Syno-letsencrypt - JWS has invalid anti-replay nonce

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: syno-letsencrypt new-cert -d -m -vv

It produced this output:

DEBUG: ==== start to new cert ====
DEBUG: Server:
DEBUG: Email:
DEBUG: Domain:
DEBUG: ==========================
DEBUG: setup acme url
DEBUG: szUserAgent: [synology_armada375_ds215j DSM6.1-15101 Update 2 (DDNS)]
DEBUG: GET Request:
DEBUG: Curl Reply: [200] Header: [HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: MeSuecDVlkbs0Jv3cYIW1PQFf5MjRZRrikXxpWsbIFA
Replay-Nonce: WXWSu1QkewH6davkHaFRu5vhZywbX_MuSA_EbjI0l0Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 20 May 2017 18:19:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 May 2017 18:19:13 GMT
Connection: keep-alive

] Body: [{
  "key-change": "",
  "new-authz": "",
  "new-cert": "",
  "new-reg": "",
  "revoke-cert": ""
DEBUG: Not found registed account. do reg-new.
DEBUG: Post JWS Request:
DEBUG: Post JWS value: {
   "contact" : [ "" ],
   "resource" : "new-reg"

DEBUG: szUserAgent: [synology_armada375_ds215j DSM6.1-15101 Update 2 (DDNS)]
DEBUG: Post Request:
DEBUG: Post value: {
   "header" : {
      "alg" : "RS256",
      "jwk" : {
         "e" : "AQAB",
         "kty" : "RSA",
         "n" : "z8Jn_LExkogDJt_sc0RPli171cuqqZSaVlXNrkHMghNvLHe36E8Bjw0WKkx4XTP1pc4L0m_4gRx9IrIp7hAy7HISajI5DxNOuqU71rLpYq9Fp2DMkLXt8aa7yWWs7OJNQNZ2kNsasRZCmD0DYh0Jtr_-MyFGwlUpzupmfYDyhfxpfgpJc-tLYDmnzPWBQHHp4mVnPMQ32rb57v1wc_6kEgOrIhakkx2wyide0vUClEZTSTzaCfL9bpS1wYzT-1_hdHSLfaBnb6im6xWjrDaUvfpqqALiRogznpNOCcoy29Jd0xIxqUiSdWIy6uHcq-OmproBFhmbnOZZ7fipTHeDYQ"
   "payload" : "eyJjb250YWN0IjpbIm1haWx0bzpkb21haW5zQHZpa2luZ3NlcnYubmV0Il0sInJlc291cmNlIjoibmV3LXJlZyJ9Cg",
   "protected" : "eyJub25jZSI6IldYV1N1MVFrZXdINmRhdmtIYUZSdTV2aFp5d2JYX011U0FfRWJqSTBsMFEifQo",
   "signature" : "JrZruZbzgelYOFUglU4tp8US851n4Ty5uRKpovMOmssj3v9Jav_al1j-t9vTg_eB1XMHXDReEtD-HtMVs_uCccu9I-60LQGxWZRCNv29lbci79M20dK7v2egAlIEwVYPsq1_8D1B8GOA3fC01YPoDyAKxSTxMefVwT4NQhVOTkVh3fTGJBDpIPs5VSHyXvZHoffxmsW9LDog8Dmmczw-coLb2xkqS3ST-lX4xN6p3Zu-z_Jaof9LE4moJwk8msJmzBDIjDY6BTeP_QjDuWG2w6rDaziG6mpU90GY7Y4E4qBEgJc-CPoQEErT5UEt7k3O-LWv01ulmy8trNg3Ga4rvA"

DEBUG: Curl Reply: [400] Header: [HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 149
Boulder-Request-Id: utDKa67DKtR6pKnYuXf6WpbNhD0snChIvx0h59YOHHk
Replay-Nonce: dL7Ly6ow_Pgw0h4j-d_UPpjC_HRfCUjNq6ZX4ELyYFw
Expires: Sat, 20 May 2017 18:19:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 May 2017 18:19:16 GMT
Connection: close

] Body: [{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has invalid anti-replay nonce WXWSu1QkewH6davkHaFRu5vhZywbX_MuSA_EbjI0l0Q",
  "status": 400
{"error":105,"file":"client.cpp","msg":"JWS has invalid anti-replay nonce WXWSu1QkewH6davkHaFRu5vhZywbX_MuSA_EbjI0l0Q"}

My operating system is (include version): Synology DSM 6.1.1-15101 Update 2

My web server is (include version): Nginx

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’m almost certain that this is an LE issue (possibly related to the recent service outage that now seems to be officially resolved) - the NAS is configured correctly and is accessible from the outside world, and the validation URLs work (I have added data into the .well-known directories and browsed them from a VPS).

Hi @craigwatson

Nonces have a expiry date and your client should obtain a new nonce before submitting a request.

syno-letsencrypt is a Synology developed client so not too many people on this forum may be familiar with it.

I have noticed some posts about the syno-letsencrypt client on this forum: so suggest you post your question there.


Hi @ahaw021 - thanks.

The errors have now mysteriously disappeared and I’m able to generate a valid certificate with no changes at all on the Synology device - that does seem to point to the LE servers being at fault, but as long as it’s solved, I’m not all that fussed :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.