LE Windows client request wildcard cert

Trying to get a wildcard certificate issued with the Windows version of the client:

2018/03/31 15:59:49 [ ZeroSSL Crypt::LE client v0.31 started. ]
2018/03/31 15:59:49 Loading an account key from keys/account.key
2018/03/31 15:59:49 Loading a CSR from keys/domain_com.csr
2018/03/31 15:59:52 Registering the account key
2018/03/31 15:59:53 The key has been successfully registered. ID: 32189279
2018/03/31 15:59:53 Make sure to check TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2018/03/31 15:59:53 Current contact details: sebus@domain.com
Challenge for '*.domain.com' requires the following DNS record to be created:
Host: _acme-challenge.domain.com, type: TXT, value: CvkvXCdKqh6f7HF0kKRvN1ylF0HB-8m6Cj9T1DNluFg
Wait for DNS to update by checking it with the command: nslookup -q=TXT _acme-challenge.domain.com
When you see a text record returned, press

Record created; the day after, we try to carry on:

2018/04/01 10:17:01 Processing the 'dns' verification for '*.domain.com'
2018/04/01 10:17:01 Domain verification results for '*.domain.com': error. JWS has an invalid anti-replay nonce: "b5Wu6GbaghKpDdzs0a1op8rECg_hG3DNa5cK9bfkFqs"
2018/04/01 10:17:01 You can now delete '_acme-challenge.domain.com' DNS record
2018/04/01 10:17:01 All verifications failed

One is supposed to use the --renew option, but that fails with

2018/04/01 10:17:29 [ ZeroSSL Crypt::LE client v0.31 started. ]
2018/04/01 10:17:29 Loading an account key from keys/account.key
2018/04/01 10:17:29 Loading a CSR from keys/domain_com.csr
2018/04/01 10:17:29 Checking certificate for expiration (website connection).
2018/04/01 10:17:29 Checking *.domain.com
2018/04/01 10:17:29 Could not get the certificate expiration value, cannot renew.

Of course there is NO certificate yet, so nothing can be checked!

Any idea what/where is wrong?

sebus
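The client's instructions above say to keep checking with `nslookup -q=TXT` until the record is returned before pressing Enter. The following is an added example, not part of the post or of the Crypt::LE client: it parses the output of that command and polls until the expected token is visible or the attempts run out. The host and token are the ones printed in the log above; the nslookup outputs and the slow resolver are constructed so the module runs offline, and the `server` argument of `nslookup_txt` is there so the zone's authoritative nameserver can be queried directly rather than a local caching resolver.

```python
"""Check that the dns-01 TXT record is visible before continuing the challenge.

Added example, not part of the original post or of the Crypt::LE client.
parse_txt_values extracts the quoted TXT strings from `nslookup -q=TXT`
output (Windows and Unix layouts); wait_for_txt polls a lookup function
until the expected token appears. nslookup_txt is the only function that
touches the network; the demo uses a constructed resolver instead.
"""
import re
import subprocess
import time

# Host and token as printed by the client in the thread above.
CHALLENGE_HOST = "_acme-challenge.domain.com"
EXPECTED_TOKEN = "CvkvXCdKqh6f7HF0kKRvN1ylF0HB-8m6Cj9T1DNluFg"

# Constructed sample of Windows nslookup output once the record is visible.
SAMPLE_WINDOWS_OUTPUT = """Server:  dns.example.net
Address:  192.0.2.53

Non-authoritative answer:
_acme-challenge.domain.com      text =

        "CvkvXCdKqh6f7HF0kKRvN1ylF0HB-8m6Cj9T1DNluFg"
"""

# Constructed sample of the same query before the record has propagated.
SAMPLE_MISSING_OUTPUT = """Server:  dns.example.net
Address:  192.0.2.53

*** dns.example.net can't find _acme-challenge.domain.com: Non-existent domain
"""


def parse_txt_values(output: str) -> set:
    """Return the set of TXT strings found in nslookup output.

    One TXT record longer than 255 bytes is printed as several quoted
    strings on a single line; those fragments are joined back together.
    Separate records appear on separate lines and stay separate.
    """
    values = set()
    for line in output.splitlines():
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            values.add("".join(parts))
    return values


def nslookup_txt(host: str, server: str = None) -> str:
    """Run the command the client recommends and return its text output.

    Passing the zone's authoritative nameserver as `server` avoids being
    misled by a stale answer cached in a local recursive resolver.
    """
    cmd = ["nslookup", "-q=TXT", host] + ([server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def wait_for_txt(host, expected, lookup, attempts=20, delay=30.0, sleep=time.sleep):
    """Poll `lookup(host)` until `expected` is among the TXT values.

    Returns the attempt number on which the record became visible, or 0
    if it never did within `attempts` tries spaced `delay` seconds apart.
    """
    for attempt in range(1, attempts + 1):
        if expected in parse_txt_values(lookup(host)):
            return attempt
        if attempt < attempts:
            sleep(delay)
    return 0


def make_slow_resolver(visible_after: int):
    """Constructed resolver: the record is missing until the Nth query."""
    calls = {"n": 0}

    def lookup(host):
        calls["n"] += 1
        return SAMPLE_WINDOWS_OUTPUT if calls["n"] >= visible_after else SAMPLE_MISSING_OUTPUT

    return lookup


if __name__ == "__main__":
    # Offline demo: the record becomes visible on the third query.
    n = wait_for_txt(CHALLENGE_HOST, EXPECTED_TOKEN, make_slow_resolver(3), delay=0)
    print("record visible on attempt", n)
    # Real use: wait_for_txt(CHALLENGE_HOST, EXPECTED_TOKEN, nslookup_txt)
```

Against a live zone, pass `nslookup_txt` (or `lambda h: nslookup_txt(h, "ns1.your-dns-provider.example")`) as the lookup function; a return value of 0 means the record was still not visible after the whole polling window and the challenge should not be continued yet.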

One is supposed to use --renew 0

That works!

sebus


Thanks for raising this - even though it is a rather unlikely use case (waiting for a day before continuing), I will account for that in the next version, so hopefully that invalid nonce will go away.

I do not know how unlikely it is: DNS did not propagate in 3 hours, after which it was time to sleep. So the next time was the next day…
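The "invalid anti-replay nonce" error in the first post is the ACME server's `badNonce` response: RFC 8555 requires every signed request to carry a fresh, single-use nonce issued by the server in its JWS protected header, and a nonce held over from the previous day is no longer accepted. The following is an added example, not code from this thread or from the Crypt::LE client: a toy server and client that model the nonce check, showing a client that reuses yesterday's nonce failing and a client that retries with the `Replay-Nonce` returned in the error response succeeding. The HMAC signature, the shared key, the one-hour nonce lifetime and the request payloads are all constructed stand-ins; a real ACME exchange uses an asymmetric account key and a JWS signature.

```python
"""Why an ACME request signed with a day-old nonce is rejected.

Added example, not code from the original thread or the Crypt::LE client.
The server issues nonces, accepts each one once, and answers a stale or
unknown nonce with urn:ietf:params:acme:error:badNonce plus a fresh nonce
(RFC 8555 section 6.5). Signing is HMAC over BASE64URL(protected) "." 
BASE64URL(payload), a constructed stand-in for the real JWS signature.
"""
import base64
import hashlib
import hmac
import json
import secrets

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"
DAY = 86400

# Constructed key shared by the toy client and server (real ACME uses an
# asymmetric account key and the server verifies a JWS signature).
KEY = b"constructed-account-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, protected: str, payload: str) -> str:
    """Stand-in for the JWS signature over protected.payload."""
    return b64url(hmac.new(key, f"{protected}.{payload}".encode(), hashlib.sha256).digest())


class FakeAcmeServer:
    NONCE_TTL = 3600  # modeled nonce lifetime in seconds, not any real CA's value

    def __init__(self, key: bytes):
        self._key = key
        self._nonces = {}  # nonce -> time it was issued

    def new_nonce(self, now: int) -> str:
        """Equivalent of the newNonce resource / Replay-Nonce header."""
        nonce = secrets.token_urlsafe(32)
        self._nonces[nonce] = now
        return nonce

    def handle(self, request: dict, now: int) -> dict:
        protected = json.loads(b64url_decode(request["protected"]))
        # Single use: the nonce is consumed whether or not the request succeeds.
        issued = self._nonces.pop(protected.get("nonce"), None)
        if issued is None or now - issued > self.NONCE_TTL:
            return {"status": 400, "type": BAD_NONCE, "replay_nonce": self.new_nonce(now)}
        expected = sign(self._key, request["protected"], request["payload"])
        if not hmac.compare_digest(expected, request["signature"]):
            return {"status": 401, "type": "urn:ietf:params:acme:error:malformed",
                    "replay_nonce": self.new_nonce(now)}
        return {"status": 200, "replay_nonce": self.new_nonce(now)}


class AcmeClient:
    def __init__(self, server: FakeAcmeServer, key: bytes, retry_on_bad_nonce: bool):
        self.server, self._key, self.retry = server, key, retry_on_bad_nonce
        self.nonce = None  # last Replay-Nonce seen; may be stale by the next request

    def _post(self, payload: dict, now: int) -> dict:
        if self.nonce is None:
            self.nonce = self.server.new_nonce(now)
        protected = b64url(json.dumps({"alg": "HS256", "nonce": self.nonce,
                                       "url": "/acme/example"}).encode())
        body = b64url(json.dumps(payload).encode())
        resp = self.server.handle({"protected": protected, "payload": body,
                                   "signature": sign(self._key, protected, body)}, now)
        self.nonce = resp["replay_nonce"]  # every response carries a fresh nonce
        return resp

    def post(self, payload: dict, now: int) -> dict:
        resp = self._post(payload, now)
        if resp.get("type") == BAD_NONCE and self.retry:
            resp = self._post(payload, now)  # retry once with the nonce from the error
        return resp


def run_session(retry_on_bad_nonce: bool):
    """Order on day one, answer the challenge a day later; return both statuses."""
    server = FakeAcmeServer(KEY)
    client = AcmeClient(server, KEY, retry_on_bad_nonce)
    first = client.post({"identifiers": [{"type": "dns", "value": "*.domain.com"}]}, now=0)
    # Operator creates the TXT record, DNS is slow, and continues the next day.
    second = client.post({"challenge": "dns-01"}, now=DAY)
    return first["status"], second["status"], second.get("type")


if __name__ == "__main__":
    print("reuse yesterday's nonce:", run_session(False))
    print("retry with Replay-Nonce:", run_session(True))
```

The naive session reproduces the thread's failure (a 400 with `badNonce` on the second request), while the session that honours the `Replay-Nonce` from the error and resends the same request succeeds. That retry is what an ACME client is expected to do on `badNonce`, and it is the behaviour the developer's reply above says will be accounted for.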
