JWS has an invalid anti-replay nonce when provisioning new certificates

Hey there,

For the past couple of days, I’ve been getting this lovely error when trying to get the challenges for the domains included in our certificates:
‘JWS has an invalid anti-replay nonce: “”’

This is using the v2 API and it seems to only happen on the production environment. Is the cause for this the current partial service degradation?

Thank you

Encountering the error is normal and your client should handle it transparently (https://tools.ietf.org/html/rfc8555#section-6.5):

When a server rejects a request because its nonce value was unacceptable (or not present), it MUST provide HTTP status code 400 (Bad Request), and indicate the ACME error type "urn:ietf:params:acme:error:badNonce". An error response with the "badNonce" error type MUST include a Replay-Nonce header field with a fresh nonce that the server will accept in a retry of the original query (and possibly in other requests, according to the server's nonce scoping policy). On receiving such a response, a client SHOULD retry the request using the new nonce.

Are you retrying the request with a new nonce?

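The retry behaviour the reply above quotes from RFC 8555 section 6.5, as an added example that is not part of the original thread, the poster's library, or any Let's Encrypt code. It models a CA with a constructed FakeAcmeServer that only checks the anti-replay nonce (no signature verification), uses an HMAC key as a stand-in for the ACME account key (real clients sign with RS256 or ES256), and invents the names AcmeClient, naive_post and demo for illustration. The client takes the Replay-Nonce header from every response, success or error, and re-signs and retries once it sees a badNonce problem document, which is exactly what the original library was missing.

```python
"""Model of ACME anti-replay nonce handling (RFC 8555 section 6.5).

Constructed example: FakeAcmeServer stands in for a real CA and checks only
the nonce, not the JWS signature. The HMAC key is a stand-in for the account
key; real ACME clients sign with RS256 or ES256.
"""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class Response:
    status: int
    headers: dict
    body: dict


class FakeAcmeServer:
    """Stand-in CA: every nonce it issues is single-use; anything else is badNonce."""

    def __init__(self):
        self._valid = set()

    def new_nonce(self) -> str:           # models HEAD /acme/new-nonce
        nonce = b64url(secrets.token_bytes(16))
        self._valid.add(nonce)
        return nonce

    def post(self, url: str, jws: dict) -> Response:
        protected = json.loads(b64url_decode(jws["protected"]))
        nonce = protected.get("nonce", "")
        fresh = self.new_nonce()          # every reply carries Replay-Nonce, errors included
        if nonce not in self._valid:
            detail = f'JWS has an invalid anti-replay nonce: "{nonce}"'
            return Response(400, {"Replay-Nonce": fresh},
                            {"type": BAD_NONCE, "detail": detail})
        self._valid.discard(nonce)        # consumed: replaying this JWS is now rejected
        return Response(200, {"Replay-Nonce": fresh}, {"status": "pending", "url": url})


class AcmeClient:
    def __init__(self, server: FakeAcmeServer, account_key: bytes, max_bad_nonce_retries: int = 3):
        self.server = server
        self.key = account_key            # assumption: HMAC stand-in for the account key
        self.nonce = None                 # last Replay-Nonce the server handed us
        self.max_retries = max_bad_nonce_retries
        self.bad_nonce_count = 0          # how often the server bounced a request

    def _sign(self, url: str, payload: dict) -> dict:
        header = {"alg": "HS256", "kid": "acct-1", "nonce": self.nonce or "", "url": url}
        protected = b64url(json.dumps(header).encode())
        body = b64url(json.dumps(payload).encode())
        sig = hmac.new(self.key, f"{protected}.{body}".encode(), hashlib.sha256).digest()
        return {"protected": protected, "payload": body, "signature": b64url(sig)}

    def post(self, url: str, payload: dict) -> Response:
        for _ in range(self.max_retries + 1):
            if self.nonce is None:
                self.nonce = self.server.new_nonce()
            resp = self.server.post(url, self._sign(url, payload))
            # Take the fresh nonce from every response, whether it succeeded or not.
            self.nonce = resp.headers.get("Replay-Nonce")
            if resp.status == 400 and resp.body.get("type") == BAD_NONCE:
                self.bad_nonce_count += 1
                continue                  # re-sign with the new nonce and retry
            return resp
        raise RuntimeError("badNonce persisted across retries; something else is wrong")


def naive_post(client: AcmeClient, url: str, payload: dict) -> Response:
    """What a library without section 6.5 handling does: one attempt, 400 surfaces as an error."""
    resp = client.server.post(url, client._sign(url, payload))
    client.nonce = resp.headers.get("Replay-Nonce")
    return resp


def demo():
    server = FakeAcmeServer()
    client = AcmeClient(server, account_key=b"demo-account-key")
    client.nonce = ""                     # the empty nonce quoted in the original post
    first = client.post("https://ca.example/acme/authz/1", {})
    client.nonce = "stale-nonce-from-a-previous-session"
    second = client.post("https://ca.example/acme/authz/2", {})
    return first.status, second.status, client.bad_nonce_count
```

Both the empty nonce and a stale one produce a single badNonce round trip followed by a successful retry; a real client should also cap the retries, since a badNonce that never clears usually means a clock, proxy or caching problem rather than a nonce problem.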

Oh that’s a really good point.

Let me patch the library we’re using to provision our stuff and see if that makes it less breaky.

Thanks for pointing this out.


Yup, sure enough, that did the trick.

Thanks for the help @_az!
