Cannot add 36th SAN for certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

I ran this command: I wanted to add one more domain.

It produced this output:
HTTP/2 400
server: nginx
date: Tue, 05 Dec 2023 09:42:44 GMT
content-type: application/problem+json
content-length: 177
boulder-requester: 1449151366
cache-control: public, max-age=0, no-cache
replay-nonce: V03LKs9TFvBPTphz8UsRU_Jut6QV5-xUEfzg4ewDDbXCwEyLG3Y

"type": "urn:ietf:params:acme:error:badNonce",
"detail": "JWS has an invalid anti-replay nonce: "MGOHGLivtLXTjBaNWpEgVsnSh7oWw8V92NP9iSdoR_sXgx2Zp2s"",
"status": 400


My web server is (include version): nginx / 1.22.1

The operating system my web server runs on is (include version): Ubuntu 20.04.5

My hosting provider, if applicable, is:DigitalOcean, provisioned by Laravel Forge.

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Laravel Forge

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Using

This sounds pretty clear to me.

As for why dehydrated is doing this, I have no idea.


Yeah, that's usually an error that the ACME client just retries and all is well.

Have you gotten this problem more than once? Have you tried in the staging environment?


Are you getting all those names on one single cert?
If so, do you really need to use one single cert?


Dehydrated should automatically try again when encountering an invalid anti-replay nonce error. Maybe you're running an outdated version of dehydrated? Unfortunately you didn't specify the version you're using.

You also might consider using a wildcard certificate for * with all those subdomains. It would require using the dns-01 challenge though and I'm not sure if LinQhost has an API to add and remove the required TXT records automatically. Otherwise you might be able to run your own intstance of acme-dns, which would only require a static CNAME in the zone.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.