Syno-letsencrypt - JWS has invalid anti-replay nonce

Please fill out the fields below so we can help you better.

My domain is: valhalla.vikingserv.net

I ran this command: syno-letsencrypt new-cert -d valhalla.vikingserv.net -m domains@vikingserv.net -vv

It produced this output:

DEBUG: ==== start to new cert ====
DEBUG: Server: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Email: domains@vikingserv.net
DEBUG: Domain: valhalla.vikingserv.net
DEBUG: ==========================
DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
DEBUG: szUserAgent: [synology_armada375_ds215j DSM6.1-15101 Update 2 (DDNS)]
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Curl Reply: [200] Header: [HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: MeSuecDVlkbs0Jv3cYIW1PQFf5MjRZRrikXxpWsbIFA
Replay-Nonce: WXWSu1QkewH6davkHaFRu5vhZywbX_MuSA_EbjI0l0Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 20 May 2017 18:19:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 May 2017 18:19:13 GMT
Connection: keep-alive

] Body: [{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}]
DEBUG: Not found registed account. do reg-new.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
DEBUG: Post JWS value: {
   "contact" : [ "mailto:domains@vikingserv.net" ],
   "resource" : "new-reg"
}

DEBUG: szUserAgent: [synology_armada375_ds215j DSM6.1-15101 Update 2 (DDNS)]
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
DEBUG: Post value: {
   "header" : {
      "alg" : "RS256",
      "jwk" : {
         "e" : "AQAB",
         "kty" : "RSA",
         "n" : "z8Jn_LExkogDJt_sc0RPli171cuqqZSaVlXNrkHMghNvLHe36E8Bjw0WKkx4XTP1pc4L0m_4gRx9IrIp7hAy7HISajI5DxNOuqU71rLpYq9Fp2DMkLXt8aa7yWWs7OJNQNZ2kNsasRZCmD0DYh0Jtr_-MyFGwlUpzupmfYDyhfxpfgpJc-tLYDmnzPWBQHHp4mVnPMQ32rb57v1wc_6kEgOrIhakkx2wyide0vUClEZTSTzaCfL9bpS1wYzT-1_hdHSLfaBnb6im6xWjrDaUvfpqqALiRogznpNOCcoy29Jd0xIxqUiSdWIy6uHcq-OmproBFhmbnOZZ7fipTHeDYQ"
      }
   },
   "payload" : "eyJjb250YWN0IjpbIm1haWx0bzpkb21haW5zQHZpa2luZ3NlcnYubmV0Il0sInJlc291cmNlIjoibmV3LXJlZyJ9Cg",
   "protected" : "eyJub25jZSI6IldYV1N1MVFrZXdINmRhdmtIYUZSdTV2aFp5d2JYX011U0FfRWJqSTBsMFEifQo",
   "signature" : "JrZruZbzgelYOFUglU4tp8US851n4Ty5uRKpovMOmssj3v9Jav_al1j-t9vTg_eB1XMHXDReEtD-HtMVs_uCccu9I-60LQGxWZRCNv29lbci79M20dK7v2egAlIEwVYPsq1_8D1B8GOA3fC01YPoDyAKxSTxMefVwT4NQhVOTkVh3fTGJBDpIPs5VSHyXvZHoffxmsW9LDog8Dmmczw-coLb2xkqS3ST-lX4xN6p3Zu-z_Jaof9LE4moJwk8msJmzBDIjDY6BTeP_QjDuWG2w6rDaziG6mpU90GY7Y4E4qBEgJc-CPoQEErT5UEt7k3O-LWv01ulmy8trNg3Ga4rvA"
}

DEBUG: Curl Reply: [400] Header: [HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 149
Boulder-Request-Id: utDKa67DKtR6pKnYuXf6WpbNhD0snChIvx0h59YOHHk
Replay-Nonce: dL7Ly6ow_Pgw0h4j-d_UPpjC_HRfCUjNq6ZX4ELyYFw
Expires: Sat, 20 May 2017 18:19:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 May 2017 18:19:16 GMT
Connection: close

] Body: [{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has invalid anti-replay nonce WXWSu1QkewH6davkHaFRu5vhZywbX_MuSA_EbjI0l0Q",
  "status": 400
}]
{"error":105,"file":"client.cpp","msg":"JWS has invalid anti-replay nonce WXWSu1QkewH6davkHaFRu5vhZywbX_MuSA_EbjI0l0Q"}

My operating system is (include version): Synology DSM 6.1.1-15101 Update 2

My web server is (include version): Nginx

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


I’m almost certain that this is an LE issue (possibly related to the recent service outage that now seems to be officially resolved) - the NAS is configured correctly and is accessible from the outside world, and the validation URLs work (I have added data into the .well-known directories and browsed them from a VPS).

Hi @craigwatson

Nonces have an expiry date and your client should obtain a new nonce before submitting a request.

syno-letsencrypt is a Synology developed client so not too many people on this forum may be familiar with it.

I have noticed some posts about the syno-letsencrypt client on this forum: https://forum.synology.com/ so suggest you post your question there.

Andrei
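The nonce behaviour Andrei describes, as an added example that is not part of this thread and is not code from syno-letsencrypt or from Boulder. A constructed in-process mock (`MockAcmeServer`, with an assumed 300-second nonce lifetime) stands in for the ACME endpoint so the script runs offline; the `AcmeClient` part is what to compare with the log above, where the client sent one request, received `urn:acme:error:badNonce`, and exited with error 105 even though the 400 reply carried a fresh `Replay-Nonce` header. Signing is a placeholder string, since RS256 is not the point here.

```python
"""Added illustration (not code from the thread, Synology or Boulder): how an
ACME client should treat the Replay-Nonce / badNonce exchange. Everything
below is constructed for the example."""
import json
import secrets
import time

BAD_NONCE = "urn:acme:error:badNonce"  # error type shown in the thread


class MockAcmeServer:
    """Constructed stand-in for the ACME endpoint: each nonce is accepted
    once, unused nonces expire after `ttl` seconds, and every reply, error
    replies included, carries a new Replay-Nonce header."""

    def __init__(self, ttl=300.0, clock=time.monotonic):
        self.ttl = ttl          # assumed lifetime; the real value is Boulder's
        self.clock = clock
        self._issued = {}       # nonce -> time issued

    def new_nonce(self):
        nonce = secrets.token_urlsafe(32)
        self._issued[nonce] = self.clock()
        return nonce

    def post(self, jws):
        """Return (status, headers, body) the way an HTTP reply would."""
        nonce = json.loads(jws["protected"]).get("nonce")
        issued = self._issued.pop(nonce, None)  # pop: a nonce is single-use
        headers = {"Replay-Nonce": self.new_nonce()}
        if issued is None or self.clock() - issued > self.ttl:
            body = {"type": BAD_NONCE, "status": 400,
                    "detail": f"JWS has invalid anti-replay nonce {nonce}"}
            return 400, headers, body
        return 201, headers, {"status": "valid"}


class AcmeClient:
    """Minimal client: caches the most recent Replay-Nonce and, on badNonce,
    retries with the nonce from the error reply instead of giving up."""

    def __init__(self, server, max_nonce_retries=3):
        self.server = server
        self.nonce = None
        self.max_nonce_retries = max_nonce_retries
        self.last_nonce_sent = None

    def _take_nonce(self):
        if self.nonce is None:            # nothing cached: fetch one first
            self.nonce = self.server.new_nonce()
        nonce, self.nonce = self.nonce, None
        self.last_nonce_sent = nonce
        return nonce

    def post_jws(self, payload):
        """Return (status, body, attempts)."""
        for attempt in range(1, self.max_nonce_retries + 2):
            protected = json.dumps({"alg": "RS256", "nonce": self._take_nonce()})
            jws = {"protected": protected, "payload": json.dumps(payload),
                   "signature": "<constructed placeholder, not a real RS256>"}
            status, headers, body = self.server.post(jws)
            self.nonce = headers.get("Replay-Nonce")  # cache from every reply
            if status == 400 and body.get("type") == BAD_NONCE:
                continue  # the error reply already supplied a fresh nonce
            return status, body, attempt
        raise RuntimeError("badNonce persisted after retries; give up")


def demo():
    """Three situations, driven by a controllable clock so expiry is testable."""
    now = [0.0]
    server = MockAcmeServer(ttl=300.0, clock=lambda: now[0])
    client = AcmeClient(server)
    # 1. fresh nonce: succeeds on the first try
    status, _, tries = client.post_jws({"resource": "new-reg"})
    first = (status, tries)
    used = client.last_nonce_sent
    # 2. replaying an already-consumed nonce is rejected outright
    replay = {"protected": json.dumps({"alg": "RS256", "nonce": used}),
              "payload": "{}", "signature": "x"}
    replay_status, _, replay_body = server.post(replay)
    # 3. the cached nonce goes stale (clock jumps past ttl); one retry fixes it
    now[0] += 600.0
    status, _, tries = client.post_jws({"resource": "new-authz"})
    return {"first": first,
            "replay": (replay_status, replay_body["type"]),
            "after_expiry": (status, tries)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The design point is in `post_jws`: the `Replay-Nonce` header is stored from every reply, including the 400, so a single retry recovers from an expired or unknown nonce; a client that treats badNonce as fatal, as the log above shows, turns a routine nonce rotation into a failed issuance.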

Hi @ahaw021 - thanks.

The errors have now mysteriously disappeared and I’m able to generate a valid certificate with no changes at all on the Synology device - that does seem to point to the LE servers being at fault, but as long as it’s solved, I’m not all that fussed 🙂

Cheers,
Craig
