Getssl: Error registering account ... JWS has no anti-replay nonce

Hello,
I am having an issue which started several hours ago when either creating a new SSL or renewing an existing SSL.
I am having the same issues on several other servers all of which were good until today.

My domain is: expatinsaigon.com

My web server is (include version): nginx version: nginx/1.14.0

The operating system my web server runs on is (include version): FreeBSD 11.2-RELEASE-p8

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: No

The version of my client is: getssl V2.10

I ran this command: sslconfig expatinsaigon.com

sslconfig script:

#!/usr/bin/env bash

# Domain to issue or renew for, passed as the first argument
DOMAIN=$1
DOCROOT="/root/.getssl/${DOMAIN}/"
CONFIGFILE="${DOCROOT}/getssl.cfg"

mkdir -p "${DOCROOT}"

# Write the per-domain getssl configuration
(cat <<- EOF
CA="https://acme-v01.api.letsencrypt.org"
PRIVATE_KEY_ALG="rsa"
SANS="www.${DOMAIN}"
ACL=('/var/www/letsencrypt/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
DOMAIN_CERT_LOCATION="/usr/local/etc/nginx/certs/${DOMAIN}.crt"
DOMAIN_KEY_LOCATION="/usr/local/etc/nginx/certs/${DOMAIN}.key"
CA_CERT_LOCATION="/usr/local/etc/nginx/certs/chain.crt"
DOMAIN_PEM_LOCATION="/usr/local/etc/nginx/certs/${DOMAIN}.pem"
EOF
) > "${CONFIGFILE}"

# Request the certificate, then reload nginx to pick it up
/root/bin/getssl "${DOMAIN}"
service nginx reload

It produced this output:

root@web01~ #sslconfig expatinsaigon.com
expatinsaigon.com: Certificate on remote domain does not match, ignoring remote certificate
creating key - /root/.getssl/expatinsaigon.com/expatinsaigon.com.key
Generating RSA private key, 4096 bit long modulus
…++
…++
e is 65537 (0x10001)
creating domain csr - /root/.getssl/expatinsaigon.com/expatinsaigon.com.csr
Registering account
getssl: Error registering account … JWS has no anti-replay nonce

Thank you in advance for your assistance!
Tim

Open this line:

change it to:

  nonce=$($CURL -I $nonceurl | grep -i "^Replay-Nonce:" | awk '{print $2}' | tr -d '\r\n ')

Hi _az,
Thank you, here is what I am getting after making that change.

root@web01~ #sslconfig expatinsaigon.com
expatinsaigon.com: Certificate on remote domain does not match, ignoring remote certificate
Registering account
Verify each domain
Verifying expatinsaigon.com
expatinsaigon.com is already validated
Verifying www.expatinsaigon.com
www.expatinsaigon.com is already validated
Verification completed, obtaining certificate.
getssl: Sign failed:

Hmm. It looks like there’s a few places in getssl that are affected by this new bug.

Rather than fixing each of them, it might be easier to change line 1138 from:

  CURL="curl --silent --dump-header $CURL_HEADER "

to

  CURL="curl --http1.1 --silent --dump-header $CURL_HEADER "

That will revert the HTTP headers back to the old (upper-case) style, which should get you going again.

But this should be reported to the getssl project.

Thank you _az, that did the trick. I appreciate your assistance.

Tim
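
The header-case problem discussed in this thread, as an added example that is not part of the original posts and is not getssl's own code: it runs a case-sensitive and a case-insensitive `Replay-Nonce` match over the same response printed in HTTP/1.1 and HTTP/2 style. The function names, the header dumps and the nonce value are constructed for illustration, and `nonce_checked` is an assumed extra guard, not something getssl does.

```shell
#!/bin/sh
# Constructed header dumps: one response as HTTP/1.1 and as HTTP/2 print it.
# The nonce value is a made-up placeholder.
h1_headers() {
  printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nReplay-Nonce: EXAMPLE-nonce-0001\r\n\r\n'
}
h2_headers() {
  printf 'HTTP/2 200\r\nserver: nginx\r\nreplay-nonce: EXAMPLE-nonce-0001\r\n\r\n'
}

# Case-sensitive match: finds nothing when header names arrive in lowercase.
nonce_case_sensitive() {
  grep "^Replay-Nonce:" | awk '{print $2}' | tr -d '\r\n '
}

# Case-insensitive match, the same pipeline as the one-line fix in the thread.
nonce_case_insensitive() {
  grep -i "^Replay-Nonce:" | awk '{print $2}' | tr -d '\r\n '
}

# Assumed guard (not from getssl): fail locally when the nonce is empty or is
# not base64url, instead of sending a request the CA rejects with
# "JWS has no anti-replay nonce".
nonce_checked() {
  n=$(nonce_case_insensitive)
  case "$n" in
    ''|*[!A-Za-z0-9_-]*)
      echo "no usable Replay-Nonce header in response" >&2
      return 1
      ;;
  esac
  printf '%s' "$n"
}

printf 'HTTP/1.1, case-sensitive:   "%s"\n' "$(h1_headers | nonce_case_sensitive)"
printf 'HTTP/2,   case-sensitive:   "%s"\n' "$(h2_headers | nonce_case_sensitive)"
printf 'HTTP/2,   case-insensitive: "%s"\n' "$(h2_headers | nonce_case_insensitive)"
```

Forcing `--http1.1` on every curl call, as suggested above, sidesteps the same mismatch for all header lookups at once; the case-insensitive match fixes it per lookup.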
