Frequent "badNonce" errors #627
Comments
More debugging output:
I think checking for
Retrying on Under the load Let's Encrypt experiences these days a nonce given to a client can end up rotated out/expired by the time the client tries to use it again if enough time has passed (e.g. because of waiting for secondary nameservers to synchronize, etc). It should be treated as a non-fatal error because it's easy to get a fresh nonce :-)
Yes: this is what I meant.
As an optimisation, would it make sense to simply not try the For testing, I tried forcibly setting
I'd be wary of this since deciding on a value that works reliably might be tricky and could change over time.
Hi, @cpu Thanks.
@cpu Does the
@ppaeps
@ppaeps
export BRANCH=nonce
acme.sh --upgrade
Then you can issue cert, please make sure you see the error message.
Thanks @Neilpang! The
@ppaeps
Yes I did. But I am seeing them less frequently today than yesterday, so perhaps the servers have become less busy. The requests succeeded after the first retries.
@ppaeps Cool. I'm going to merge now. Thanks.
Hi @Neilpang,
There isn't - the Boulder nonce implementation has a fixed size bucket of nonces. As new nonces are required the old ones will fall out and expire but the timing is based on the overall schedule of nonce requests and isn't a fixed timeout.
The Hope that helps clear things up,
Hi @cpu Thank you. I understand now. We have added the retry logic. It seems to be working now. Thanks.
Great! Glad to hear it. Thanks @Neilpang
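The behaviour discussed in this thread, as an added simulation that is not code from acme.sh or Boulder: a server-side nonce pool of fixed capacity, and a client that treats badNonce as non-fatal by fetching a fresh nonce and resending. The pool capacity, the nonce format and every function name here are assumptions made for illustration.

```shell
# Constructed simulation; POOL_CAP and all function names are assumptions.
POOL_CAP=4   # assumed capacity, kept tiny so rotation is easy to see
POOL=""      # valid nonces, oldest first, space-separated
COUNTER=0

# Server: issue a nonce; once the pool is full, the oldest one falls out.
new_nonce() {
  COUNTER=$((COUNTER + 1))
  LAST_NONCE="n$COUNTER"
  set -- $POOL "$LAST_NONCE"
  while [ $# -gt "$POOL_CAP" ]; do shift; done
  POOL="$*"
}

# Server: accept a nonce only if it is still pooled, then consume it.
redeem() {
  case " $POOL " in *" $1 "*) ;; *) return 1 ;; esac   # 1 = badNonce
  rest=""
  for n in $POOL; do [ "$n" = "$1" ] || rest="$rest $n"; done
  POOL="${rest# }"
}

# Nonce requests made by other clients while ours is waiting.
other_traffic() {
  i=0
  while [ "$i" -lt "$1" ]; do new_nonce; i=$((i + 1)); done
}

# Client: $1 = nonce held, $2 = max retries. badNonce is non-fatal:
# fetch a fresh nonce and resend. Sets ATTEMPTS; returns 1 if retries run out.
signed_post() {
  nonce=$1; max=$2; ATTEMPTS=0
  while [ "$ATTEMPTS" -le "$max" ]; do
    ATTEMPTS=$((ATTEMPTS + 1))
    if redeem "$nonce"; then return 0; fi
    new_nonce; nonce=$LAST_NONCE
  done
  return 1
}

# Scenario: get a nonce, wait (e.g. --dnssleep) while the pool rotates, then post.
demo() {
  POOL=""; COUNTER=0
  new_nonce; held=$LAST_NONCE
  other_traffic 10
  signed_post "$held" 3
}

demo && echo "succeeded after $ATTEMPTS attempt(s)"
```

The retry count is bounded so that a request failing for some reason other than rotation still surfaces as an error instead of looping.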
Similar issues seem to have been reported in other ACME clients and the suggestion appears to be "just retry a couple of times when you get a badNonce". Maybe acme.sh should just retry a few times too?
Steps to reproduce
acme.sh --issue -d example.com --dns dns_custom --dnssleep 600
I have verified that my dns_custom script correctly adds and removes the correct records from the DNS and that I can query the added records from the internet.
Debug log