Increase in “JWS has an invalid anti-replay nonce” Errors

Hello,

For the last two days, we have been getting a lot of failures during certificate renewal with this error message.

{
  "type": "urn:ietf:params:acme:error:badNonce",
  "detail": "JWS has an invalid anti-replay nonce: \"xxxxxxxxx\"",
  "status": 400
}

There were no changes to our ACME infrastructure or interfaces, so we are wondering whether the Let's Encrypt (LE) server infrastructure is involved.

Does anyone know what is going on?
Could you please confirm whether there are any other similar cases and what the cause is?

Thanks.

4 Likes

What client are you using? Usually clients should just retry automatically when they get that message.

4 Likes

Hi @heat1024, and welcome to the LE community forum :slight_smile:

Have you tested with any other CA?

3 Likes

We are using an ACME client, and our client already has an automatic retry function for when it gets this error message.
The same message occurred before, but it wasn't a problem because it didn't happen many times and it was automatically retried.
However, over the past two days, these failures have increased rapidly, and the internal retry count has been exceeded in many cases.
Additionally, as the number of retries for certificate issuance increases, rate limits are easily hit.

2 Likes
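The retry behaviour discussed above (client gets badNonce, takes the fresh Replay-Nonce, re-signs and resends, gives up after a bounded number of attempts) as an added, self-contained example. This is not code from the acme-client gem, from Boulder or from Let's Encrypt; the FakeAcmeServer, AcmeNonceClient, the account URL, the retry limit and the backoff values are all constructed for illustration. It follows RFC 8555 section 6.5: nonces are single-use, a badNonce error response still carries a fresh Replay-Nonce header, and the client should retry with that nonce.

```ruby
require 'json'
require 'securerandom'

# base64url (RFC 7515) helpers, unpadded.
def b64url(str)
  [str].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Constructed stand-in for an ACME server (not Boulder). Nonces are single-use;
# a JWS carrying an unknown or already-used nonce gets badNonce, and every
# response carries a fresh Replay-Nonce. `spurious_rejections` injects extra
# badNonce responses to mimic the burst described in the thread.
class FakeAcmeServer
  BAD_NONCE = 'urn:ietf:params:acme:error:badNonce'
  attr_reader :requests

  def initialize(spurious_rejections: 0)
    @nonces = {}
    @spurious_left = spurious_rejections
    @requests = 0
  end

  # HEAD /acme/new-nonce
  def new_nonce
    nonce = SecureRandom.urlsafe_base64(16, false)
    @nonces[nonce] = true
    nonce
  end

  # POST to any ACME resource; only the protected header is inspected here.
  def post(jws)
    @requests += 1
    hdr = JSON.parse(b64url_decode(jws['protected']))
    used = hdr['nonce']
    fresh = new_nonce
    valid = @nonces.delete(used) == true
    if @spurious_left > 0
      @spurious_left -= 1
      valid = false
    end
    return { status: 200, headers: { 'Replay-Nonce' => fresh }, body: { 'status' => 'ok' } } if valid

    { status: 400, headers: { 'Replay-Nonce' => fresh },
      body: { 'type' => BAD_NONCE,
              'detail' => "JWS has an invalid anti-replay nonce: \"#{used}\"",
              'status' => 400 } }
  end
end

# Client-side nonce handling: one cached nonce, replaced from the Replay-Nonce
# header of every response, plus a bounded badNonce retry loop that re-signs
# the same request instead of restarting the whole issuance flow.
class AcmeNonceClient
  class BadNonceExhausted < StandardError; end

  def initialize(server, max_retries: 5, sleeper: ->(s) { sleep(s) })
    @server = server
    @max_retries = max_retries
    @sleeper = sleeper
    @nonce = nil
  end

  def post(url, payload)
    @nonce ||= @server.new_nonce
    attempts = 0
    loop do
      resp = @server.post(build_jws(url, payload, @nonce))
      @nonce = resp[:headers]['Replay-Nonce'] # always adopt the fresh nonce
      return resp unless bad_nonce?(resp)

      attempts += 1
      raise BadNonceExhausted, "gave up after #{attempts} badNonce responses for #{url}" if attempts > @max_retries

      @sleeper.call(backoff(attempts))
    end
  end

  private

  # Signature is a constructed placeholder; a real client signs with the account key.
  def build_jws(url, payload, nonce)
    hdr = { 'alg' => 'ES256', 'kid' => 'https://example.invalid/acme/acct/1',
            'nonce' => nonce, 'url' => url }
    { 'protected' => b64url(JSON.generate(hdr)),
      'payload' => b64url(JSON.generate(payload)),
      'signature' => b64url('constructed-signature') }
  end

  def bad_nonce?(resp)
    resp[:status] == 400 && resp[:body]['type'] == FakeAcmeServer::BAD_NONCE
  end

  # Exponential backoff capped at 2s so a server-side blip is not hammered.
  def backoff(attempt)
    [0.1 * (2**(attempt - 1)), 2.0].min
  end
end
```

Two points worth noting for the rate-limit concern raised in the thread: the retry loop repeats only the single failed POST, so a badNonce on new-order does not create additional orders, and the client keeps the Replay-Nonce from the error response rather than fetching another one from new-nonce, which halves the request count per retry.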

We haven't tried another CA yet because we don't have any other CAs.

Hello - I am seeing the exact same behavior the last couple of days. This generally would self-resolve but is much more frequent now without any clear explanation.

1 Like

What do you mean?

2 Likes

ACME is the name of the protocol. What is the name and version of your ACME client?

5 Likes

I'm sorry, I thought CA meant Certificate Authority.
If not, what do you mean by testing with any other CA?

1 Like

There are other free certificate authorities you can use.

1 Like

ACME is the name of the protocol. What is the name and version of your ACME client?

acme-client (2.0.7) for Ruby

The documentation shows you how to point the client to another CA:
https://www.rubydoc.info/gems/acme-client/2.0.7

You just need to insert the appropriate information.

1 Like

There are other free certificate authorities you can use.

Sadly, we are using LE for our service, so I don't think I can change to another CA for production now...

Do you have a test system?

1 Like

Do you have a test system?

Yes, but it isn't reachable for me right now, and I'm not sure about using another CA.
I'll find out how to test with the test system.
If I can use it, what endpoint should I use?
Do you have a recommended one?

ACME Documentation - ZeroSSL
https://acme.zerossl.com/v2/DV90

1 Like

Hello - I am seeing the exact same behavior the last couple of days. This generally would self-resolve but is much more frequent now without any clear explanation.

Oh, I'm not the only one. :sweat_smile:
Thanks!
I hope to solve this problem asap.

1 Like

Thanks for the reports. I identified the problem and have implemented a fix.

11 Likes

Thanks for the reports. I identified the problem and have implemented a fix.

I've checked that the problem has improved.
Thanks for your help!

5 Likes

This resolved the issue I saw on my side. Thank you!

2 Likes