that, and yet it slipped trough. It's working now ...

3 Likes

Happens to the best of us, my friend. No worries. :slightly_smiling_face:

2 Likes

Glad I checked this thread, I was planning to start on this next week (for certes) :slight_smile: - I'll be submitting a certes PR for external account binding soon.

2 Likes

I think, I'll be able to submit this PR by the weekend. It's working right now, but I still have to update the tests ...

2 Likes