JWS has invalid anti-replay nonce. Status 400

Hi,

When trying to create a certificate, i receive the error detailed here ERROR

I am using letsencrypt version 1.9.7.10251 because its the last version that work with my SBS 2008 because of the last .Net version supported by the server is 4.6

Searching for this problem i found that this could be related to redirects/NAT/DNS/ipv6/… so i try to find the issue without success, i think i will need help to figure it out please.

Regards,
Sergio

Hi @Sergio-GitHub75

the error

JWS has invalid anti-replay nonce cnLpg74w9KqhRZoSQjhC4Yi9vyY6JTTvo87fkOseJds

means: Most commands need an anti-replay nonce. The client can get a new nonce, then start with the first command to create a new certificate.

But anti-replay nonces have a short lifespan.

Is it possible that you startet the command, then you wait - then the next step?

Simple solution: Try it again and don't wait too long between the steps.

Hi Juergen,

Thank you for replying.

As you could imagine i try this steps several times and i can assure you that i was very fast, so the problem in not related to this.

I can access configcheck from internet and it is ok, but when this error occur i can see that the long file was not writen to the directory C:\inetpub\wwwroot.well-known\acme-challenge

I have all the right permissions well configured also.

I think this is another kind of issue.

Perhaps this client you use is too old.

But I don't know what

is doing. There was a code change

But your protocol doesn't have the information to see if your software would have a problem with this change.

Hi @Sergio-GitHub75,

Can you clarify what ACME client you're using? On first pass based on saying letsencrypt version I thought you might mean an old version of Certbot from when it was called just "letsencrypt", but that version number doesn't match up. You also mention .net and what I think is a Windows Server version but Certbot is Python and doesn't support Windows.

Is it possible you're using a different ACME client?

Do you know if the server you're running this ACME client on has multiple network interfaces? Does it have both IPv4 and IPv6 outbound internet access? Is the IPv6 connectivity working reliably?

Hi cpu,

As i explain in my first post, because i have Windows Server 2008 i am limited to use ACME V1, because of that i use the last letsencrypt version possible that is version 1.9.7
So nothing to do with Certbot because i use a Windows Server not Linux.

About the issue, as you ask i also think this is related with ipv6.
Several years ago when i setup this server, i was not confortable with ipv6 so i try to disable ipv6 but then was appearing several errors so i enable ipv6 again from network interface but trying to ignore that ipv6 exist until now where i am trying to figure if my issues are ipv6 related.

I have 4 network interfaces but only one is enabled and configured with ipv4 and with ipv6 fe80::6451:b137:ad7f:10de DNS ::1

I look into DNS Manager and only references to ipv4 here, i saw that i remove ipv6 address from DNS queries.

In IIS Manager i can see that i don’t have any bindings regarding ipv6

My router is handling ipv6 from wan but from Lan ipv6 is disabled.

So after reading this it appears to me that something may not be working well this way, my question is what should i do? Try do disable ipv6 a litle better or enabled and configure ipv6. Either way, how can i do this properly?

Thanks.

This is a link-local ipv6 address, this isn't a public address.

So if you don't have a dns entry with an AAAA record, it shouldn't be an ipv6 problem.

Does your WAN-side connection have multiple IP addresses?

This issue can arise if the outgoing requests from your network do not always have the same source IP address. Most commonly, this is caused by inconsistent/broken use of IPv6 (since IPv6 is generally not used with NAT), but it isn’t the only possibly way it could happen.

There has historically been a Let’s Encrypt-specific issue relating to the way it generates nonces and uses the source IP address for load balancing.

You could always try load http://test-ipv6.com/ a few times and see if a) if IPv6 is active and b) whether your apparent IP address(es) ever change.

2 Likes

Moreover, ACME clients are supposed to automatically resend the request with the new nonce when they get this error. Unless you’re very unlucky, everything should succeed eventually.

I don’t know what ACME client you’re using, but maybe you can upgrade it, or switch to a different one?

1 Like

I think its an old version of Let's Encrypt Win Simple (now called Win-Acme)

1 Like

Thanks for the support.

My router has ipv6 activated but not configured so the result of the website http://testipv6.com is that i DON’T have ipv6

WAN-side has only one ip address but i have NAT translations in our router to other internal servers based on the external port redirects to the correct server.

So after testing that i only have ipv4 wan-side, i can exclude this was an ipv6 issue, so what can it be?

I send the logs that could help

SSLerror.txt (9.2 KB)

There's an interesting comment about your error and letsencrypt-win-simple below version 1.9.8 here: Problem with Certificate Authorization · Issue #653 · win-acme/win-acme · GitHub :

First one: "JWS has invalid anti-replay nonce" - this happens when you spend too much time in the main menu. There seems to be some kind of timeout period where the client is supposed to refresh the nonce but doesn't. I believe this is fixed in 1.9.8.

For reference, your log file says you are using version 1.9.7.10258.

Yes i already see that comment but in my case i can’t use that new version because its not compatible with Windows Server 2008 so i can’t really try it.

Oh … then change ACME clients: https://letsencrypt.org/docs/client-options/#windows-iis . Using a known-buggy version isn’t going to be a strategy that pays off, and there’s no solution that can be proposed on this forum to just make it work (besides having really quick fingers and not lingering on the application menu for too long).

You could also ask the authors of win-acme to show you how to backport the fix to 1.9.7, but looking at the history, it appears that the fix came along with a rather large refactoring of the application (between v1.9.7.2 and v1.9.8), so it might not be so simple.

1 Like

Trying others ACME clients, what i found is that a feature that i need that is wildcard domains is only possible with ACME V2 that is incompatible with my Windows Server 2008.

Forgeting wildcards, i have downloaded older version 3 of CertifyTheWeb so that it can install on my server. After that i can run it and FINALLY i was succeded to create my certificate.

Just wan’t to say thank you guys for helping me and pointed to the right direction :wink:

It is true that wildcards are only supported with ACME v2. But there is no reason an ACME v2 client wouldn't be compatible with Windows Server 2008. That would only be a limitation of a particular client, not the protocol.

1 Like

Hi rmbolger,

Yes, you are right it’s not a problem of the protocol, but for some reason, when implementing ACME V2 the Windows clients have updated also the minimal version of .NET for a version that no longer is supported by Windows Server 2008, thats why i have to install previous versions of those clients and cannot use wildcards to create the certificates.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.