Challenge error: JWS has an invalid anti-replay nonce: ... status: 400


I am trying to issue a certificate for * and a few others. I use the DNS challenge with I just started getting the urn:ietf:params:acme:error:badNonce error, status 400.

I’ve turned off IPv6 entirely, so that’s not it. The nonce keeps changing each time it fails, so it’s definitely creating a new one. The DNS challenge waits only 2 minutes for TXT records to update, so it’s not sitting there forever. Anyway, as a result I cannot renew my certificates right now, but I’ve no idea what changed. I tried updating to the newest and no change.



Hi @JamesB7

your website uses a new Letsencrypt certificate ( ):
expires in 82 days	*, *,, - 4 entries

Did you use to create these certificates or Certbot?

Your TTL is 600 seconds.

That may happen if you use different outgoing ip addresses. But you have only one ip address. Do you use more than one internal instance?

Perhaps fix the ip of Letsencrypt with a hosts entry.

My website for is able to retrieve certificates. I am using this on a different server, which hosts, and a few others, as well as the mail server. That is the one having trouble.

The CSR was created with OpenSSL. The certificates are retrieved with I do not use certbot.

For this server there is one IP address, yes.

When I run nslookup on, I get a different IP than that:

Non-authoritative answer: canonical name = canonical name =

There are (at least) two situations with that error:

  • too long a time between fetching and using a nonce, but 120 seconds is short
  • there is pooling, so local address -> nonce pool 1, other address -> nonce pool 2

But if you have only one ip address ...?

So fixing the may help.

Is it possible that you reduce your TTL?

Or the error message is wrong, a bug somewhere else.

PS: You have your own nameservers.

What happens if you use 60 or 30 seconds to wait?

Use the test system to check that.

I’ve tried reducing the TTL to 30 seconds, no luck. Also adding the /etc/hosts entry.

I don’t use Are there additional debug options and a detailed log?

Perhaps there is another error and the badNonce-error is only a side effect.

I tried renewing the same domains on another server and got the same error. Is there any way to check if there is some kind of block on the domains, or…? Really at a loss here.

badNonce errors aren’t exactly errors, and come from a different layer of the stack that isn’t considering your domain or what type of challenge you’re using.

An ACME client should resend the request with the new nonce. does that, I think, but maybe it has a bug and isn’t doing so in this case.

I’m just guessing, but…

Are you using a recent version of What does “ -v” show?

Maybe you need to upgrade it?

Can you get more detailed log information? (Note: I don’t know if’s logs can contain sensitive information like your API keys or private keys.)
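The retry behaviour described above (and the stale-nonce versus nonce-pool hypotheses earlier in the thread), as an added example that is not code from this thread or from any ACME client. The server class is a constructed stand-in that only models the nonce field of the JWS; the pool names, nonce format and round-robin routing are assumptions made for illustration.

```python
from dataclasses import dataclass

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"

@dataclass
class Response:
    status: int
    headers: dict
    body: dict

class FakeAcmeServer:
    """Constructed stand-in for an ACME front end, not a real CA. Each nonce is single-use
    and belongs to the pool that minted it; requests are spread round-robin over pools."""
    def __init__(self, pools=1):
        self.pools = [set() for _ in range(pools)]
        self._minted = 0
        self._requests = 0
    def _fresh_nonce(self, pool):
        self._minted += 1
        nonce = f"p{pool}-n{self._minted}"
        self.pools[pool].add(nonce)
        return nonce
    def _route(self):  # pool that handles the next request
        pool = self._requests % len(self.pools)
        self._requests += 1
        return pool
    def new_nonce(self):  # HEAD /acme/new-nonce
        return Response(200, {"Replay-Nonce": self._fresh_nonce(self._route())}, {})
    def post(self, jws):  # POST with a JWS body
        pool, nonce = self._route(), jws["protected"]["nonce"]
        if nonce not in self.pools[pool]:
            # RFC 8555 section 6.5: reject, but hand out a fresh nonce with the error
            body = {"type": BAD_NONCE,
                    "detail": f"JWS has an invalid anti-replay nonce: {nonce}"}
            return Response(400, {"Replay-Nonce": self._fresh_nonce(pool)}, body)
        self.pools[pool].discard(nonce)  # single use
        return Response(200, {"Replay-Nonce": self._fresh_nonce(pool)}, {"status": "valid"})

def post_with_retry(server, payload, nonce, max_retries=3):
    """Send a request; on badNonce, retry with the nonce the error response carried.
    Returns (final response, attempts used)."""
    attempts = 0
    while True:
        # Illustrative JWS: a real one also carries alg, kid/jwk, url and a signature
        resp = server.post({"protected": {"nonce": nonce}, "payload": payload})
        attempts += 1
        if resp.status == 400 and resp.body.get("type") == BAD_NONCE and attempts <= max_retries:
            nonce = resp.headers["Replay-Nonce"]
            continue
        return resp, attempts
```

With a single pool, one retry with the nonce from the error response succeeds; with two pools and round-robin routing, every retry lands on the pool that did not mint the nonce, so the client burns through its retries and still reports badNonce, which is the pattern of a fresh nonce on every failure.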

Aha! It turns out I was running 2.7.9, and had been installing updates into root instead of the user directory. I’ve got it working now.
