JWS has no anti-replay nonce #559

Closed
FlorentCoppint opened this issue May 9, 2018 · 2 comments

@FlorentCoppint
commented May 9, 2018

Hi,

I use Dehydrated to deploy certificates in a private environment (local Boulder install).
I have had no problems, except that today, on a server which was already configured with 1 domain in domains.txt, I added a second one.
Dehydrated throws this error for the second domain:

INFO: Using main config file /etc/dehydrated/config

Processing git2.priv.company.net

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Jun 30 23:41:35 2018 GMT Certificate will not expire
    (Longer than 30 days). Skipping renew!

Processing docker.priv.company.net

  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting authorization for docker.priv.company.net...
  • ERROR: An error occurred while sending post-request to https://acme-v01.api.priv.company.net/acme/new-authz (Status 400)

Details:
HTTP/2 400
boulder-requester: 1005
cache-control: public, max-age=0, no-cache
content-type: application/problem+json
replay-nonce: Sl0aksakzPWJZN2Xtocr6o5Ybh6UIz1cF1vN5KyR9F8
content-length: 100
date: Wed, 09 May 2018 15:13:53 GMT

{
"type": "urn:acme:error:badNonce",
"detail": "JWS has no anti-replay nonce",
"status": 400
}

Do I hit a "bug" when the first domain does not need renewal and the second one is new?

Tell me which information you need to debug this.

Boulder is up to date and functional (signed certificates this morning), and I just upgraded dehydrated to 0.6.2 with the same error.
Thank you.

@FlorentCoppint

commented May 9, 2018

The only thing that changed on that server is a Debian upgrade a few days ago, from Jessie to Stretch. Do you think that could be the problem?

@FlorentCoppint

commented May 9, 2018

I think I found the issue: since Stretch, curl is using HTTP/2, as you can see in the headers.
And header names are lower case. The expected header was "Replay-Nonce:" and it is now "replay-nonce:".
Maybe just adding "-i" to all grep commands solves the problem.

FlorentCoppint pushed a commit to FlorentCoppint/dehydrated that referenced this issue May 9, 2018
…e. So adding ignore case option (-i) to grep's.
@lukas2511 lukas2511 closed this in e4e712c May 9, 2018
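
The failure described in the last comment above, as an added example that is not part of the original thread and not dehydrated's own code: HTTP header names are case-insensitive and HTTP/2 always sends them in lowercase, so a case-sensitive match on `Replay-Nonce:` returns nothing and the next request is signed without a nonce. The sample responses, nonce values and function names below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample responses (not captured from a real server).
# HTTP/1.1 servers typically send mixed-case header names.
sample_http1() {
    printf 'HTTP/1.1 400 Bad Request\r\nContent-Type: application/problem+json\r\nReplay-Nonce: constructed-nonce-h1\r\n\r\n{"detail": "JWS has no anti-replay nonce"}\r\n'
}
# Over HTTP/2 every header name arrives in lowercase.
sample_http2() {
    printf 'HTTP/2 400\r\ncontent-type: application/problem+json\r\nreplay-nonce: constructed-nonce-h2\r\n\r\n{"detail": "JWS has no anti-replay nonce"}\r\n'
}

# Case-sensitive extraction of the kind the comment describes (hypothetical
# reconstruction): works on the HTTP/1.1 sample, yields nothing on HTTP/2.
extract_nonce_strict() {
    tr -d '\r' | grep '^Replay-Nonce:' | cut -d' ' -f2
}

# Tolerant extraction: compares the header name case-insensitively, strips
# CR and surrounding whitespace, and stops at the blank line that ends the
# header section so nothing in the response body can be mistaken for a header.
extract_nonce() {
    tr -d '\r' | awk '
        /^$/ { exit }
        {
            i = index($0, ":")
            if (i == 0) next                  # status line, no colon
            name = tolower(substr($0, 1, i - 1))
            if (name == "replay-nonce") {     # exact name, any case
                val = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }'
}

# Show both extractors against both samples.
for sample in sample_http1 sample_http2; do
    printf '%s: strict=[%s] tolerant=[%s]\n' "$sample" \
        "$($sample | extract_nonce_strict)" "$($sample | extract_nonce)"
done
```

An empty nonce should be treated as a hard error before signing, rather than sent to the server to be rejected with `badNonce`.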