LE Windows client request wildcard cert


#1

Trying to get wildcard certificate issued with Windows version client:

2018/03/31 15:59:49 [ ZeroSSL Crypt::LE client v0.31 started. ]
2018/03/31 15:59:49 Loading an account key from keys/account.key
2018/03/31 15:59:49 Loading a CSR from keys/domain_com.csr
2018/03/31 15:59:52 Registering the account key
2018/03/31 15:59:53 The key has been successfully registered. ID: 32189279
2018/03/31 15:59:53 Make sure to check TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2018/03/31 15:59:53 Current contact details: sebus@domain.com
Challenge for ‘*.domain.com’ requires the following DNS record to be created:
Host: _acme-challenge.domain.com, type: TXT, value: CvkvXCdKqh6f7HF0kKRvN1ylF0HB-8m6Cj9T1DNluFg
Wait for DNS to update by checking it with the command: nslookup -q=TXT _acme-challenge.domain.com
When you see a text record returned, press

Record created, day after we try to carry on

2018/04/01 10:17:01 Processing the ‘dns’ verification for ‘.domain.com’
2018/04/01 10:17:01 Domain verification results for '
.domain.com’: error. JWS has an invalid anti-replay nonce: “b5Wu6G
baghKpDdzs0a1op8rECg_hG3DNa5cK9bfkFqs”
2018/04/01 10:17:01 You can now delete ‘_acme-challenge.domain.com’ DNS record
2018/04/01 10:17:01 All verifications failed

One is supposed to use --renew option, but that fails with

2018/04/01 10:17:29 [ ZeroSSL Crypt::LE client v0.31 started. ]
2018/04/01 10:17:29 Loading an account key from keys/account.key
2018/04/01 10:17:29 Loading a CSR from keys/domain_com.csr
2018/04/01 10:17:29 Checking certificate for expiration (website connection).
2018/04/01 10:17:29 Checking *.domain.com
2018/04/01 10:17:29 Could not get the certificate expiration value, cannot renew.

Ofcourse there is NO certificate yet, so nothing can be checked!

Any idea what/where is wrong?

sebus


#2

One is supposed to use --renew 0

That works!

sebus


#3

Thanks for raising this - even though it is rather unlikely use case with waiting for a day before continuing, I will account for that in the next version, so hopefully that invalid nonce will go away.


#4

I do not know how unlikely it is, DNS did not propagate in 3 hours, after which it was time to sleep. So next time was next day…


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.