I can't renew my certificate with the acme.sh script (version 2.8.1). I get this message:
Date: Mon, 01 Jun 2020 17:52:37 GMT
Content-Type: application/problem+json
Content-Length: 173
Connection: keep-alive
Boulder-Requester: 79442763
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00025iwmlrf7S1i_VNA_eIJUqaBGgux_LJbVU-KHQBGlhcI
'
[Mon Jun 1 19:52:42 CEST 2020] code='400'
[Mon Jun 1 19:52:42 CEST 2020] original='{
"type": "urn:ietf:params:acme:error:badNonce",
"detail": "JWS has an invalid anti-replay nonce: \"0001BwfNbXJUeYQM5e68kdDkzHubj37fVjBd11h_sQFnOao\"",
"status": 400
}'
[Mon Jun 1 19:52:42 CEST 2020] response='{
"type": "urn:ietf:params:acme:error:badNonce",
"detail": "JWS has an invalid anti-replay nonce: \"0001BwfNbXJUeYQM5e68kdDkzHubj37fVjBd11h_sQFnOao\"",
"status": 400
}'
[Mon Jun 1 19:52:42 CEST 2020] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
90 days ago I used this command without problem to generate the certificate:
If acme.sh doesn't work, can I generate my certificate on another machine (Ubuntu in a virtual machine) and import it to my Synology NAS?
My domain is: home.rolland.net
I ran this command: ./acme.sh --cron --home /volume1/.acme.sh --debug 3
It produced this output:
My web server is (include version): DSM 5
The operating system my web server runs on is (include version): apache 2.2
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is: acme.sh v2.8.1
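The badNonce in the log above is an ACME protocol condition, not a sign of server load. The following is an added example (not acme.sh or Boulder code) that models the RFC 8555 anti-replay nonce: a toy CA that issues single-use nonces and a client that retries a rejected POST with the Replay-Nonce carried on the 400 response, the same header that is visible in the error headers above. Everything runs in-process, nothing is actually signed, and the account URL, endpoint paths and nonce strings are invented for the demo.

```python
"""
Toy model of the ACME anti-replay nonce (RFC 8555, section 6.5) behind the
badNonce error.  Added example, not Boulder's or acme.sh's code: the CA and
the JWS are simulated in-process, nothing is signed, and the nonces are
random strings generated here.
"""
import base64
import json
import os

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ToyCA:
    """Server side: each nonce is handed out once and accepted at most once."""

    def __init__(self):
        self._live = set()
        self.accepted = []   # URLs of requests that passed the nonce check

    def _fresh(self) -> str:
        nonce = b64url(os.urandom(16))
        self._live.add(nonce)
        return nonce

    def new_nonce(self) -> dict:
        # HEAD /acme/new-nonce: the nonce rides in the Replay-Nonce header.
        return {"status": 200, "headers": {"Replay-Nonce": self._fresh()}}

    def post(self, jws: dict) -> dict:
        protected = json.loads(b64url_decode(jws["protected"]))
        # Every response, success or error, carries a fresh nonce (RFC 8555 6.5).
        headers = {"Replay-Nonce": self._fresh()}
        nonce = protected.get("nonce", "")
        if nonce not in self._live:
            body = {"type": BAD_NONCE,
                    "detail": f'JWS has an invalid anti-replay nonce: "{nonce}"',
                    "status": 400}
            return {"status": 400, "headers": headers, "body": body}
        self._live.discard(nonce)          # single use: a replay of it now fails
        self.accepted.append(protected["url"])
        return {"status": 200, "headers": headers, "body": {"status": "ok"}}


def make_jws(nonce: str, url: str, payload: dict) -> dict:
    """Client side: the nonce and the target URL live in the JWS protected header."""
    protected = {"alg": "ES256", "kid": "https://ca.example/acct/1",  # invented account URL
                 "nonce": nonce, "url": url}
    return {"protected": b64url(json.dumps(protected).encode()),
            "payload": b64url(json.dumps(payload).encode()),
            "signature": "omitted-in-this-model"}   # a real client signs protected.payload


def signed_post(ca: ToyCA, url: str, payload: dict, nonce: str, max_attempts: int = 3):
    """POST with retry: on badNonce, reuse the Replay-Nonce from the 400 response.
    Returns (final response, attempts made, nonce to use for the next request)."""
    response = None
    for attempt in range(1, max_attempts + 1):
        response = ca.post(make_jws(nonce, url, payload))
        nonce = response["headers"]["Replay-Nonce"]
        if response["status"] == 200 or response["body"]["type"] != BAD_NONCE:
            return response, attempt, nonce
    return response, max_attempts, nonce


def nonce_demo() -> dict:
    ca = ToyCA()
    first = ca.new_nonce()["headers"]["Replay-Nonce"]
    # 1. Fresh nonce from new-nonce: accepted on the first try.
    r1, tries1, nonce = signed_post(ca, "/acme/new-order", {"identifiers": []}, first)
    # 2. A nonce the CA never issued (e.g. one kept from an old session): the first
    #    POST fails with badNonce, the retry with the nonce from the error response succeeds.
    r2, tries2, nonce = signed_post(ca, "/acme/new-order", {"identifiers": []}, "stale-from-old-session")
    # 3. Replaying the nonce that request 1 already consumed is also badNonce.
    replay = ca.post(make_jws(first, "/acme/new-order", {"identifiers": []}))
    return {"fresh_attempts": tries1, "fresh_status": r1["status"],
            "stale_attempts": tries2, "stale_status": r2["status"],
            "replay_status": replay["status"], "replay_type": replay["body"]["type"],
            "accepted": len(ca.accepted)}


if __name__ == "__main__":
    print(json.dumps(nonce_demo(), indent=2))
```

The point of the retry loop is that a single badNonce is recoverable from the 400 itself, because the CA attaches a new Replay-Nonce to the error; acme.sh's "let's wait and retry" line after the 400 is its retry on this condition. Repeated badNonce on every attempt is therefore worth investigating separately from the nonce itself (for example, another process sharing the same account and directory, or a client talking to a different CA endpoint than the one that issued the nonce).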
DiskStation> ./acme.sh --upgrade
[Mon Jun 1 21:20:01 CEST 2020] Installing from online archive.
[Mon Jun 1 21:20:01 CEST 2020] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Mon Jun 1 21:20:10 CEST 2020] Extracting master.tar.gz
[Mon Jun 1 21:20:28 CEST 2020] It is recommended to install socat first.
[Mon Jun 1 21:20:28 CEST 2020] We use socat for standalone server if you use standalone mode.
[Mon Jun 1 21:20:28 CEST 2020] If you don't use standalone mode, just ignore this warning.
[Mon Jun 1 21:20:28 CEST 2020] Installing to /volume1/homes/admin/acme
[Mon Jun 1 21:20:31 CEST 2020] Installed to /volume1/homes/admin/acme/acme.sh
[Mon Jun 1 21:20:52 CEST 2020] OK
[Mon Jun 1 21:20:52 CEST 2020] Install success!
[Mon Jun 1 21:20:52 CEST 2020] Upgrade success!
DiskStation> cd /volume1/homes/admin/acme
DiskStation> ./acme.sh --version
v2.8.6
I have copied the subdirectory home.rolland.net into the new install dir:
- Same message during the renewal of the certificate:
[Mon Jun 1 21:27:41 CEST 2020] responseHeaders='HTTP/1.1 400 Bad Request
Server: nginx
Date: Mon, 01 Jun 2020 19:27:40 GMT
Content-Type: application/problem+json
Content-Length: 173
Connection: keep-alive
Boulder-Requester: 79442763
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101zToWqAuE4RnYi7ThpkPPvUjiwkIDyS2OjSM7URNk-Yc
'
[Mon Jun 1 21:27:42 CEST 2020] code='400'
[Mon Jun 1 21:27:42 CEST 2020] original='{
"type": "urn:ietf:params:acme:error:badNonce",
"detail": "JWS has an invalid anti-replay nonce: \"0102MQqNt-zgQJl14_f4S7gJqOuPPBIF-F3aXieP_wNqDXw\"",
"status": 400
}'
[Mon Jun 1 21:27:42 CEST 2020] response='{
"type": "urn:ietf:params:acme:error:badNonce",
"detail": "JWS has an invalid anti-replay nonce: \"0102MQqNt-zgQJl14_f4S7gJqOuPPBIF-F3aXieP_wNqDXw\"",
"status": 400
}'
[Mon Jun 1 21:27:42 CEST 2020] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
With the renew command (doesn't work):
DiskStation> ./acme.sh --renew -d home.rolland.net
[Mon Jun 1 21:40:04 CEST 2020] Renew: 'home.rolland.net'
[Mon Jun 1 21:41:15 CEST 2020] Create account key ok.
[Mon Jun 1 21:41:16 CEST 2020] Registering account
[Mon Jun 1 21:41:30 CEST 2020] Registered
[Mon Jun 1 21:41:30 CEST 2020] ACCOUNT_THUMBPRINT='UlU9T1HawyYHP4KCETXYYnT18gtV8BjDECbNXNbpcAc'
[Mon Jun 1 21:41:33 CEST 2020] Single domain='home.rolland.net'
[Mon Jun 1 21:41:44 CEST 2020] Getting domain auth token for each domain
[Mon Jun 1 21:41:58 CEST 2020] Getting webroot for domain='home.rolland.net'
[Mon Jun 1 21:41:58 CEST 2020] Verifying: home.rolland.net
[Mon Jun 1 21:42:09 CEST 2020] Pending
[Mon Jun 1 21:42:15 CEST 2020] home.rolland.net:Verify error:Fetching http://home.rolland.net/.well-known/acme-challenge/Tlw3ncT2p_Suz2Fju1mA4Dr3EoIeZZi6gHZuv3cTuiU: Timeout during connect (likely firewall problem)
[Mon Jun 1 21:42:16 CEST 2020] Please add '--debug' or '--log' to check more details.
[Mon Jun 1 21:42:16 CEST 2020] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
With full reload (doesn't work):
[Mon Jun 1 21:29:00 CEST 2020] 'home.rolland.net' is not a issued domain, skip.
DiskStation> ./acme.sh --renew -d home.rolland.net --webroot /var/lib/letsencrypt --certpath /usr/syno/etc/ssl/ssl.crt/server.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'
[Mon Jun 1 21:30:51 CEST 2020] Renew: 'home.rolland.net'
[Mon Jun 1 21:30:51 CEST 2020] 'home.rolland.net' is not a issued domain, skip.
The rights on the server are good (tested with 777 permissions for simplicity); my problem is that WebStation has a bug: I have to contact Synology about this problem.
Synology's WebStation is the web server (Apache) for the NAS on DSM 5.
The /acme-challenge path is missing: a test shows that my NAS has a problem replying with the acme-challenge, but no problem if I put the file in the parent directory (without the acme-challenge directory).
I created the issue with Synology last night; I'm waiting for a response.
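A pre-flight check for the webroot problem described in the last posts, added here as an example (not acme.sh or Synology code): it writes a token file under `<webroot>/.well-known/acme-challenge/`, exactly where acme.sh puts its key authorization, then fetches it over plain HTTP the way the CA's validator does, and reports whether the file came back. The local Python HTTP server in `webroot_demo()` stands in for WebStation so the check runs offline; the temporary paths and the token content are constructed for the demo. Against a real NAS you would call `check_webroot("/var/lib/letsencrypt", "http://home.rolland.net")` from a machine outside the LAN, since Let's Encrypt fetches from the public internet, not from localhost.

```python
"""
Pre-flight check for HTTP-01 in webroot mode: write a token file where
acme.sh would, then fetch it over plain HTTP the way the CA's validator does.
Added example, not acme.sh or Synology code.  The local HTTP server in
webroot_demo() stands in for WebStation so the check runs offline; paths
and the token content are constructed for the demo.
"""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def place_token(webroot: str, token: str, content: str) -> str:
    """Create <webroot>/.well-known/acme-challenge/<token> and return its path."""
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(content)
    return path


def fetch(url: str, timeout: float = 5.0):
    """GET url; return (status, body).  status is None when no connection could be
    made, the local equivalent of the validator's 'Timeout during connect'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_webroot(webroot: str, base_url: str) -> str:
    """Return 'ok', 'unreachable', 'http <code>' or 'wrong content'."""
    token = secrets.token_urlsafe(32)
    # A real key authorization is <token>.<account thumbprint>; the suffix is a stand-in.
    expected = token + ".constructed-thumbprint"
    path = place_token(webroot, token, expected)
    try:
        status, body = fetch(f"{base_url}/.well-known/acme-challenge/{token}")
    finally:
        os.remove(path)          # never leave challenge files behind
    if status is None:
        return "unreachable"
    if status != 200:
        return f"http {status}"
    if body.strip() != expected:
        return "wrong content"   # served, but not the file we wrote (rewrite, cache, other vhost)
    return "ok"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):   # silence per-request logging in the demo
        pass


def serve(directory: str):
    """Local stand-in for the web server: serve `directory` on an ephemeral port."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0),
                                             partial(_QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def webroot_demo() -> dict:
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        server, base_url = serve(docroot)
        try:
            # --webroot points at the directory the server really serves.
            results["matching_webroot"] = check_webroot(docroot, base_url)
            # --webroot points somewhere the server does not serve: token never visible.
            results["mismatched_webroot"] = check_webroot(os.path.join(docroot, "elsewhere"), base_url)
        finally:
            server.shutdown()
            server.server_close()
        # Nothing listening any more: the connect-level failure class.
        results["no_server"] = check_webroot(docroot, base_url)
    return results


if __name__ == "__main__":
    for name, verdict in webroot_demo().items():
        print(f"{name}: {verdict}")
```

Three verdicts matter in practice: "unreachable" means port 80 is not reachable from where you ran the check (firewall, NAT, or nothing listening), "http 404" means the web server does serve the host but not the directory acme.sh writes to, and "wrong content" means something (a rewrite, a cache, a different virtual host) answered instead of the file. Only "ok" from the public internet predicts a passing HTTP-01 validation.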