I wonder if Dehydrated is falling into the same trap a few of the other shell-based ACME clients (getssl, acme.sh, etc.) hit since the CDN switch: case-sensitive HTTP header matching that fails with H2’s all-lowercase headers.
From an external perspective just based on the error messages it seems like behaviour that could happen if the code pulling the replay nonce from the HTTP response header from the ACME server didn’t fail when it couldn’t extract a nonce to use.
I’m seeing the “JW has no anti-replay nonce” error since yesterday on a system with dehydrated 0.6.5 and curl 7.47.0 that doesn’t even have HTTP2 support.
Not experiencing problems on the staging server, though.
Also, it failed producing a SAN certificate with 99 hosts (as my production cert that failed first had 88 hosts in it) but succeeds with only 20 FQDNs in it.
What in the code “broke” with the switch from HTTP/1.1 to HTTP/2? I would think/hope that the transport layer would have no effect on the application layer data.
Here is where it actually goes wrong: when connecting to /acme/new-nonce the TLS handshake fails and the client (dehydrated) goes on trying with an empty nonce. Guess it’s still a bug within boulder or the CDN, or should the client retry fetching the nonce in these cases?
Edit: also guessing the other trending issues in this forum are actually the same error, with boulder/the CDN not handing out nonces and clients that aren’t equipped to deal with that.
Thanks for the feedback. If Lukas Schauer doesn’t have time, maybe I’ll give it a try.
FYI, the TLS handshakes fail not only at the nonce-retrieving stage (which I guess would be even stranger) but also earlier in the process (although not that often for me). https://pastebin.com/GvpS89MY
This happened while sending the signed request.
Just to be clear: the underlying issue hasn’t been completely fixed yet. This error occurs due to connection issues with the CA, and there currently is no retry logic in dehydrated. The only thing the last commit fixed should be the type of the error message: instead of failing with “no nonce”, dehydrated should (at least in theory…) now notice the broken HEAD request and fail early with a correct error message, but I think there is another issue which again prevents this from working correctly. I’ll have to do some work on it; until then you can always just rerun the script. At least with ACME it kinda keeps the state and doesn’t have to rerun everything again.
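The two failure modes discussed in this thread, case-sensitive matching of the `Replay-Nonce` header (which HTTP/2 delivers in lowercase) and carrying on with an empty nonce when the HEAD request to `/acme/new-nonce` breaks, can be handled in a few lines of shell. The snippet below is an added example, not dehydrated’s own code; the responses are constructed samples, and `flaky_fetch` / `always_empty` are hypothetical stand-ins for the curl call against the CA.

```shell
#!/bin/bash
# Added example (not from dehydrated): extract the ACME Replay-Nonce header
# case-insensitively and refuse to continue with an empty nonce, retrying
# the fetch a bounded number of times instead.

# Constructed sample responses, in the shape `curl -i` prints them.
RESP_H1='HTTP/1.1 200 OK
Replay-Nonce: abc123XYZ
Content-Length: 0
'
RESP_H2='HTTP/2 200
replay-nonce: def456UVW
content-length: 0
'
RESP_NONE='HTTP/2 200
content-length: 0
'

# extract_nonce RESPONSE: print the nonce, return 1 if the header is absent.
extract_nonce() {
  nonce=$(printf '%s\n' "$1" \
    | grep -i '^replay-nonce:' \
    | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//' \
    | tr -d '\r')
  [ -n "$nonce" ] || return 1
  printf '%s' "$nonce"
}

# get_nonce_with_retry FETCHER TRIES: FETCHER is a command printing one
# response (given the attempt number); stop as soon as a nonce is present,
# otherwise fail loudly instead of signing a request with an empty nonce.
get_nonce_with_retry() {
  fetcher="$1"; tries="${2:-3}"; i=0
  while [ "$i" -lt "$tries" ]; do
    i=$((i + 1))
    if nonce=$(extract_nonce "$("$fetcher" "$i")"); then
      printf '%s' "$nonce"
      return 0
    fi
  done
  echo "ERROR: no Replay-Nonce in $tries attempts, refusing to continue" >&2
  return 1
}

# Hypothetical fetchers standing in for curl: the first two attempts come
# back without a nonce (like a broken HEAD request), the third succeeds.
flaky_fetch() { if [ "$1" -lt 3 ]; then printf '%s' "$RESP_NONE"; else printf '%s' "$RESP_H2"; fi; }
always_empty() { printf '%s' "$RESP_NONE"; }
```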