Getssl: Error registering account ... JWS has no anti-replay nonce

Tim_L · September 24, 2019, 9:49am

Hello,
I am having an issue which started several hours ago when either creating a new SSL or renewing an existing SSL.
I am having the same issues on several other servers all of which were good until today.

My domain is: expatinsaigon.com

My web server is (include version): nginx version: nginx/1.14.0

The operating system my web server runs on is (include version): FreeBSD 11.2-RELEASE-p8

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: No

The version of my client is: getssl V2.10

I ran this command: sslconfig expatinsaigon.com

sslconfig script:

#!/usr/bin/env bash

DOMAIN=$1
DOCROOT="/root/.getssl/DOMAIN/" CONFIGFILE="{DOCROOT}/getssl.cfg"

mkdir -p ${DOCROOT}

(cat <<- EOF
CA=“https://acme-v01.api.letsencrypt.org”
PRIVATE_KEY_ALG=“rsa”
SANS=“www.{DOMAIN}" ACL=('/var/www/letsencrypt/.well-known/acme-challenge') USE_SINGLE_ACL="true" DOMAIN_CERT_LOCATION="/usr/local/etc/nginx/certs/{DOMAIN}.crt”
DOMAIN_KEY_LOCATION="/usr/local/etc/nginx/certs/{DOMAIN}.key" CA_CERT_LOCATION="/usr/local/etc/nginx/certs/chain.crt" DOMAIN_PEM_LOCATION="/usr/local/etc/nginx/certs/{DOMAIN}.pem"
EOF
) > “${CONFIGFILE}”

/root/bin/getssl ${DOMAIN}
service nginx reload

It produced this output:

root@web01~ #sslconfig expatinsaigon.com
expatinsaigon.com: Certificate on remote domain does not match, ignoring remote certificate
creating key - /root/.getssl/expatinsaigon.com/expatinsaigon.com.key
Generating RSA private key, 4096 bit long modulus
…++
…++
e is 65537 (0x10001)
creating domain csr - /root/.getssl/expatinsaigon.com/expatinsaigon.com.csr
Registering account
getssl: Error registering account … JWS has no anti-replay nonce

Thank you in advance for your assistance!
Tim

_az · September 24, 2019, 9:51am

Open this line:

github.com

srvrco/getssl/blob/5343070654fdde11d3993a768b0ee4c8104eb120/getssl#L1149


if [[ ${_USE_DEBUG} -eq 1 ]]; then
  CURL="$CURL --trace-ascii $dp "
fi


# convert payload to url base 64
payload64="$(printf '%s' "${payload}" | urlbase64)"
debug payload64 "$payload64"


# get nonce from ACME server
nonceurl="$CA/directory"
nonce=$($CURL -I $nonceurl | grep "^Replay-Nonce:" | awk '{print $2}' | tr -d '\r\n ')


debug nonce "$nonce"


# Build header with just our public key and algorithm information
header='{"alg": "'"$jwkalg"'", "jwk": '"$jwk"'}'


# Build another header which also contains the previously received nonce and encode it as urlbase64
protected='{"alg": "'"$jwkalg"'", "jwk": '"$jwk"', "nonce": "'"${nonce}"'", "url": "'"${url}"'"}'
protected64="$(printf '%s' "${protected}" | urlbase64)"
debug protected "$protected"

change it to:

  nonce=$($CURL -I $nonceurl | grep -i "^Replay-Nonce:" | awk '{print $2}' | tr -d '\r\n ')

Tim_L · September 24, 2019, 10:03am

Hi _az,
Thank you, here is what I am getting after making that change.

root@web01~ #sslconfig expatinsaigon.com
expatinsaigon.com: Certificate on remote domain does not match, ignoring remote certificate
Registering account
Verify each domain
Verifying expatinsaigon.com
expatinsaigon.com is already validated
Verifying www.expatinsaigon.com
www.expatinsaigon.com is already validated
Verification completed, obtaining certificate.
getssl: Sign failed:

_az · September 24, 2019, 10:07am

Hmm. It looks like there’s a few places in getssl that are affected by this new bug.

Rather than fixing each of them, it might be easier to change line 1138 from:

  CURL="curl --silent --dump-header $CURL_HEADER "

to

  CURL="curl --http1.1 --silent --dump-header $CURL_HEADER "

That will revert the HTTP headers back to the old (upper-case) style, which should get you going again.

But this should be reported to the getssl project.

Tim_L · September 24, 2019, 10:17am

Thank you _az, that did the trick. I appreciate your assistance.

Tim

system · October 24, 2019, 10:25am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.