Dehydrated on TurnkeyLinux: JWS has no anti-replay nonce

mstummer · November 10, 2019, 12:27am

Hey there! I'm running a few websites which all use TurnkeyLinux Wordpress systems. Configuring and renewing Letsencrypt via their ConfConsole used to be a breeze, but has stopped since maybe a month. There is a discussion going on there, but it doesn't look like their is a clean fix to this. Can anybody here help on what needs updating?

My domain is:
undercover-media.co.nz
I ran this command:
/usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper
It produced this output:
[2019-11-10 00:15:19] dehydrated-wrapper: INFO: started
[2019-11-10 00:15:20] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2019-11-10 00:15:20] dehydrated-wrapper: INFO: stopping apache2
[2019-11-10 00:15:21] dehydrated-wrapper: INFO: running dehydrated
+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 400)

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

[2019-11-10 00:15:26] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-11-10 00:15:26] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-11-10 00:15:26] dehydrated-wrapper: INFO: starting apache2
[2019-11-10 00:15:26] dehydrated-wrapper: INFO: starting stunnel4
[2019-11-10 00:15:26] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.

My web server is (include version):
Apache 2.4.25
The operating system my web server runs on is (include version):
Debian 9.6
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
confconsole 1.1.0
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
(dehydrated 0.3.1)
EDIT: dehydrated 0.6.2

I did try to add the following lines to /etc/dehydrated/confconsole.config

CA="https://acme-v02.api.letsencrypt.org/directory"
CA_TERMS="https://acme-v02.api.letsencrypt.org/terms"

which then raised the following error

ERROR: Certificate authority doesn't allow certificate signing

danb35 · November 10, 2019, 1:07am

That version is over three years old--why aren't you using a more current release?

mstummer · November 10, 2019, 1:39am

Hey dan! I've run...

apt-get update
apt-get dist-upgrade

...and that's the latest and greatest I get via the normal repos.
Where/how can I get a newer version?

Cheers, Max

danb35 · November 10, 2019, 1:42am

Get it from:

I wouldn't expect a simple shell script to be part of your OS packages, though I could certainly be wrong there. But if you look at the releases on that github page, you'll see that ACMEv2 support wasn't added until version 0.6. With the deprecation of ACMEv1, that seems a likely explanation for what you're seeing.

mstummer · November 10, 2019, 1:51am

Sorry for the confusion, I was too quick when writing down the versions. Looks like I'm on 0.6.2

root@community ~# apt list | grep dehydrated
dehydrated/stretch-backports,now 0.6.2-2+deb10u1~bpo9+1 all [installed]
dehydrated-apache2/oldstable 0.3.1-3+deb9u2 all
dehydrated-hook-ddns-tsig/stretch-backports 0.1.4-3~bpo9+1 all

system · December 10, 2019, 1:51am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.