Wonder why acme.sh loops with wget returning 2 on nonce request


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.siimnet.dk

I ran below command and It produced this output:
[root@serv ~]# acme.sh --issue --webroot /var/www/html -d www.siimnet.dk -d serv.siimnet.dk --log acme-siimnet.log --log-level 3 --debug 2

[Sun Aug 12 15:37:44 CEST 2018] Lets find script dir.
[Sun Aug 12 15:37:44 CEST 2018] SCRIPT='/root/.acme.sh/acme.sh'
[Sun Aug 12 15:37:44 CEST 2018] _script='/root/.acme.sh/acme.sh'
[Sun Aug 12 15:37:44 CEST 2018] _script_home='/root/.acme.sh'
[Sun Aug 12 15:37:44 CEST 2018] Using config home:/root/.acme.sh
[Sun Aug 12 15:37:44 CEST 2018] LE_WORKING_DIR='/root/.acme.sh'


v2.8.0
[Sun Aug 12 15:37:44 CEST 2018] _main_domain='www.siimnet.dk'
[Sun Aug 12 15:37:44 CEST 2018] _alt_domains='serv.siimnet.dk'
[Sun Aug 12 15:37:44 CEST 2018] Using config home:/root/.acme.sh
[Sun Aug 12 15:37:44 CEST 2018] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun Aug 12 15:37:44 CEST 2018] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sun Aug 12 15:37:44 CEST 2018] DOMAIN_PATH='/root/.acme.sh/www.siimnet.dk'
[Sun Aug 12 15:37:44 CEST 2018] '/var/www/html' does not contain 'dns'
[Sun Aug 12 15:37:44 CEST 2018] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Sun Aug 12 15:37:44 CEST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sun Aug 12 15:37:44 CEST 2018] GET
[Sun Aug 12 15:37:44 CEST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
[Sun Aug 12 15:37:44 CEST 2018] timeout=
[Sun Aug 12 15:37:44 CEST 2018] _WGET='wget -q -d '
Setting --user-agent (useragent) to acme.sh/2.8.0 (https://github.com/Neilpang/acme.sh)
Setting --header (header) to
Setting --header (header) to
Setting --header (header) to
Setting --header (header) to
Setting --header (header) to
Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.12 on linux-gnu.
Caching acme-v02.api.letsencrypt.org => 23.78.50.200 2001:6c8:161:98::3a8e 2001:6c8:161:85::3a8e
Created socket 3.
Releasing 0x08b00550 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x08b0c828
certificate:
subject: /CN=acme-v02.api.letsencrypt.org
issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
X509 certificate successfully verified and matches host acme-v02.api.letsencrypt.org
---request begin---
GET /directory HTTP/1.0
User-Agent: acme.sh/2.8.0 (https://github.com/Neilpang/acme.sh)
Accept: */*
Host: acme-v02.api.letsencrypt.org
Connection: Keep-Alive
---request end---
---response begin---
HTTP/1.0 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 12 Aug 2018 13:37:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Aug 2018 13:37:44 GMT
Connection: keep-alive
---response end---
Registered socket 3 for persistent reuse.
[Sun Aug 12 15:37:45 CEST 2018] ret='0'
[Sun Aug 12 15:37:45 CEST 2018] response='{
"ewtabrh3FF4": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Sun Aug 12 15:37:45 CEST 2018] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sun Aug 12 15:37:45 CEST 2018] ACME_NEW_AUTHZ
[Sun Aug 12 15:37:45 CEST 2018] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Aug 12 15:37:45 CEST 2018] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sun Aug 12 15:37:45 CEST 2018] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sun Aug 12 15:37:45 CEST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sun Aug 12 15:37:45 CEST 2018] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Aug 12 15:37:45 CEST 2018] ACME_VERSION='2'
[Sun Aug 12 15:37:45 CEST 2018] _on_before_issue
[Sun Aug 12 15:37:45 CEST 2018] _chk_main_domain='www.siimnet.dk'
[Sun Aug 12 15:37:45 CEST 2018] _chk_alt_domains='serv.siimnet.dk'
[Sun Aug 12 15:37:45 CEST 2018] '/var/www/html' does not contain 'no'
[Sun Aug 12 15:37:45 CEST 2018] Le_LocalAddress
[Sun Aug 12 15:37:45 CEST 2018] d='www.siimnet.dk'
[Sun Aug 12 15:37:45 CEST 2018] Check for domain='www.siimnet.dk'
[Sun Aug 12 15:37:45 CEST 2018] _currentRoot='/var/www/html'
[Sun Aug 12 15:37:46 CEST 2018] d='serv.siimnet.dk'
[Sun Aug 12 15:37:46 CEST 2018] Check for domain='serv.siimnet.dk'
[Sun Aug 12 15:37:46 CEST 2018] _currentRoot='/var/www/html'
[Sun Aug 12 15:37:46 CEST 2018] d
[Sun Aug 12 15:37:46 CEST 2018] '/var/www/html' does not contain 'apache'
[Sun Aug 12 15:37:46 CEST 2018] _saved_account_key_hash='mvJ2HXdjrcEi0+3ODGqUTE3AOW0urM1nHv5uh87/PHM='
[Sun Aug 12 15:37:46 CEST 2018] _saved_account_key_hash is not changed, skip register account.
[Sun Aug 12 15:37:46 CEST 2018] Read key length:
[Sun Aug 12 15:37:46 CEST 2018] Creating domain key
[Sun Aug 12 15:37:46 CEST 2018] Use DEFAULT_DOMAIN_KEY_LENGTH=2048
[Sun Aug 12 15:37:46 CEST 2018] Using config home:/root/.acme.sh
[Sun Aug 12 15:37:46 CEST 2018] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun Aug 12 15:37:46 CEST 2018] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sun Aug 12 15:37:46 CEST 2018] _createkey for file:/root/.acme.sh/www.siimnet.dk/www.siimnet.dk.key
[Sun Aug 12 15:37:46 CEST 2018] Use length 2048
[Sun Aug 12 15:37:46 CEST 2018] Using RSA: 2048
[Sun Aug 12 15:37:46 CEST 2018] The domain key is here: /root/.acme.sh/www.siimnet.dk/www.siimnet.dk.key
[Sun Aug 12 15:37:46 CEST 2018] _createcsr
[Sun Aug 12 15:37:46 CEST 2018] domain='www.siimnet.dk'
[Sun Aug 12 15:37:46 CEST 2018] domainlist='serv.siimnet.dk'
[Sun Aug 12 15:37:47 CEST 2018] csrkey='/root/.acme.sh/www.siimnet.dk/www.siimnet.dk.key'
[Sun Aug 12 15:37:47 CEST 2018] csr='/root/.acme.sh/www.siimnet.dk/www.siimnet.dk.csr'
[Sun Aug 12 15:37:47 CEST 2018] csrconf='/root/.acme.sh/www.siimnet.dk/www.siimnet.dk.csr.conf'
[Sun Aug 12 15:37:47 CEST 2018] _is_idn_d='serv.siimnet.dk'
[Sun Aug 12 15:37:47 CEST 2018] _idn_temp
[Sun Aug 12 15:37:47 CEST 2018] domainlist='serv.siimnet.dk'
[Sun Aug 12 15:37:47 CEST 2018] Multi domain='DNS:www.siimnet.dk,DNS:serv.siimnet.dk'
[Sun Aug 12 15:37:47 CEST 2018] _is_idn_d='www.siimnet.dk'
[Sun Aug 12 15:37:47 CEST 2018] _idn_temp
[Sun Aug 12 15:37:47 CEST 2018] _csr_cn='www.siimnet.dk'
[Sun Aug 12 15:37:47 CEST 2018] Getting domain auth token for each domain
[Sun Aug 12 15:37:47 CEST 2018] d='serv.siimnet.dk'
[Sun Aug 12 15:37:47 CEST 2018] d
[Sun Aug 12 15:37:47 CEST 2018] _identifiers='{"type":"dns","value":"www.siimnet.dk"},{"type":"dns","value":"serv.siimnet.dk"}'
[Sun Aug 12 15:37:47 CEST 2018] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Aug 12 15:37:47 CEST 2018] payload='{"identifiers": [{"type":"dns","value":"www.siimnet.dk"},{"type":"dns","value":"serv.siimnet.dk"}]}'
[Sun Aug 12 15:37:47 CEST 2018] RSA key
[Sun Aug 12 15:37:47 CEST 2018] Get nonce. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Aug 12 15:37:47 CEST 2018] HEAD
[Sun Aug 12 15:37:47 CEST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Aug 12 15:37:47 CEST 2018] body
[Sun Aug 12 15:37:47 CEST 2018] _postContentType='application/jose+json'
[Sun Aug 12 15:37:47 CEST 2018] _WGET='wget -q -d '
[Sun Aug 12 15:37:47 CEST 2018] Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: 2
[Sun Aug 12 15:37:47 CEST 2018] options='s/^ *//g'
[Sun Aug 12 15:37:47 CEST 2018] Using sed -i
[Sun Aug 12 15:37:47 CEST 2018] _ret='2'
Usage: wget [OPTION]... [URL]...
Try 'wget --help' for more options.
[Sun Aug 12 15:37:47 CEST 2018] Get nonce. ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun Aug 12 15:37:47 CEST 2018] GET
[Sun Aug 12 15:37:47 CEST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
[Sun Aug 12 15:37:47 CEST 2018] timeout=
[Sun Aug 12 15:37:47 CEST 2018] Http already initialized.
[Sun Aug 12 15:37:47 CEST 2018] _WGET='wget -q -d '
[Sun Aug 12 15:37:47 CEST 2018] ret='0'
[Sun Aug 12 15:37:47 CEST 2018] _headers='Setting --user-agent (useragent) to acme.sh/2.8.0 (https://github.com/Neilpang/acme.sh)
Setting --header (header) to
Setting --header (header) to
Setting --header (header) to
Setting --header (header) to
Setting --header (header) to
Setting --server-response (serverresponse) to 1
Setting --output-document (outputdocument) to /dev/null
DEBUG output created by Wget 1.12 on linux-gnu.
Caching acme-v02.api.letsencrypt.org => 23.78.50.200 2001:6c8:161:85::3a8e 2001:6c8:161:98::3a8e
Created socket 4.
Releasing 0x092e16d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 4 to SSL handle 0x092ed9b0
certificate:
subject: /CN=acme-v02.api.letsencrypt.org
issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
X509 certificate successfully verified and matches host acme-v02.api.letsencrypt.org
---request begin---
GET /directory HTTP/1.0
User-Agent: acme.sh/2.8.0 (https://github.com/Neilpang/acme.sh)
Accept: */*
Host: acme-v02.api.letsencrypt.org
Connection: Keep-Alive
---request end---
---response begin---
HTTP/1.0 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 12 Aug 2018 13:37:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Aug 2018 13:37:47 GMT
Connection: keep-alive
---response end---
HTTP/1.0 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 12 Aug 2018 13:37:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Aug 2018 13:37:47 GMT
Connection: keep-alive
Registered socket 4 for persistent reuse.'
[Sun Aug 12 15:37:47 CEST 2018] _CACHED_NONCE
[Sun Aug 12 15:37:47 CEST 2018] nonce
[Sun Aug 12 15:37:47 CEST 2018] Could not get nonce, let's try again.
[Sun Aug 12 15:37:50 CEST 2018] Get nonce. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Aug 12 15:37:50 CEST 2018] HEAD
[Sun Aug 12 15:37:50 CEST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Aug 12 15:37:50 CEST 2018] body
[Sun Aug 12 15:37:50 CEST 2018] _postContentType='application/jose+json'
[Sun Aug 12 15:37:50 CEST 2018] Http already initialized.
[Sun Aug 12 15:37:51 CEST 2018] _WGET='wget -q -d '
[Sun Aug 12 15:37:51 CEST 2018] Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: 2
[Sun Aug 12 15:37:51 CEST 2018] options='s/^ *//g'
[Sun Aug 12 15:37:51 CEST 2018] Using sed -i
[Sun Aug 12 15:37:51 CEST 2018] _ret='2'
Usage: wget [OPTION]... [URL]...

My web server is (include version): apache 2.2

The operating system my web server runs on is (include version): Linux 3.6.11-4.fc16.i686.PAE

My hosting provider, if applicable, is: private server

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @stefws

I don't use acme.sh. But I am curious about using the POST method and the _postContentType='application/jose+json' to get a new nonce.

A GET to the URL

https://acme-v02.api.letsencrypt.org/acme/new-nonce

works. The HTTP status is 204 No Content; the nonce is sent as a Replay-Nonce header.

Do you use the current version of acme.sh?

has

acme.sh - add more retry for badnonce error


#3

@JuergenAuer

I'm using acme.sh version 2.8.0, which is the latest, I assume…
The POST method is set by acme.sh and ought to work, I assume…


#4

Curious. My own client (not published) uses only a simple GET, that works.

A return status 2:

Parse error — for instance, when parsing command-line options, the .wgetrc or .netrc…

But perhaps @Neilpang may help.


#5

POSTing to that URL does give you a nonce, but it also gives you an error status code:

$ curl -v -X POST https://acme-v02.api.letsencrypt.org/acme/new-nonce
*   Trying 104.109.188.80...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (104.109.188.80) port 443 (#0)
[ snip TLS negotiation ]
*  SSL certificate verify ok.
> POST /acme/new-nonce HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Server: nginx
< Content-Type: application/problem+json
< Content-Length: 103
< Allow: GET, HEAD
< Replay-Nonce: -fA6ltj7PjpPH2H-S6xk2bMnacB94tK_r7dIFYLuGSA
< Expires: Sun, 12 Aug 2018 20:55:10 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Sun, 12 Aug 2018 20:55:10 GMT
< Connection: close
<
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
* Curl_http_done: called premature == 0
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

I’m not sure whether something on Let’s Encrypt’s end changed recently or something in acme.sh changed such that it is more strict about the status code here. At any rate, @neilpang should fix this. :slight_smile:


#6

POSTing to that URL does give you a nonce, but it also gives you an error status code

Based on the ACME protocol, the new-nonce URL only accepts the HEAD method to provide a nonce, not the POST method.


#7

[Sun Aug 12 15:37:47 CEST 2018] Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: 2

Your wget returns error code 2. Why not open the error code page?

https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html

2: Parse error — for instance, when parsing command-line options, the '.wgetrc' or '.netrc'...
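The two checks the thread converges on, as an added example (not acme.sh's own code): mapping a wget exit status to the meaning the GNU manual gives it, and pulling the Replay-Nonce out of a wget --server-response or curl -v style header dump while only trusting it on a 200/204 status (the 405 shown in the curl output above also carries a nonce but signals the wrong method). The sample header dumps are constructed.

```shell
#!/bin/sh
# Added example, not part of acme.sh. POSIX sh + awk only.

# Exit-status meanings as listed in the GNU wget manual (Exit-Status node).
wget_status_meaning() {
  case "$1" in
    0) echo "no problems" ;;
    1) echo "generic error code" ;;
    2) echo "parse error (command-line options, .wgetrc or .netrc)" ;;
    3) echo "file I/O error" ;;
    4) echo "network failure" ;;
    5) echo "SSL verification failure" ;;
    6) echo "username/password authentication failure" ;;
    7) echo "protocol error" ;;
    8) echo "server issued an error response" ;;
    *) echo "unknown exit status $1" ;;
  esac
}

# Read a header dump on stdin (wget --server-response indents lines with
# spaces, curl -v prefixes them with "< "), print the Replay-Nonce value and
# return 0 only if the final status line is 200 or 204; otherwise return 1.
replay_nonce_from_headers() {
  awk '
    /^ *(< )?HTTP\/[0-9.]+ [0-9][0-9][0-9]/ {
      s = $0; sub(/^ *(< )?HTTP\/[0-9.]+ +/, "", s); status = substr(s, 1, 3)
    }
    tolower($0) ~ /replay-nonce:/ {
      n = $0; sub(/^[^:]*: */, "", n); sub(/\r$/, "", n); nonce = n
    }
    END {
      if (status == "200" || status == "204") { print nonce; exit 0 }
      print "no usable nonce: HTTP status " status > "/dev/stderr"; exit 1
    }'
}

# Constructed sample dumps: a HEAD that succeeds, and a POST answered with 405.
SAMPLE_204="  HTTP/1.1 204 No Content
  Replay-Nonce: Qz1a-constructed-nonce
  Cache-Control: max-age=0, no-cache, no-store"
SAMPLE_405="< HTTP/1.1 405 Method Not Allowed
< Allow: GET, HEAD
< Replay-Nonce: constructed-nonce-on-405"

if [ "${1:-}" = "demo" ]; then
  echo "wget exit 2 means: $(wget_status_meaning 2)"
  printf '%s\n' "$SAMPLE_204" | replay_nonce_from_headers
  printf '%s\n' "$SAMPLE_405" | replay_nonce_from_headers || echo "rejected 405"
fi
```

Run with `sh script.sh demo`; to apply it to a live host, pipe the output of `wget -q -S -O /dev/null --method=HEAD URL 2>&1` (or `curl -sI URL`) into replay_nonce_from_headers, provided the local wget accepts those options.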

#8

Ah, the variables being called _post_url and _postContentType is what threw us off. I see now it really does do a HEAD request. Thanks for tracking down the real issue!


#9

@Neilpang sorry, I've also read the return code page, only it doesn't clue me in as to what to change to make it work, as the wget options are chosen by acme.sh. So please, what do I need to do differently to issue a certificate?


#10

@Patches or anyone else - What would the real issue be if acme.sh really uses a HEAD request?


#11

Do you have a .wgetrc or .netrc file in your home directory? (Please note that you will need to show hidden files in your file manager or SFTP client or use ls -a to see these hidden files.)

Does wget work normally? e.g.

wget -O - https://acme-v02.api.letsencrypt.org/directory

#12

ls -la $HOME/.*etrc

ls: cannot access /root/.*etrc: No such file or directory

wget -qO - https://acme-v02.api.letsencrypt.org/directory

{
"TxFQGfvxvOQ": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"


#13

@Patches or anyone else any other hints to resolve this would be greatly appreciated!


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.