Getting "The client sent an unacceptable anti-replay nonce"

I have this issue right now with the staging CA.

I’ve only seen this error four times and retrying seemed to have solved it. The last time was 24 hours ago.

Occurrences
7/28 @ 17:24 UTC - puWGf0KGy_pFEIujAZuhy2XfiA08vyYXMsfKH9ZRTeI
7/27 @ 15:43 UTC - htduhLeaZCFMK0FTxpEtWv7Mo048uztehpHWXLFL5bw
7/25 @ 16:59 UTC - 03q0vT1OfaR3sRCAU0PjAjEGPggU73jBxPUEQr8nUdI
7/25 @ 15:30 UTC - 6v5IgVvEbeafnw9_22xu5-JaTc5BEc4QTrOx40OYEQA

I'm still seeing this issue - just got it twice in a row. It has happened intermittently for at least quite a while - these are the timestamps (UTC) from log lines showing the errors:

$ fgrep -hi -e badNonce -e 'unacceptable anti-replay nonce' -e 'invalid anti-replay nonce' $(ls -1tr letsencrypt.log*) | grep '^201[67]' | cut -c-80
2016-11-10 10:57:24,841:DEBUG:root:Received <Response [400]>. Headers: {'Content
2016-11-10 10:57:24,842:DEBUG:acme.client:Received response <Response [400]> (he
2017-01-30 03:00:20,777:DEBUG:root:Received <Response [400]>. Headers: {'Content
2017-01-30 03:00:20,779:DEBUG:acme.client:Received response <Response [400]> (he
2017-04-25 07:58:18,485:DEBUG:root:Received <Response [400]>. Headers: {'Content
2017-04-25 07:58:18,487:DEBUG:acme.client:Received response <Response [400]> (he
2017-04-25 08:22:49,059:DEBUG:root:Received <Response [400]>. Headers: {'Content
2017-04-25 08:22:49,061:DEBUG:acme.client:Received response <Response [400]> (he
$

Thrice in a row now:
...

Waiting for verification...
Resetting dropped connection: acme-v01.api.letsencrypt.org
An unexpected error occurred:
The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce VB-XMNGXK_H4h7VIXAcvr17VPo_C7qyffwv0vz5OM1I
Please see the logfiles in /home/m/mycert/var/log/letsencrypt for more details.
$ fgrep -hi -e badNonce -e 'unacceptable anti-replay nonce' -e 'invalid anti-replay nonce' $(ls -1tr letsencrypt.log*) | grep '^201[67]' | tail -n -2 | cut -c-80
2017-04-25 08:59:38,480:DEBUG:root:Received <Response [400]>. Headers: {'Content
2017-04-25 08:59:38,483:DEBUG:acme.client:Received response <Response [400]> (he
$

I’m also seeing this error.

The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce h4RBpXXUsOcVBwdZKHVqjcyOg3uc2xoQKyuXQpxCynE

Would love any advice/resolution.

Hi @mosse,

Spin off a separate discussion on this. I believe your issue is with the client.

From the ACME spec:

The "nonce" header parameter provides a unique value that enables the
verifier of a JWS to recognize when replay has occurred. The "nonce"
header parameter MUST be carried in the protected header of the JWS.

The value of the "nonce" header parameter MUST be an octet string,
encoded according to the base64url encoding described in Section 2 of
[RFC7515]. If the value of a "nonce" header parameter is not valid
according to this encoding, then the verifier MUST reject the JWS as
malformed.

Examples of valid nonces:

0nMYjTreVR8
s65MulfvZ80
5B6A77A11Ws
aX8fmrwD0Zo

Andrei
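
The encoding rule quoted from the ACME spec above and the retry behaviour reported earlier in the thread, as an added Python example that is not part of any post here and is not certbot or Boulder code. The names `decode_nonce`, `NonceVerifier` and `post_with_retry` are hypothetical, and the toy verifier assumes the server hands back a fresh nonce with every response, including error responses.

```python
import base64
import re
import secrets

# base64url alphabet without "=" padding (RFC 7515, Section 2).
_B64URL = re.compile(r"[A-Za-z0-9_-]+")


def decode_nonce(value):
    """Return the nonce's octets, or None if it is not valid unpadded base64url."""
    if not _B64URL.fullmatch(value) or len(value) % 4 == 1:
        return None
    padded = value + "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(padded)


class NonceVerifier:
    """Hypothetical server side: issues nonces and accepts each exactly once."""

    def __init__(self):
        self._unused = set()

    def issue(self):
        raw = secrets.token_bytes(8)
        nonce = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
        self._unused.add(nonce)
        return nonce

    def check(self, nonce):
        """Return (error, fresh_nonce); error is None when the nonce is accepted."""
        if decode_nonce(nonce) is None:
            return "malformed", self.issue()
        if nonce not in self._unused:
            return "badNonce", self.issue()  # unknown, expired or replayed
        self._unused.remove(nonce)  # single use: a second submission is a replay
        return None, self.issue()


def post_with_retry(verifier, nonce, max_attempts=3):
    """Hypothetical client side: on badNonce, retry with the fresh nonce."""
    for attempt in range(1, max_attempts + 1):
        error, fresh = verifier.check(nonce)
        if error is None:
            return attempt
        if error != "badNonce":
            raise ValueError(error)
        nonce = fresh  # a real client re-signs the JWS with this nonce
    raise RuntimeError("badNonce persisted after retries")
```

A nonce that is well-formed but unknown to the verifier is rejected as `badNonce` on the first attempt and succeeds on the second, which matches the "retrying solved it" reports above; a malformed nonce is rejected outright and never retried.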