Unacceptable anti-replay nonce


#1

Hi :slight_smile:

I am having trouble renewing multiple certificates on my server. Some of them expire in a couple of days.

I have tried the renewal about 10 times the last week, with the same result:

Error: urn:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce

Also, the renewal process is very slow. It takes as much as an hour from the start until the renewal fails for a single domain.

Ubuntu 16.04, Apache.

Any help appreciated :slight_smile:


#2

Hi @audun, the slowness of the renewal process is probably the root cause of this because the CA will require the certificate issuance to complete within a certain period of time.

What Let’s Encrypt client software are you using? What command do you use to ask it to renew?

What authentication method (challenge type) are you using to prove control of the names?

What kind of Internet connection do you have for your hosting?

Is there any kind of firewall that tries to inspect incoming connections to your server? Is it behind any kind of proxy or CDN?

How many Let’s Encrypt certificates do you have overall?
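The badNonce error in post #1 comes from the ACME anti-replay rule: every signed request must carry a single-use nonce recently issued by the CA, the CA answers a stale or reused one with badNonce plus a fresh Replay-Nonce, and a client is expected to retry with that fresh value rather than give up. The model below is an added illustration, not code from this thread or from certbot; the server, its 60-second nonce lifetime and the controllable clock are constructed for the example.

```python
import secrets

BAD_NONCE = "urn:acme:error:badNonce"  # the error type from the log in this thread


class FakeAcmeServer:
    """Constructed stand-in for the CA. Nonces are single-use and expire after
    nonce_ttl seconds on the supplied clock (a plain callable, so a test can
    advance time without sleeping)."""

    def __init__(self, nonce_ttl, clock):
        self.nonce_ttl = nonce_ttl
        self.clock = clock
        self.issued = {}  # nonce -> time it was handed out

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self.issued[nonce] = self.clock()
        return nonce

    def post(self, jws):
        """Return (status, body, replay_nonce). A nonce that was never issued,
        was already consumed, or is older than nonce_ttl is rejected."""
        issued_at = self.issued.pop(jws["nonce"], None)  # consumed either way
        fresh = self.new_nonce()  # every response carries a Replay-Nonce header
        if issued_at is None or self.clock() - issued_at > self.nonce_ttl:
            body = {"type": BAD_NONCE, "detail": "JWS has invalid anti-replay nonce"}
            return 400, body, fresh
        return 200, {"status": "ok"}, fresh


def post_with_nonce_retry(server, payload, nonce, max_retries=3):
    """Client side: send the JWS; on badNonce, drop the old nonce, take the
    fresh one from the response and resend immediately. Returns
    (status, attempts, nonce_to_use_next). The JWS signature is omitted from
    this model; only the nonce handling is being shown."""
    attempts = 0
    while True:
        attempts += 1
        status, body, nonce = server.post({"nonce": nonce, "payload": payload})
        retryable = status == 400 and body.get("type") == BAD_NONCE
        if not retryable or attempts > max_retries:
            return status, attempts, nonce
```

If the client itself stays slower than the nonce lifetime on every attempt, the retried nonce is stale again by the time it is sent, so the retry only helps when the delay was in an earlier step (for example waiting on validation) rather than in the request itself.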


#3

Also, there is an ongoing service problem related to validation which may be the deeper root cause of the slowness. Could you try again once the server team has cleared up the problem on the CA side? You can check the reported status of the fix at

https://letsencrypt.status.io/


#4

Hi @schoen :slight_smile:

I am using the letsencrypt-packages that apt provides (letsencrypt and python-letsencrypt-apache). I am using “letsencrypt -v renew”.

Log says this: 2017-03-23 22:21:37,184:INFO:letsencrypt.auth_handler:tls-sni-01 challenge for foo.bar

I don’t know, but it is hosted at a Norwegian hosting partner with multiple fiber-optics, so speed has never been an issue.

I don’t really know, but I don’t think so. I have actually never renewed these certificates after they were generated. No problems then.

3 on this server.

Just ran a renewal, with the same errors for all domains:

Thanks :slight_smile:


#5

Two more questions!

What version of Certbot and how did you install it?

Is the anti-replay nonce really “foooobar”, or did you redact it from your log file here?


#6

Do you mean what version of the letsencrypt-package?

Version: 0.4.1-1
Depends: dialog, python-letsencrypt (= 0.4.1-1), python:any (>= 2.7~)

This is just a wrapper for the certbot I guess?

Yes I removed it from the log.


#7

@bmw, any possible client issue here? (I don’t see an obvious reason, even though it’s an old client version)

@jsha @cpu, maybe worth opening an Akamai ticket to check on possible extreme API slowness? Can we suggest a curl command to verify the behavior of the API endpoint?

@audun, letsencrypt is the old name for certbot. However, OS packages don’t move as quickly as we do. :slight_smile: There is a way you can get much more recent versions, bypassing your OS package manager (see https://certbot.eff.org/ on the certbot-auto script), if you want to try that, which might be interesting, but I don’t see a reason why the old software version would cause this particular behavior.


#8

Well, that did the trick. No more errors, and the renewal took a couple of minutes.

So the problem must be with the old version of certbot in the Ubuntu apt-repo.
I didn’t even know there was a PPA for certbot - going to upgrade on my other servers as well now :slight_smile:

Thank you! :slight_smile:


#9

I’m super-happy that it worked for you, though I’m still puzzled why updating fixed the problem, since I don’t think any previous bug that I’m aware of had this exact symptom!

