JWS has no anti-replay nonce #559

Closed
FlorentCoppint opened this issue May 9, 2018 · 2 comments
@FlorentCoppint FlorentCoppint commented May 9, 2018

Hi,

I use Dehydrated to deploy certificates in a private environment (local Boulder install).
I have no problem, except that today, on a server which was already configured with 1 domain in domains.txt, I added a second one.
And Dehydrated throws this error for the second domain:

```
INFO: Using main config file /etc/dehydrated/config

Processing git2.priv.company.net

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Jun 30 23:41:35 2018 GMT Certificate will not expire
    (Longer than 30 days). Skipping renew!

Processing docker.priv.company.net
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting authorization for docker.priv.company.net...
  • ERROR: An error occurred while sending post-request to https://acme-v01.api.priv.company.net/acme/new-authz (Status 400)

Details:
HTTP/2 400
boulder-requester: 1005
cache-control: public, max-age=0, no-cache
content-type: application/problem+json
replay-nonce: Sl0aksakzPWJZN2Xtocr6o5Ybh6UIz1cF1vN5KyR9F8
content-length: 100
date: Wed, 09 May 2018 15:13:53 GMT

{
"type": "urn:acme:error:badNonce",
"detail": "JWS has no anti-replay nonce",
"status": 400
}
```

Am I hitting a "bug" when the first domain does not need a renewal and the second one is new?

Tell me what information you need to debug this.

Boulder is up-to-date and functional (it signed certificates this morning), and I just upgraded dehydrated to 0.6.2 with the same error.
Thank you.

@FlorentCoppint FlorentCoppint commented May 9, 2018

The only thing that changed on that server is a Debian upgrade a few days ago, from Jessie to Stretch. Do you think that could be the problem?

@FlorentCoppint FlorentCoppint commented May 9, 2018

I think I found the issue: since Stretch, curl is using HTTP/2, as you can see in the headers.
And header names are lower case. The expected header was "Replay-Nonce:" and it is now "replay-nonce:".
Maybe just adding "-i" to all grep commands solves the problem.
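
The failure mode described in the last comment, as an added example that is not part of the original thread and is not dehydrated's own code: a case-sensitive match on `Replay-Nonce:` returns an empty nonce when header names arrive lower-case over HTTP/2, while a case-insensitive match works for both. Function names, header samples and nonce values are constructed for illustration.

```shell
# Added example: hypothetical helpers, constructed sample data.

# Constructed HTTP/1.1-style response headers (mixed-case field names).
h1_headers() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nReplay-Nonce: nonce-h1-EXAMPLE\r\n\r\n'
}

# Constructed HTTP/2-style headers as a client prints them (lower-case names).
h2_headers() {
  printf 'HTTP/2 200\r\ncontent-type: application/json\r\nreplay-nonce: nonce-h2-EXAMPLE\r\n\r\n'
}

# Case-sensitive match: finds the nonce only when the name is "Replay-Nonce".
nonce_case_sensitive() {
  grep '^Replay-Nonce:' | cut -d' ' -f2 | tr -d '\r\n'
}

# Case-insensitive match: header field names are case-insensitive in HTTP,
# and HTTP/2 always transmits them in lower case.
nonce_case_insensitive() {
  grep -i '^replay-nonce:' | cut -d':' -f2- | tr -d ' \t\r\n'
}

# Fail loudly on a missing nonce instead of signing a request without one,
# which the CA rejects with badNonce ("JWS has no anti-replay nonce").
extract_nonce() {
  nonce=$(nonce_case_insensitive)
  if [ -z "$nonce" ]; then
    echo "no Replay-Nonce header in response" >&2
    return 1
  fi
  printf '%s' "$nonce"
}

# Demonstration on the constructed samples.
printf 'case-sensitive,   HTTP/1.1: [%s]\n' "$(h1_headers | nonce_case_sensitive)"
printf 'case-sensitive,   HTTP/2:   [%s]\n' "$(h2_headers | nonce_case_sensitive)"
printf 'case-insensitive, HTTP/2:   [%s]\n' "$(h2_headers | extract_nonce)"
```

The empty result in the second line of output is the condition that leads to a JWS being sent without a nonce.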
