JWS has no anti-replay nonce #559

FlorentCoppint opened this issue May 9, 2018 · 2 comments



commented May 9, 2018


I use Dehydrated to deploy certificates in a private environment (local Boulder install).
I have no problem, except that today, on a server which was already configured with 1 domain in domains.txt, I added a second one.
And Dehydrated throws me that error for this second domain:

INFO: Using main config file /etc/dehydrated/config


  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Jun 30 23:41:35 2018 GMT Certificate will not expire
    (Longer than 30 days). Skipping renew!
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting authorization for
  • ERROR: An error occurred while sending post-request to (Status 400)

HTTP/2 400
boulder-requester: 1005
cache-control: public, max-age=0, no-cache
content-type: application/problem+json
replay-nonce: Sl0aksakzPWJZN2Xtocr6o5Ybh6UIz1cF1vN5KyR9F8
content-length: 100
date: Wed, 09 May 2018 15:13:53 GMT

"type": "urn:acme:error:badNonce",
"detail": "JWS has no anti-replay nonce",
"status": 400

Do I hit a "bug" when the first domain does not need renewal and the second one is new?

Tell me which information you need to debug this.

Boulder is up-to-date and functional (signed certificates this morning), and I just upgraded dehydrated to 0.6.2, with the same error.
Thank you.



commented May 9, 2018

The only thing that changed on that server is a Debian upgrade a few days ago, from Jessie to Stretch. Do you think that could be the problem?



commented May 9, 2018

I think I found the issue: since Stretch, curl is using HTTP/2, as you can see in the headers.
And header names are lower case. The expected header was "Replay-Nonce:" and it is now "replay-nonce:".
Maybe just adding "-i" to all grep commands solves the problem.

FlorentCoppint pushed a commit to FlorentCoppint/dehydrated that referenced this issue May 9, 2018
…e. So adding ignore case option (-i) to grep's.
@lukas2511 lukas2511 closed this in e4e712c May 9, 2018
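
The mismatch described in the last comment, as an added example that is not part of the thread and not dehydrated's own code: HTTP header names are case-insensitive and HTTP/2 sends them in lower case, so a case-sensitive match on `Replay-Nonce:` yields an empty nonce. The function names and the sample responses and nonce values are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample header dumps (not captured from a real server).
# Header lines end in CRLF, as they do in curl's header output.
h1_headers() {
  printf 'HTTP/1.1 200 OK\r\nReplay-Nonce: constructed-nonce-AAAA\r\nContent-Length: 0\r\n\r\n'
}
h2_headers() {
  printf 'HTTP/2 200\r\nreplay-nonce: constructed-nonce-BBBB\r\ncontent-length: 0\r\n\r\n'
}

# Case-sensitive match: the behaviour the issue describes. It finds nothing
# when the header name arrives in lower case, as it does over HTTP/2.
nonce_case_sensitive() {
  grep '^Replay-Nonce:' | head -n 1 | cut -d ':' -f 2- | tr -d ' \t\r'
}

# Case-insensitive match (grep -i), the change suggested in the thread.
nonce_case_insensitive() {
  grep -i '^Replay-Nonce:' | head -n 1 | cut -d ':' -f 2- | tr -d ' \t\r'
}

# Hypothetical wrapper: refuse to continue with an empty nonce, so the
# failure shows up at the parsing step rather than as a badNonce reply.
get_nonce() {
  nonce=$(nonce_case_insensitive)
  if [ -z "$nonce" ]; then
    echo "no Replay-Nonce header in response" >&2
    return 1
  fi
  printf '%s\n' "$nonce"
}

printf 'HTTP/1.1, case-sensitive:   [%s]\n' "$(h1_headers | nonce_case_sensitive)"
printf 'HTTP/2,   case-sensitive:   [%s]\n' "$(h2_headers | nonce_case_sensitive)"
printf 'HTTP/2,   case-insensitive: [%s]\n' "$(h2_headers | nonce_case_insensitive)"
```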