Challenge error: JWS has an invalid anti-replay nonce: ... status: 400

Hello,

I am trying to issue a certificate for *.illusorystudios.com and a few others. I use the DNS challenge with acme.sh. I just started getting the urn:ietf:params:acme:error:badNonce error, status 400.

I’ve turned off IPv6 entirely, so that’s not it. The nonce keeps changing each time it fails, so it’s definitely creating a new one. The DNS challenge waits only 2 minutes for TXT records to update, so it’s not sitting there forever. Anyway, as a result I cannot renew my certificates right now, but I’ve no idea what changed. I tried updating to the newest acme.sh and no change.

Thanks!

James

Hi @JamesB7

Your website uses a new Letsencrypt certificate ( https://check-your-website.server-daten.de/?q=illusorystudios.com ):

CN=illusorystudios.com
01.04.2019 - 30.06.2019 (expires in 82 days)
*.faldonrpg.com, *.illusorystudios.com, faldonrpg.com, illusorystudios.com - 4 entries

Did you use acme.sh to create these certificates or Certbot?

Your TTL is 600 seconds.

That may happen if you use different outgoing ip addresses. But you have only one ip address. Do you use more than one internal instance?

Perhaps fix the ip of Letsencrypt with a hosts entry.

23.63.149.194 acme-v02.api.letsencrypt.org

My website for illusorystudios.com is able to retrieve certificates. I am using this on a different server, which hosts faldon.org, zer7.com and a few others, as well as the illusorystudios.com mail server. That is the one having trouble.

The CSR was created with OpenSSL. The certificates are retrieved with acme.sh. I do not use certbot.

For this server there is one IP address, yes.

When I run nslookup on acme-v02.api.letsencrypt.org, I get a different IP than that:

Non-authoritative answer:
acme-v02.api.letsencrypt.org canonical name = api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net canonical name = e14990.dscx.akamaiedge.net.
Name: e14990.dscx.akamaiedge.net
Address: 172.226.89.104

There are (at least) two situations with that error:

  • too long a time between fetching and using a nonce - but 120 seconds is short
  • there is pooling, so local address -> nonce pool 1, other address -> nonce pool 2

But if you have only one ip address ...?

So fixing the ip of acme-v02.api.letsencrypt.org may help.

Is it possible that you reduce your TTL?

Or the error message is wrong and it is a bug somewhere else.

PS: You have your own nameservers.

faldon.org ns1.illusorystudios.com 69.65.18.234
ns2.illusorystudios.com 66.55.80.177

What happens if you use 60 or 30 seconds to wait?

Use the test system to check that.

I’ve tried reducing the TTL to 30 seconds, no luck. Also adding the /etc/hosts entry.

I don’t use acme.sh. Are there additional debug options and a detailed log?

Perhaps there is another error and the badNonce-error is only a side effect.

I tried renewing the same domains on another server and got the same error. Is there any way to check if there is some kind of block on the domains, or…? Really at a loss here.

badNonce errors aren’t exactly errors, and come from a different layer of the stack that isn’t considering your domain or what type of challenge you’re using.

An ACME client should resend the request with the new nonce. acme.sh does that, I think, but maybe it has a bug and isn’t doing so in this case.

I’m just guessing, but…

Are you using a recent version of acme.sh? What does “acme.sh -v” show?

Maybe you need to upgrade it?

Can you get more detailed log information? (Note: I don’t know if acme.sh’s logs can contain sensitive information like your API keys or private keys.)
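As an added illustration of the retry behaviour described in this reply (example code written for this page, not code from the thread or from acme.sh): a constructed stand-in for an ACME nonce pool, and a client that retries on badNonce using the Replay-Nonce from the error response. It also covers the cross-pool case raised earlier in the thread, and a client that keeps resending its stale nonce, which is one way to stay stuck on this error. NoncePool, post_with_retry and demo are hypothetical names.

```python
import secrets

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


class NoncePool:
    """Constructed stand-in for one ACME front end: every nonce is single-use
    and is only recognised by the pool that minted it (RFC 8555, section 6.5)."""

    def __init__(self):
        self._live = set()

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self._live.add(nonce)
        return nonce

    def handle(self, request):
        """Return (status, body, replay_nonce). Every reply carries a fresh
        nonce, including the badNonce error reply; that is the one a client
        must use for its retry."""
        fresh = self.new_nonce()
        if request["nonce"] not in self._live:
            detail = "JWS has an invalid anti-replay nonce"
            return 400, {"type": BAD_NONCE, "detail": detail}, fresh
        self._live.discard(request["nonce"])  # consumed: a replay now fails
        return 200, {"status": "ok", "payload": request["payload"]}, fresh


def post_with_retry(pool, nonce, payload, max_retries=3, refresh_nonce=True):
    """Client side: send a signed request; on badNonce retry with the nonce
    from the error response, at most max_retries times.
    Returns (final_status, attempts, nonce_for_next_request)."""
    attempts = 0
    while True:
        attempts += 1
        status, body, fresh = pool.handle({"nonce": nonce, "payload": payload})
        if status == 200 or body.get("type") != BAD_NONCE or attempts > max_retries:
            return status, attempts, fresh
        # refresh_nonce=False models a client that resends the stale nonce
        # instead of the Replay-Nonce it was just given, so it never recovers.
        if refresh_nonce:
            nonce = fresh


def demo():
    pool_a, pool_b = NoncePool(), NoncePool()  # two front ends, separate pools
    n = pool_a.new_nonce()
    return {
        "first": post_with_retry(pool_a, n, "newOrder")[:2],        # (200, 1)
        "replay": post_with_retry(pool_a, n, "newOrder")[:2],       # (200, 2)
        "cross_pool": post_with_retry(pool_b, pool_a.new_nonce(), "newOrder")[:2],  # (200, 2)
        "no_refresh": post_with_retry(pool_b, pool_a.new_nonce(), "newOrder",
                                      refresh_nonce=False)[:2],     # (400, 4)
    }


if __name__ == "__main__":
    print(demo())
```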

Aha! It turns out I was running 2.7.9, and get.sh had been installing updates into root instead of the user directory. I’ve got it working now.
