JWS has invalid anti-replay nonce since tonight June 4th

Since tonight I always get

ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
"type": "urn:acme:error:badNonce",
"detail": "JWS has invalid anti-replay nonce h5f5Nrb_m75MzzlidJ_E5788_WeBaJtUo-K3sysBboE",
"status": 400
}

Does anyone know what is going on?

Hi @prandini_paolo

Usually it's a good idea to follow the format specified in the Help Topic.

For example, what client are you using and what command are you running?

Have you run the command several times?

Are the nonce errors the same?

Do you see anything funny in the logs?

Andrei

Yes, I know, BUT
it happens with 3 different clients during any function I try,
e.g.

dehydrated by lukas2511

Source: https://github.com/lukas2511/dehydrated

./dehydrated --register --accept-terms

Details:
{
"type": "urn:acme:error:badNonce",
"detail": "JWS has invalid anti-replay nonce Bs4vc0jVNvibwC3ZhOjhsxQMkbPOvQo8Q-hIcuUYO40",
"status": 400
}

I tried to keep my tests as clean as possible but I always get the same type of response.
Of course the nonce itself is changing.
Thanks
Paolo

Hi @prandini_paolo

Interesting - I am not having any issues with certbot. If it was a system-wide issue then everyone would be getting nonce errors.

Andrei

After your suggestion I tried to do operations in a loop, trying and trying again,
and it takes a looong time, but I managed to get some successful results.
Every now and then I get a successful result on the first try, but otherwise it takes 10-20 tries.
But it is not business as usual... something is happening on the platform, and it
is better if someone takes care of this problem before it gets worse and worse
and then it stops!

@jsha

Any ideas???

@prandini_paolo, most nonce errors I have encountered thus far have been with the client.

Andrei

@prandini_paolo, are you behind a NAT that sends your outbound traffic via multiple IP addresses? That can cause some problems with nonces.

No, it is a single static IP.
But it worked correctly up to the beginning of June.

The client is always the same, but I tried with other clients as well
and I got the same error. This started happening in June.

Is there any IPv6 at play?


No, no IPv6, just plain old IPv4 :)

Maybe unrelated...
But I've seen DNS resolution use TCP instead of UDP, and that has been blocked by some systems along the way.

DNS resolution wouldn’t be involved in either direction, because the client successfully communicates with the ACME server, but is providing invalid nonces.

@prandini_paolo, can you provide your IP address so I can check the logs?

I'm getting this exact same error using the same client; it just started yesterday for no reason that I can come up with.

I would like to add some of my experience here that I am continuing to debug...

We use the letsencrypt dehydrated client implementation.

The internet request is proxied through squid behind an AWS EC2 ELB (load balancer). When we use a dedicated squid server, or a trivial ELB using the same squid server exclusively, we do not encounter an issue. Once we scaled up to two squid servers, we reproduced the badNonce error. We are still investigating this; it started happening a few days ago, so we are not clear on what changed.
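The two-squid observation above and the earlier NAT question point at the same failure mode: a nonce is obtained through one egress path and the signed POST arrives through another. The simulation below is an added example, not code from any poster or from dehydrated or Boulder; it assumes (as a model, not a documented server behaviour) that each ACME frontend validates only nonces it issued itself, that the load balancer pins a source IP to one frontend, and it reproduces the "works on a single IP, needs many retries on two" pattern reported in this thread. All hostnames and IPs are constructed.

```python
import random
import secrets

class AcmeFrontend:
    """One ACME API instance with its own nonce pool. Modelling assumption
    (not stated in the thread): a nonce is valid only on the frontend that
    issued it, and every response, errors included, carries a fresh Replay-Nonce."""
    def __init__(self, name):
        self.name, self.nonces = name, set()

    def new_nonce(self):
        nonce = secrets.token_urlsafe(32)
        self.nonces.add(nonce)
        return nonce

    def post(self, nonce):
        fresh = self.new_nonce()
        if nonce not in self.nonces:          # unknown here (or already used)
            return {"status": 400, "type": "urn:acme:error:badNonce",
                    "replay_nonce": fresh}
        self.nonces.remove(nonce)             # nonces are single use
        return {"status": 201, "replay_nonce": fresh}

class LoadBalancer:
    """Assumed source-IP affinity: one egress IP always reaches one frontend
    (modelled here as last octet modulo the number of frontends)."""
    def __init__(self, frontends):
        self.frontends = frontends

    def route(self, src_ip):
        return self.frontends[int(src_ip.rsplit(".", 1)[1]) % len(self.frontends)]

def register(lb, egress_ips, rng, max_tries=20):
    """Return the POST attempt that succeeded, or None. Each request leaves via a
    random egress IP: one IP is the static-IP case, two IPs the two-squid case."""
    nonce = lb.route(rng.choice(egress_ips)).new_nonce()   # HEAD new-nonce
    for attempt in range(1, max_tries + 1):
        resp = lb.route(rng.choice(egress_ips)).post(nonce)
        if resp["status"] == 201:
            return attempt
        nonce = resp["replay_nonce"]   # retry with the nonce from the error reply
    return None

def first_try_rate(egress_ips, runs=1000, seed=1):
    """Fraction of registrations that succeed on the first POST."""
    rng = random.Random(seed)
    lb = LoadBalancer([AcmeFrontend("wfe-a"), AcmeFrontend("wfe-b")])
    return sum(register(lb, egress_ips, rng) == 1 for _ in range(runs)) / runs

if __name__ == "__main__":
    print("single egress IP:", first_try_rate(["203.0.113.10"]))                   # 1.0
    print("two egress IPs  :", first_try_rate(["203.0.113.10", "203.0.113.11"]))  # ~0.5
```

The defensive takeaway for an operator is the one the thread reaches: check whether outbound ACME traffic can leave via more than one address (multi-proxy pools, NAT with several public IPs), and pin the ACME client to a single egress path before blaming the client.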
