
JWS has invalid anti-replay nonce #339

Closed
jfisbein opened this issue Jan 9, 2017 · 14 comments · Fixed by #354

Comments

@jfisbein

jfisbein commented Jan 9, 2017

I tried to use the docker version of lego to create my certificates.

I executed this command:
(altered gandi key and changed domain for privacy)

docker run --name lego -v /root/lego:/.lego --env "GANDI_API_KEY=xxxxxxxxxxxxxxxx" xenolf/lego --domains joan.mydomain.com --domains git.mydomain.com --domains joan-dyn.mydomain.com \
--email joan@mydomain.com --accept-tos --dns gandi --dns-resolvers a.dns.gandi.net run

And after the DNS validation I get the error:
acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce

You can see the full log here:

2017/01/09 16:04:04 No key found for account joan@mydomain.com. Generating a curve P384 EC key.
2017/01/09 16:04:04 Saved key to /.lego/accounts/acme-v01.api.letsencrypt.org/joan@mydomain.com/keys/joan@mydomain.com.key
2017/01/09 16:04:05 [INFO] acme: Registering account for joan@mydomain.com
2017/01/09 16:04:05 !!!! HEADS UP !!!!
2017/01/09 16:04:05 
		Your account credentials have been saved in your Let's Encrypt
		configuration directory at "/.lego/accounts/acme-v01.api.letsencrypt.org/joan@mydomain.com".
		You should make a secure backup	of this folder now. This
		configuration directory will also contain certificates and
		private keys obtained from Let's Encrypt so making regular
		backups of this folder is ideal.
2017/01/09 16:04:06 [INFO][joan.mydomain.com, git.mydomain.com, joan-dyn.mydomain.com] acme: Obtaining bundled SAN certificate
2017/01/09 16:04:06 [INFO][joan.mydomain.com] acme: Could not find solver for: http-01
2017/01/09 16:04:06 [INFO][joan.mydomain.com] acme: Trying to solve DNS-01
2017/01/09 16:04:09 [INFO][joan.mydomain.com] Checking DNS record propagation using [a.dns.gandi.net:53]
2017/01/09 16:33:21 [INFO][git.mydomain.com] acme: Could not find solver for: tls-sni-01
2017/01/09 16:33:21 [INFO][git.mydomain.com] acme: Trying to solve DNS-01
2017/01/09 16:33:24 [INFO][git.mydomain.com] Checking DNS record propagation using [a.dns.gandi.net:53]
2017/01/09 16:52:31 [INFO][joan-dyn.mydomain.com] acme: Trying to solve DNS-01
2017/01/09 16:52:33 [INFO][joan-dyn.mydomain.com] Checking DNS record propagation using [a.dns.gandi.net:53]
2017/01/09 17:12:43 [joan.mydomain.com] Could not obtain certificates
	acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce Q45ZF6Kli9e0N1LV2ixN9LXOJviiqx7x9We2xcWHV7I
2017/01/09 17:12:43 [git.mydomain.com] Could not obtain certificates
	acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce KdxphctucBc_y701CUjLwcalb_Go_WvcTZZj7tretw0
2017/01/09 17:12:43 [joan-dyn.mydomain.com] Could not obtain certificates
	acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce Z2b8Dw-khDYRUiTST_hyGENQVvH7W3Qcih6ZQ304jog

When I run the same command against the Let's Encrypt staging server (adding --server=https://acme-staging.api.letsencrypt.org/directory) I don't get this error and the certificates are generated flawlessly.

Am I doing something wrong?
What can I do to make it work?

Thanks!

@systrace66

systrace66 commented Jan 10, 2017

Same issue here with FreeBSD 10.3 (built with go get -u github.com/xenolf/lego) with the same command:

/usr/local/lego/lego --email="XXXX@XXXXXX" --domains="XXXXXXX" --dns="gandi" --dns-resolvers a.dns.gandi.net:53 run

I get the same error:

acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce

Gandi's API is working fine: the correct TXT record entry is recorded.

Running without problems against the staging server.

Regards

@mholt
Contributor

mholt commented Jan 15, 2017

This usually happens when you attempt to use an account from one ACME CA on another ACME CA. For example, if you use a staging endpoint account on the production endpoint (or vice-versa), you will get this error.

So, make sure you are using the proper account. If it does not work after you confirm that you are using the right account for the endpoint, then feel free to re-open!

@mholt mholt closed this as completed Jan 15, 2017
@jfisbein
Author

@mholt I just retried deleting the accounts folder and I get the same error.
These are my steps:

Renaming the lego folder to force the creation of a new account:

# ls
lego

# mv lego lego.bak

# ls
lego.bak

Running lego in a docker container:

docker run --name lego -v /root/lego:/.lego --env "GANDI_API_KEY=xxxxxxxxxxxxxxxxxxxxx" \
xenolf/lego \
--domains joan.mydomain.com --domains git.mydomain.com --domains joan-dyn.mydomain.com \
--email joan@mydomain.com \
--accept-tos \
--dns gandi \
--dns-resolvers a.dns.gandi.net \
--pem \
run

Log:

2017/01/15 08:04:09 No key found for account joan@mydomain.com. Generating a curve P384 EC key.
2017/01/15 08:04:09 Saved key to /.lego/accounts/acme-v01.api.letsencrypt.org/joan@mydomain.com/keys/joan@mydomain.com.key
2017/01/15 08:04:09 [INFO] acme: Registering account for joan@mydomain.com
2017/01/15 08:04:10 !!!! HEADS UP !!!!
2017/01/15 08:04:10 
		Your account credentials have been saved in your Let's Encrypt
		configuration directory at "/.lego/accounts/acme-v01.api.letsencrypt.org/joan@mydomain.com".
		You should make a secure backup	of this folder now. This
		configuration directory will also contain certificates and
		private keys obtained from Let's Encrypt so making regular
		backups of this folder is ideal.
2017/01/15 08:04:10 [INFO][joan.mydomain.com, git.mydomain.com, joan-dyn.mydomain.com] acme: Obtaining bundled SAN certificate
2017/01/15 08:04:11 [INFO][joan.mydomain.com] acme: Could not find solver for: http-01
2017/01/15 08:04:11 [INFO][joan.mydomain.com] acme: Trying to solve DNS-01
2017/01/15 08:04:13 [INFO][joan.mydomain.com] Checking DNS record propagation using [a.dns.gandi.net:53]

2017/01/15 08:32:24 [INFO][git.mydomain.com] acme: Could not find solver for: http-01
2017/01/15 08:32:24 [INFO][git.mydomain.com] acme: Trying to solve DNS-01
2017/01/15 08:32:26 [INFO][git.mydomain.com] Checking DNS record propagation using [a.dns.gandi.net:53]

2017/01/15 08:52:44 [INFO][joan-dyn.mydomain.com] acme: Could not find solver for: tls-sni-01
2017/01/15 08:52:44 [INFO][joan-dyn.mydomain.com] acme: Could not find solver for: http-01
2017/01/15 08:52:44 [INFO][joan-dyn.mydomain.com] acme: Trying to solve DNS-01
2017/01/15 08:52:47 [INFO][joan-dyn.mydomain.com] Checking DNS record propagation using [a.dns.gandi.net:53]

2017/01/15 09:12:55 [joan.mydomain.com] Could not obtain certificates
	acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce 1YZVnCKX3YalPyxpxwN-5yK2BZgqthgv4-H-nZKMei8
2017/01/15 09:12:55 [git.mydomain.com] Could not obtain certificates
	acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce 3pnteaBvJuEK1VqwO5DnPQ9RX8Ae0jZsrIClWHJKW78
2017/01/15 09:12:55 [joan-dyn.mydomain.com] Could not obtain certificates
	acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce ui5F5bX4Li7AlzpPx8oWMa_BUdSq5K3YD9lApEvVbBs

Final lego folder content:

find lego
lego
lego/accounts
lego/accounts/acme-v01.api.letsencrypt.org
lego/accounts/acme-v01.api.letsencrypt.org/joan@mydomain.com
lego/accounts/acme-v01.api.letsencrypt.org/joan@mydomain.com/keys
lego/accounts/acme-v01.api.letsencrypt.org/joan@mydomain.com/keys/joan@mydomain.com.key
lego/accounts/acme-v01.api.letsencrypt.org/joan@mydomain.com/account.json

Everything looks like the production Let's Encrypt environment, no trace of the staging environment.

Surely I'm doing something wrong, but I'm not able to find what.

@jfisbein
Author

Can someone with the right privileges please re-open the issue?
@mholt

@systrace66

Same issue here:

I'm hitting the same problem with OpenBSD 6.0 for 2 different domains (without hitting the rate limit from Let's Encrypt).

Regards

@xenolf xenolf reopened this Jan 15, 2017
@xenolf
Member

xenolf commented Jan 15, 2017

I am getting reports of this issue from multiple people at this point. But I really can't point my finger at anything which would cause this. We are not re-using nonces, we are getting them fresh on every invocation of lego and we are not persisting them anywhere...

@jfisbein
Author

jfisbein commented Jan 15, 2017 via email

@mholt
Contributor

mholt commented Jan 15, 2017

@jfisbein Perhaps some logf()s (like log.Println()) would be useful in these functions: https://github.com/xenolf/lego/blob/ce8fb060cb8361a9ff8b5fb7c2347fa907b6fcac/acme/jws.go#L81-L115

@nonobzh

nonobzh commented Jan 27, 2017

I am facing the same problem getting a certificate using the DNS method with Gandi.
It is working correctly with the staging server.

It looks like this problem was fixed in certbot by retrying when getting this error:
certbot/certbot#4099
certbot/certbot#4113

@xenolf
Member

xenolf commented Jan 27, 2017

I will implement this over the weekend (retrying on nonce error).
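
The retry that the certbot PRs above introduced and that is proposed here for lego, as an added Go example (not lego's own code, and not the real Let's Encrypt endpoint): a constructed in-process ACME-like server hands out single-use Replay-Nonce values and answers a never-issued or already-spent nonce with the same badNonce problem document seen in the logs; the client resends only on that error, with the fresh nonce the error response carried, and gives up after a bounded number of retries. The X-Nonce header and the nonce-N values are stand-ins for the "nonce" field of a JWS protected header.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const badNonceType = "urn:acme:error:badNonce"

// newNonceServer is a constructed stand-in for an ACME endpoint (not Let's Encrypt, not lego code):
// every response carries a fresh single-use Replay-Nonce, and a POST whose nonce was never issued
// or is already spent gets the badNonce problem document from the issue. Clients here are sequential.
func newNonceServer() *httptest.Server {
	issued, seq := map[string]bool{}, 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seq++
		fresh := fmt.Sprintf("nonce-%d", seq)
		issued[fresh] = true
		w.Header().Set("Replay-Nonce", fresh)
		got := r.Header.Get("X-Nonce") // stands in for the "nonce" field of the JWS protected header
		if issued[got] {
			delete(issued, got) // spent: presenting it again would be a replay
			return              // implicit 200 OK
		}
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprintf(w, `{"type":%q,"detail":"JWS has invalid anti-replay nonce %s"}`, badNonceType, got)
	}))
}

// postWithRetry resends only on badNonce, taking the Replay-Nonce from the error response, at most
// maxRetries extra times; any other failure is returned unchanged. It reports the attempts used.
func postWithRetry(url, nonce string, maxRetries int) (int, error) {
	for attempt := 1; ; attempt++ {
		req, _ := http.NewRequest(http.MethodPost, url, nil)
		req.Header.Set("X-Nonce", nonce)
		resp, err := http.DefaultClient.Do(req)
		if err != nil { return attempt, err }
		var prob struct{ Type, Detail string } // ACME problem document; stays empty if the body is not one
		json.NewDecoder(resp.Body).Decode(&prob)
		resp.Body.Close()
		if resp.StatusCode == http.StatusOK { return attempt, nil }
		nonce = resp.Header.Get("Replay-Nonce") // the rejected nonce is never resent
		if prob.Type != badNonceType || nonce == "" || attempt > maxRetries {
			return attempt, fmt.Errorf("acme: Error %d - %s - %s", resp.StatusCode, prob.Type, prob.Detail)
		}
	}
}
```

With maxRetries set to 0 the function reproduces the exact "acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce ..." line from the logs; with one retry the stale nonce is replaced and the request goes through.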

@systrace66

Hello everybody,

Any news about this issue?

@xenolf
Member

xenolf commented Feb 9, 2017

@systrace66 I'm sorry, work scored a critical hit on my spare time :) I will finish it asap.

@systrace66

@xenolf Not a problem :) Can we do some tests or should we wait?

@jfisbein
Author

Are you going to create a new release with this fix?
