Gethttpsforfree invalid anti-replay nonce problem

This problem still seems to be around. I had to make 5 attempts before getting anything but the invalid anti-replay nonce message.
I have not had the problem previously, initial cert and 6 renewals, and am using the same method as before, i.e. I have to do this since my webhost does not support any of the automated methods.

Hi @Oldbutgold,

I moved your post to a new thread since it's unlikely to be related to other folks' historical anti-replay nonce problems.

I'm not especially familiar with this service. Can you describe the overall process step-by-step and include the amount of clock-time that elapses between each step? The anti-replay nonces have a validity period defined by system load that can sometimes be as low as ~5-10 minutes.

The design of Let's Encrypt was strongly intended to be used with software that can perform the required steps on your behalf much faster than a human could. Similarly, a real ACME client is able to automatically get a new nonce when it tries a nonce but fails. The gethttpsforfree service won't be able to do that for you. Long term I would definitely suggest you evaluate a different webhost that would give you shell access or that would support Let's Encrypt integration to do this work on your behalf.

@cpu, the service is pretty popular. I think it was the first-ever web-based Let’s Encrypt client. Recently ZeroSSL has probably been a bit more popular. I believe both of these have been used successfully by tens of thousands of users.

(I agree that it would still be nicer if people didn’t have to use web-based clients because they had good ACME integration inside their hosting configurations.)

The method involves entering details of email address and the account’s public key (easiest by copy and paste). This is validated.
Next enter a CSR (again usually a copy and paste job). This is validated.
Next come a set of steps to sign the API requests. This involves copying a set of command lines into a Linux terminal window and pasting back the responses.
Next step again requires copying into a terminal window and pasting back the response. This then provides files / filenames for hosting in acme-challenge directory to allow verification of site ownership.
If all has gone well then the certificates are presented and can be copied for use on the website. It is at this stage that the invalid nonce message appeared.

The whole process from start to getting / failing to get a cert takes me about 15 minutes.

I tried twice in a row, i.e. two attempts about 15 minutes apart, then waited about 90 minutes before another unsuccessful attempt.

I then waited about 18 hours with the first attempt failing, but the second, tried about 30mins later, working.

It would be much nicer if it were automated, but usually 15 minutes effort every couple of months or so is not a big problem. Moving to a different webhost has been considered but there are a variety of reasons, not all within my control, which make this a bit of a problem.
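To make the mechanism behind @cpu's explanation and the manual workflow described above concrete, here is an added example (not code from this thread, from Let's Encrypt or from the gethttpsforfree service). It models the anti-replay nonce rules of RFC 8555 section 6.5 with a small stand-in server: every nonce is single-use, every response (including an error) carries a fresh `Replay-Nonce`, and a nonce older than a configurable `ttl` is rejected with `urn:ietf:params:acme:error:badNonce`. The `ttl` value and the `FakeAcmeServer`, `FakeClock`, `manual_flow` and `submit_with_retry` names are assumptions for illustration; the real CA's validity window is load-dependent and is not published. The example contrasts a copy-and-paste flow, where minutes pass between fetching the nonce and submitting the signed request, with the retry-on-badNonce loop that an automated ACME client performs.

```python
import secrets

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


class FakeClock:
    """Deterministic clock so the example runs offline and repeatably (assumption)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeAcmeServer:
    """Stand-in for the nonce handling of an ACME server (RFC 8555 section 6.5).

    Assumption: a nonce is valid once and only for `ttl` seconds. The real CA's
    window varies with load and may be as short as a few minutes.
    """

    def __init__(self, ttl, clock):
        self.ttl = ttl
        self.clock = clock        # callable returning the current time in seconds
        self._issued = {}         # nonce -> issue time; unused nonces live here

    def new_nonce(self):
        """HEAD /acme/new-nonce: mint a fresh, unpredictable nonce."""
        nonce = secrets.token_urlsafe(16)
        self._issued[nonce] = self.clock()
        return nonce

    def post(self, nonce, payload):
        """POST with the nonce from the JWS protected header.

        Returns (status, body, replay_nonce). The nonce is consumed whether or
        not the request succeeds, so a replay of the same JWS always fails.
        """
        fresh = self.new_nonce()
        issued = self._issued.pop(nonce, None)
        if issued is None or self.clock() - issued > self.ttl:
            body = {"type": BAD_NONCE,
                    "detail": "JWS has an invalid anti-replay nonce"}
            return 400, body, fresh
        return 200, {"status": "ok", "payload": payload}, fresh


def manual_flow(server, clock_advance, delay_seconds, payload):
    """Model the copy-and-paste workflow: fetch a nonce, spend `delay_seconds`
    signing in a terminal and pasting results back, then send one request."""
    nonce = server.new_nonce()
    clock_advance(delay_seconds)
    status, body, _ = server.post(nonce, payload)
    return status, body


def submit_with_retry(server, payload, nonce=None, max_attempts=3):
    """Behave like an automated ACME client: on badNonce, take the Replay-Nonce
    from the error response and resend immediately instead of giving up.

    Returns (response_body, attempts_used)."""
    if nonce is None:
        nonce = server.new_nonce()
    for attempt in range(1, max_attempts + 1):
        status, body, nonce = server.post(nonce, payload)   # nonce is replaced every round
        if status == 200:
            return body, attempt
        if body.get("type") != BAD_NONCE:
            raise RuntimeError(f"unexpected ACME error: {body}")
    raise RuntimeError(f"gave up after {max_attempts} badNonce responses")


if __name__ == "__main__":
    clock = FakeClock()
    server = FakeAcmeServer(ttl=300, clock=clock)        # 5-minute window (assumption)
    # A human taking 15 minutes between steps is rejected...
    print(manual_flow(server, clock.advance, 15 * 60, {"op": "finalize"}))
    # ...a stale nonce is fixed by one automatic retry with the server's new nonce.
    stale = server.new_nonce()
    clock.advance(301)
    print(submit_with_retry(server, {"op": "finalize"}, nonce=stale))
```

The point of `submit_with_retry` is that the error response itself supplies the replacement nonce, so a client never needs to wait or start over; a web-based flow that pastes a pre-signed request cannot use that nonce because the signature already commits to the old one.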

Have you considered trying ZeroSSL? I believe you could complete this one much quicker than the steps you posted for Gethttpsforfree. It also doesn’t necessarily require the CSR to be pasted, just a domain list. I don’t recall having to sign the API requests on ZeroSSL either - I believe it handles all that in-browser.

@jared.m Thanks for the suggestion. I have just been looking at ZeroSSL, and it does look as if it is a lot easier. I will give it a try for my next renewal.
