In the past 2–3 weeks, we have observed a significant increase in "JWS has an invalid anti-replay nonce" errors across our systems. For example, we recorded more than 50 such errors just last week.
There have been no recent changes on our infrastructure or certificate generation side for quite some time.
Is anyone else experiencing a similar uptick in these errors recently?
Are there any known issues or updates on the Let’s Encrypt side that could explain this behavior?
Any insights would be greatly appreciated.
Thanks!
—
Andreas
www.stubay.eu
400
{
"type": "urn:ietf:params:acme:error:badNonce",
"detail": "Unable to validate JWS :: JWS has an invalid anti-replay nonce: \"J1s5b30k1So7oawbjVp3ydEcWo7idMAwZXTeOc4V1gRy-OMdqOA\"",
"status": 400
}
PS: We are using an extensively customized iteration of lescript within our operational framework.
The instances of renewal errors currently encountered do not impede the functionality of the active certificates, as the existing valid certificates remain effective, and the renewal process will be reattempted at a subsequent juncture.
My intention in highlighting this matter is to raise awareness, in the possible event of issues with the Let's Encrypt servers, given that such behavior diverges from the anticipated norm. (At least I haven't noticed such a huge surge of those errors outside of maintenance windows in the last years, since: Surge in "JWS has an invalid anti-replay nonce" Errors.)
There are currently no scheduled maintenance activities on the Let's Encrypt side; refer to https://letsencrypt.status.io/.
How many certificate orders are you running over that period?
This is a normal error condition: it means the server responding to your request is not aware of this temporary value, and that can be caused by various things. The best practice is to request a new anti-replay nonce and retry the action; some client libraries do this automatically.
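The retry behaviour described in the reply above, as an added example that is not part of this thread and is not code from lescript or from Let's Encrypt: a minimal ACME-style client that consumes each nonce once, keeps the Replay-Nonce header every response carries (RFC 8555 section 6.5), and on `urn:ietf:params:acme:error:badNonce` retries with the nonce the error response supplied, up to a bounded number of attempts. The server side is a constructed fake whose `route` list decides which backend answers each request, so a nonce minted by one backend can be redeemed at another; that reproduces the cross-datacenter redemption failure mentioned later in the thread. The `bad_nonce_rate` counter is the kind of metric the original poster used to notice the uptick. Class and function names, the `dc0`/`dc1` backend names and the nonce strings are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: not code from the thread, from lescript or from Let's Encrypt.
BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


@dataclass
class Response:
    """The parts of an ACME HTTP response the retry logic needs."""
    status: int
    headers: dict
    body: dict


class FakeBackend:
    """One ACME backend (think: one datacenter) with its own single-use nonce store."""

    def __init__(self, name: str):
        self.name = name
        self.unredeemed: set = set()
        self.minted = 0

    def mint(self) -> str:
        self.minted += 1
        nonce = f"{self.name}-nonce-{self.minted}"
        self.unredeemed.add(nonce)
        return nonce


class FakeCluster:
    """Stands in for the ACME server. `route` lists which backend handles each
    successive request, so a nonce minted by one backend can land on another."""

    def __init__(self, backends, route):
        self.backends = backends
        self.route = list(route)

    def _next(self) -> FakeBackend:
        return self.backends[self.route.pop(0)]

    def new_nonce(self) -> Response:
        # HEAD /acme/new-nonce: 200 with a Replay-Nonce header and no body
        return Response(200, {"Replay-Nonce": self._next().mint()}, {})

    def post(self, nonce: str) -> Response:
        backend = self._next()
        if nonce in backend.unredeemed:
            backend.unredeemed.discard(nonce)  # a nonce is valid exactly once
            return Response(201, {"Replay-Nonce": backend.mint()}, {"status": "valid"})
        # Unknown nonce: the problem document seen in the thread, plus a fresh nonce
        return Response(400, {"Replay-Nonce": backend.mint()},
                        {"type": BAD_NONCE, "status": 400,
                         "detail": f"JWS has an invalid anti-replay nonce: \"{nonce}\""})


@dataclass
class AcmeClient:
    server: FakeCluster
    max_attempts: int = 5
    nonce: Optional[str] = None
    requests: int = 0    # signed POSTs sent, including retries
    bad_nonce: int = 0   # how many of them were rejected with badNonce

    def _remember_nonce(self, resp: Response) -> None:
        # RFC 8555 s6.5: every response carries a Replay-Nonce the client should keep
        if "Replay-Nonce" in resp.headers:
            self.nonce = resp.headers["Replay-Nonce"]

    def signed_post(self, payload: dict) -> Response:
        """Send a JWS-protected request; on badNonce, retry with the nonce the
        error response supplied, up to max_attempts times."""
        for _ in range(self.max_attempts):
            if self.nonce is None:
                self._remember_nonce(self.server.new_nonce())
            nonce, self.nonce = self.nonce, None  # each nonce is used at most once
            self.requests += 1
            resp = self.server.post(nonce)  # payload would be signed with this nonce
            self._remember_nonce(resp)
            if resp.status == 400 and resp.body.get("type") == BAD_NONCE:
                self.bad_nonce += 1
                continue
            return resp
        raise RuntimeError(f"badNonce on {self.max_attempts} consecutive attempts")

    def bad_nonce_rate(self) -> float:
        """Share of signed POSTs rejected with badNonce (the thread's ~4% vs <1%)."""
        return self.bad_nonce / self.requests if self.requests else 0.0


def demo() -> tuple:
    """Two datacenters; the first POST lands on the other one, the retry succeeds."""
    cluster = FakeCluster([FakeBackend("dc0"), FakeBackend("dc1")], route=[0, 1, 1])
    client = AcmeClient(cluster)
    resp = client.signed_post({"identifiers": [{"type": "dns", "value": "example.test"}]})
    return resp.status, client.bad_nonce, client.requests


def demo_giving_up() -> tuple:
    """Every request lands on the backend that did not mint the nonce; the bound trips."""
    cluster = FakeCluster([FakeBackend("dc0"), FakeBackend("dc1")], route=[0, 1, 0, 1])
    client = AcmeClient(cluster, max_attempts=3)
    try:
        client.signed_post({})
        gave_up = False
    except RuntimeError:
        gave_up = True
    return gave_up, client.bad_nonce, client.bad_nonce_rate()


if __name__ == "__main__":
    print(demo())            # (201, 1, 2)
    print(demo_giving_up())  # (True, 3, 1.0)
```

The bound on attempts matters: a client that retries forever on badNonce turns a transient server-side nonce problem into a stuck renewal job, while a client that does not retry at all turns a normal condition into a failed order; counting the retries separately from the orders is what makes a change in the rate visible.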
On this system we’ve generated certificates for 3,681 domains this month (16 days). With about 100–150 badNonce errors during that time, we’re seeing an error rate of roughly 4%. That’s significantly higher than usual for us (<1%), which is why I wanted to check in and see if there might be any underlying issues on the Let’s Encrypt side.
As mentioned, the errors themselves are not a big problem for us — our client automatically retries, and all certificates eventually get issued successfully. My main concern is just to be sure there’s nothing unexpected happening with the LE infrastructure, especially since we’ve had a similar situation before (see here: cross-datacenter nonce redemption).
Hi! We've seen an increased rate of nonce redemption failures on our end as well, starting on June 4th. Not enough to trigger any of our alarms, but it doesn't look like your infrastructure is imagining things. We're investigating and will provide an update when we have one.
@aarongable By any chance, did you change anything on your side? Over the past few days, the "invalid anti-replay nonce" errors have massively decreased and are now back to their previous (low) level.
OK, it seems that the improvement was only temporary – unfortunately, over the last few days we are seeing another increase in badNonce errors on our systems again.
@futureweb just to clarify, why does it matter? If your system just fetches a new nonce and continues it shouldn't matter at all? Or are you just raising this out of interest.