'JWS has no anti-replay nonce' issue on Ubuntu 18.04

Hi,

I run LetsEncrypt on Aegir, a Drupal mass-hosting system and LE certs used to be generated just fine until recently, when I started getting these errors:

INFO: Using main config file /var/aegir/config/letsencrypt/config [warning]

Processing lin01.ts-adyar.org [warning]

  • Checking domain name(s) of existing cert… unchanged. [warning]
  • Checking expire date of existing cert… [warning]
  • Valid till Oct 31 07:33:18 2019 GMT Certificate will expire [warning]
    (Less than 30 days). Renewing! [warning]
  • Signing domains… [warning]
  • Generating private key… [warning]
  • Generating signing request… [warning]
  • Requesting challenge for lin01.ts-adyar.org… [warning]
  • ERROR: An error occurred while sending post-request to [warning]
    https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 400)
    [warning]
    Details: [warning]
    { [warning]
    “type”: “urn:acme:error:badNonce”, [warning]
    “detail”: “JWS has no anti-replay nonce”, [warning]
    “status”: 400 [warning]
    } [warning]
    [warning]
    Failed to generate Let’s Encrypt certificates. [warning]
    HTTPS Certificate directory for <em

In the absence of an LE cert, the Aegir site verification process also fails and I have a completely botched system at the moment. I did read the solution suggested in this thread a few times, but couldn’t wrap my head around it.

I will be thankful for a clear step-by-step to resolve this issue. My web server in Apache 2.4.x and Certbot version is 0.31.

Hi @digestlegend

first step you should check: Update your Certbot.

Second step: Read

ACME v1 is deprecated, so you should switch to ACME v2.

Hi @JuergenAuer

I ran updates and package upgrades for Certbot and even rebooted for good measure, but my Certbot version is still stuck at 0.31.0 on Ubuntu 18.04. Is there a way to manually upgrade the Certbot package for Ubuntu 18.04.3 to a higher version?

Thanks, for reminding me of the ACME v1 deprecation. Would upgrading Certbot automatically make LE use ACME v2?

I don’t know.

Your output

isn’t the Certbot output, that’s another client.

May be that client uses Certbot, may be there is an explicit update (Certbot 0.31 -> higher, V1 -> V2).

Isn’t there an upgrade of that environment?

@bmw, shouldn’t Certbot automatically try to switch over to the ACMEv2 endpoint since 0.26.0 or something?

Yes. We switched the default and automatically migrated everyone that was not previously explicitly setting the ACME server to use to LE’s ACMEv2 endpoint in our 0.26.0 release: Certbot 0.26.0 Release

@digestlegend is using dehydrated - https://github.com/lukas2511/dehydrated/ .

Try updating to the latest version.

If you don’t know how, you might need to ask the maintainers of aegir to find out. If I understand correctly, they seem to be bundling it in their hosting environment.

3 Likes

Did a little bit more digging.

It looks like you are using this module, which gets bundled with Aegir: https://www.drupal.org/project/hosting_https

And it looks like the module was recently updated to use a newer version of dehydrated, which fixes the JWS error: https://www.drupal.org/project/hosting_https/issues/3086056

So if you upgrade the module, your problem should disappear.

3 Likes

@_az that was awesome troubleshooting.

Your suggestion led me to try upgrading Aegir and I found it was broken because its PGP key for the Debian repo for its stable release had expired. Fixing that took care of Aegir, which is now at 3.182, the latest version.

However, I still continue to have the problem with LetsEncrypt. Even with the latest Aegir, Certbot is still at 0.31, so I am not sure how to fix this:

root@tslin01:~# su - aegir -s /bin/bash
aegir@tslin01:~$ certbot --version
certbot 0.31.0

and,

HTTPS certificate directory for events878.ts-adyar.org path /var/aegir/config/letsencrypt.d/events878.ts-adyar.org [success]
exists.
HTTPS certificate directory for events878.ts-adyar.org ownership of [success]
/var/aegir/config/letsencrypt.d/events878.ts-adyar.org has been changed to aegir.
HTTPS certificate directory for events878.ts-adyar.org permissions of [success]
/var/aegir/config/letsencrypt.d/events878.ts-adyar.org have been changed to 700.
HTTPS certificate directory for events878.ts-adyar.org path /var/aegir/config/letsencrypt.d/events878.ts-adyar.org is [success]
writable.
INFO: Using main config file /var/aegir/config/letsencrypt/config [warning]
Processing events878.ts-adyar.org [warning]

  • Signing domains… [warning]
  • Generating private key… [warning]
  • Generating signing request… [warning]
  • Requesting challenge for events878.ts-adyar.org… [warning]
  • ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 400) [warning]
    [warning]
    Details: [warning]
    { [warning]
    “type”: “urn:acme:error:badNonce”, [warning]
    “detail”: “JWS has no anti-replay nonce”, [warning]
    “status”: 400 [warning]
    } [warning]
    [warning]
    Failed to generate Let’s Encrypt certificates.

The part of Aegir that is giving you troubles isn’t using Certbot. It’s using a different Let’s Encrypt client called dehydrated.

If you’ve got Aegir 3.182 installed, it looks like you should also have the latest version of the Aegir HTTPS module that comes with the updated version of dehydrated (https://www.drupal.org/project/hosting_https/releases/7.x-3.182).

So I’m not sure why you’d still be getting that problem :\

Do you have a way to check the installed version of the Aegir HTTPS module?

If you can find the file hosting_https/submodules/letsencrypt/drush/bin/dehydrated/dehydrated file on your server, it should contain a line starting with VERSION= on line ~20.

1 Like

@_az
Solved, finally!

The problem was that, even though Aegir was at 3.182, which is automatically supposed to include the updated version of dehydrated (as per the ‘Changes’ sub-heading at https://docs.aegirproject.org/release-notes/3.18/ ), it apparently did not.

So, I clicked through to the issue mentioned on that page, which described the following workaround:

drush @hm dl hosting_https-7.x-3.x-dev
drush @hm provision-verify
drush @server_master provision-verify
Then verify your own site to renew it’s SSL cert.
drush @yoursite provision-verify

The first of those commands downloaded all the https related modules to my Aegir install:

aegir@tslin01:~$ drush @hm dl hosting_https-7.x-3.182
Project hosting_https (7.x-3.182) downloaded to /var/aegir/hostmaster-7.x-3.182/sites/all/modules/hosting_https. [success]
Project hosting_https contains 6 modules: hosting_nginx_https, hosting_self_signed, hosting_apache_https, hosting_letsencrypt, hosting_certificate, hosting_https.

The second command still gave me the nonce error and I almost gave up at this point. Having nothing to lose, I issued the third command and got the output I was looking for:

apache on tslin01 has been restarted [success]
Let’s Encrypt configuration directory path /var/aegir/config/letsencrypt.d exists. [success]
Let’s Encrypt configuration directory ownership of /var/aegir/config/letsencrypt.d has been changed to aegir. [success]
Let’s Encrypt configuration directory permissions of /var/aegir/config/letsencrypt.d have been changed to 711. [success]
Let’s Encrypt configuration directory path /var/aegir/config/letsencrypt.d is writable. [success]
Let’s Encrypt ACME challenge directory path /var/aegir/config/letsencrypt.d/well-known/acme-challenge exists. [success]
Let’s Encrypt ACME challenge directory ownership of /var/aegir/config/letsencrypt.d/well-known/acme-challenge has been changed to aegir. [success]
Let’s Encrypt ACME challenge directory permissions of /var/aegir/config/letsencrypt.d/well-known/acme-challenge have been changed to 711. [success]
Let’s Encrypt ACME challenge directory path /var/aegir/config/letsencrypt.d/well-known/acme-challenge is writable. [success]
Let’s Encrypt script + data directory path /var/aegir/config/letsencrypt exists. [success]
Let’s Encrypt script + data directory ownership of /var/aegir/config/letsencrypt has been changed to aegir. [success]
Let’s Encrypt script + data directory permissions of /var/aegir/config/letsencrypt have been changed to 711. [success]
Let’s Encrypt script + data directory path /var/aegir/config/letsencrypt is writable. [success]
Copied Let’s Encrypt dehydrated script code into place. [success]

After this, the LE related SSL errors have gone away and I have been successfully able to generate certs for all the sites.

Thanks a ton for prodding me to dig deeper into the issue and the useful suggestions. Much appreciated.

Edit: Just noticed you had linked to that same Aegir issue in your previous post. Somehow missed it there.:slightly_smiling_face:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.