dehydrated: JWS has invalid anti-replay nonce
I’m getting this error with increasing frequency. The response looks something like:
{"type":"urn:acme:error:badNonce","detail":"JWS has invalid anti-replay nonce **NONCE**","status":400}
The only “fix” appears to be re-running dehydrated, sometimes several times, until it succeeds.
In https://github.com/diafygi/gethttpsforfree/issues/150#issuecomment-380361381 they suggest that “nonce timeouts are becoming more common”. I assume that’s what I’m seeing here too?
About this issue
- State: closed
- Created 6 years ago
- Reactions: 1
- Comments: 40 (8 by maintainers)
FWIW, I encountered “JWS has no anti-replay nonce” today. Eventually stumbled upon this thread, and solved the issue on my machine by adding CURL_OPTS="--http1.1" to my dehydrated config file.
Just to chime in, as I encountered this issue on a completely unrelated system and Googling brought me here.
This issue is essentially caused by LE being unable to get the ACME challenge from the specified domain name. It’s clearly not as simple as DNS not being set up correctly, as it’s more nuanced than this.
A lot of the people in this thread have found out that when you have multiple IP addresses, they don’t always route to the same endpoint. Likewise if you’re on a shared IP of any kind, there’s no way to guarantee that you’ll get the right host either. This is why a lot of people setting IP_VERSION=6 or IP_VERSION=4 “fixes” the issue, it’s simply removing the “other” IP Addresses. Essentially, it boils down to your local configuration/network/setup and that’s why there’s no single thing that will “fix” it.
In my case, IP addresses weren’t the issue but rather a redirect was redirecting .well-known incorrectly, causing it to return a 200 with content, just not the content of the ACME challenge - hence “bad nonce”. Had it returned a 404, you’d have got the much more useful error that contains the link to the renewal failure report.
I was able to figure this out by simply trying to navigate to <my-site>.com/.well-known/acme-challenge/<nonce> - it should return the nonce directly and not anything else.
To sum up, if you’re getting this error:
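The check described in the comment above, carried across every address the hostname resolves to, as an added example (my own script, not code from dehydrated or from anyone in this thread): it fetches the challenge path from each A/AAAA record individually with curl --resolve, deliberately does not follow redirects, and distinguishes the outcomes the comment describes: the correct content, a 200 with the wrong content, a redirect, and a 404. The file at that path is the key authorization (the token, a dot, and the account key thumbprint), which is what the expected value should hold. It assumes a glibc-style `getent ahosts` for resolution, plain HTTP on port 80 (where HTTP-01 validation starts), and a token and key authorization passed on the command line; both of those are hypothetical values you substitute from your own pending challenge.

```shell
#!/bin/sh
# Added diagnostic script (not part of dehydrated or this thread).
# Fetches /.well-known/acme-challenge/<token> from every IP the host
# resolves to and reports whether each one serves the expected content.

# Classify one fetch. Kept free of network calls so it can be tested offline.
#   $1 = HTTP status, $2 = response body, $3 = expected key authorization
# Prints one of: ok, wrong-content, redirect, not-found, other
classify_response() {
    status=$1; body=$2; expected=$3
    case "$status" in
        200)
            if [ "$body" = "$expected" ]; then echo ok; else echo wrong-content; fi ;;
        301|302|303|307|308) echo redirect ;;
        404) echo not-found ;;
        *) echo other ;;
    esac
}

# Fetch the challenge path from one specific address via --resolve, so each
# A/AAAA record is exercised on its own. No -L: a redirect must surface as 3xx.
#   $1 = host, $2 = ip, $3 = token, $4 = file to receive the body
# Prints the HTTP status (000 on connection failure).
fetch_on_ip() {
    host=$1; ip=$2; token=$3; out=$4
    case "$ip" in *:*) addr="[$ip]" ;; *) addr="$ip" ;; esac   # bracket IPv6
    status=$(curl -sS -o "$out" -w '%{http_code}' --max-time 10 \
        --resolve "$host:80:$addr" \
        "http://$host/.well-known/acme-challenge/$token" 2>/dev/null) || status=000
    echo "$status"
}

# Resolve all addresses (assumption: glibc getent is available) and check each.
#   $1 = host, $2 = token, $3 = expected key authorization
check_all_ips() {
    host=$1; token=$2; expected=$3
    tmp=$(mktemp)
    for ip in $(getent ahosts "$host" | awk '{print $1}' | sort -u); do
        : > "$tmp"
        status=$(fetch_on_ip "$host" "$ip" "$token" "$tmp")
        body=$(cat "$tmp")          # trailing newline stripped by $(...)
        printf '%s %s\n' "$ip" "$(classify_response "$status" "$body" "$expected")"
    done
    rm -f "$tmp"
}

# Usage: ./check-challenge.sh example.com <token> <token>.<thumbprint>
if [ "$#" -eq 3 ]; then
    check_all_ips "$1" "$2" "$3"
fi
```

Any address that reports wrong-content or redirect is a host that answers for the name but is not serving dehydrated's challenge directory, which is the situation the comment above describes; restricting IP_VERSION only hides such a record, the fix is to make every address serve the same path.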
I had this issue today on a certificate with 6 alternative names: it was failing randomly on one of them.
After talking about it on irc with @lukas2511 and reading this thread, setting IP_VERSION=6 did indeed fix the issue for me. The server in question has 2 IPv4 addresses and 1 IPv6 address, but never had the issue before.
Checking with curl https://my-ipv4.kurz.pw, I always see the same IPv4 address, so I don’t think it flickers.
I’ll try to test that by creating a certificate with a lot of alternative names and run tcpdump to capture the result and see what exactly is going on.
I was having this same problem today and found that setting IP_VERSION=4 fixed the issue. My laptop has an IPv4 and IPv6 address.