acme clients not working, bad nonce #85

Closed
DonOtuseGH opened this issue Apr 28, 2022 · 7 comments

Comments

@DonOtuseGH

Hello,

I tried to use the certbot and uacme clients to get certificates from django-ca (latest Docker image), but without success. Both clients report nonce issues...

certbot:
An unexpected error occurred: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.

uacme:
uacme: acme_post: server rejected nonce, retrying

Any ideas, how to get this working?

@mathiasertl
Owner

Hi @DonOtuseGH ,

I fear I need further information here to get to the bottom of this. I validated that ACME nonce processing is working in principle using the development guide, but of course, something might always be different in the real world.

  • You say you use the Docker image. Are you really using that, or are you using docker-compose?
  • If you use Docker, are you using a shared cache? Django's default in-memory cache is not shared, so this could be one reason for the error.
  • What command of certbot is failing - please post the full command.
  • What version of certbot are you using?
  • Can you run certbot with the --verbose flag? It should print the exact HTTP requests it does.
  • Does django-ca itself provide any output?

Looking forward to more information!

Thanks + kr, Mat

@mathiasertl
Owner

Hi @DonOtuseGH , ping? Any further information?

@DonOtuseGH
Author

Hi @mathiasertl, sorry for the late reply, I'm a bit busy at the moment, but I'll try to collect the requested information tomorrow or the day after. BR

@DonOtuseGH
Author

Hi Mat,

I'd like to answer your questions...

$ git diff docker-compose.yml
diff --git a/docker-compose.yml b/docker-compose.yml
index 25d8b5c..43a8f1e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,4 @@
-version: "3.9"
+version: "3.7"
 services:
     cache:
         image: redis:6-alpine
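Review bot: the `version` downgrade from "3.9" to "3.7" changes only which compose file schema the local docker-compose parser applies; nothing in the surrounding context (the `cache` service on `redis:6-alpine`) needs it, so the change should say which docker-compose release forced it, because that same parser constraint is what decides whether the long-form `depends_on` dropped in the next hunk is accepted.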
@@ -88,8 +88,7 @@ services:
         image: nginx:1.20-alpine
         command: /bin/sh -c "envsubst < /etc/nginx/conf.d/${NGINX_TEMPLATE:-default}.template > /etc/nginx/conf.d/default.conf && exec nginx -g 'daemon off;'"
         depends_on:
-            frontend:
-                condition: service_healthy
+            - frontend
         environment:
             NGINX_HOST: ${DJANGO_CA_CA_DEFAULT_HOSTNAME:-localhost}
             NGINX_PORT: ${NGINX_PORT:-80}
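Review bot: replacing the long-form `depends_on` with the plain list `- frontend` silently drops the `condition: service_healthy` gate, so the nginx container now starts as soon as `frontend` is created instead of once its healthcheck passes, and the `envsubst ... && exec nginx` command will run while the upstream may still be unavailable. If the long form was removed because the local docker-compose rejected it, state that in the change, and keep some wait-for-upstream step in the `command` so startup ordering is still enforced.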

In addition I have the following overrides:

$ cat <<'EOF'> docker-compose.override.yml
version: "3.7"
services:
    cache:
        volumes:
            - /etc/localtime:/etc/localtime:ro
    db:
        volumes:
            - /etc/localtime:/etc/localtime:ro
    backend:
        volumes:
            - /etc/localtime:/etc/localtime:ro
            - ./localsettings.yaml:/usr/src/django-ca/ca/conf/compose/99-localsettings.yaml
            - ${PWD}/certs:/usr/src/django-ca/ca/certs
    frontend:
        volumes:
            - /etc/localtime:/etc/localtime:ro
            - ./localsettings.yaml:/usr/src/django-ca/ca/conf/compose/99-localsettings.yaml
    webserver:
        volumes:
            - /etc/localtime:/etc/localtime:ro
            - ${PWD}/webui/live/${DJANGO_CA_CA_DEFAULT_HOSTNAME}:/etc/certs/live/${DJANGO_CA_CA_DEFAULT_HOSTNAME}/
            - ${PWD}/webui/archive/${DJANGO_CA_CA_DEFAULT_HOSTNAME}:/etc/certs/archive/${DJANGO_CA_CA_DEFAULT_HOSTNAME}/
            - ${PWD}/dhparam.pem:/etc/nginx/dhparams/dhparam.pem
            - ${PWD}/acme/:/usr/share/django-ca/acme/
        ports:
            - 443:443
EOF

localsettings looks like so:

$ cat <<EOF> localsettings.yaml
CACHES:
  default:
    BACKEND: django.core.cache.backends.locmem.LocMemCache
TIME_ZONE: Europe/Berlin
LANGUAGE_CODE: de-DE
CA_DEFAULT_EXPIRES: 365
CA_DEFAULT_SUBJECT:
  C: DE
  L: Stuttgart
  O: ACME Corp.
  OU: Certificate Management
  ST: Baden-Wuerttemberg
CA_PROFILES:
  server_3y:
    description: A certificate for a webserver with 3 years validity time.
    expires: 1095
    extensions:
      extended_key_usage:
        critical: false
        value:
        - serverAuth
      key_usage:
        critical: true
        value:
        - digitalSignature
        - keyEncipherment
    subject: /C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/OU=Lab
  # to disable pre-configured profiles set it to null
  #enduser: null
EOF
  • Certbot Version
$ certbot --version
certbot 1.25.0
  • Certbot command
$ REQUESTS_CA_BUNDLE=root_ca.crt certbot register --agree-tos -m foo@bar.com --server https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/ -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

  • Certbot log
$ cat /var/log/letsencrypt/letsencrypt.log
2022-05-25 15:29:52,387:DEBUG:certbot._internal.main:certbot version: 1.25.0
2022-05-25 15:29:52,387:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-05-25 15:29:52,387:DEBUG:certbot._internal.main:Arguments: ['--agree-tos', '-m', 'foo@bar.com', '--server', 'https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/', '-v']
2022-05-25 15:29:52,387:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-05-25 15:29:52,399:DEBUG:certbot._internal.log:Root logging level set at 20
2022-05-25 15:29:52,463:DEBUG:acme.client:Sending GET request to https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/.
2022-05-25 15:29:52,465:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): certsuite-dev.lab:443
2022-05-25 15:29:52,487:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "GET /django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/ HTTP/1.1" 200 608
2022-05-25 15:29:52,488:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: application/json
Content-Length: 608
Connection: keep-alive
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{"QRTblkWQiAIlQYD94TP00Q": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://localhost:8000/django_ca/acme/todo/key-change", "newAccount": "https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/", "newNonce": "https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/", "newOrder": "https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-order/", "revokeCert": "http://localhost:8000/django_ca/acme/todo/revoke-cert"}
2022-05-25 15:29:52,488:DEBUG:acme.client:Requesting fresh nonce
2022-05-25 15:29:52,488:DEBUG:acme.client:Sending HEAD request to https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/.
2022-05-25 15:29:52,490:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ HTTP/1.1" 200 0
2022-05-25 15:29:52,491:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
replay-nonce: vJs4kQBD6nYUuL7Zdq251Z3vpR7aKTr9x_D8CTKWIyc
cache-control: no-store
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block


2022-05-25 15:29:52,492:DEBUG:acme.client:Storing nonce: vJs4kQBD6nYUuL7Zdq251Z3vpR7aKTr9x_D8CTKWIyc
2022-05-25 15:29:52,492:DEBUG:acme.client:JWS payload:
b'{\n  "contact": [\n    "mailto:foo@bar.com"\n  ],\n  "termsOfServiceAgreed": true\n}'
2022-05-25 15:29:52,496:DEBUG:acme.client:Sending POST request to https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/:
{
  "protected": "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",
  "signature": "f_xghq-GSh5pX7tuxvBZtdnE12y3G2e7W0xl37gJbJOu4tIFM4fABfrPnil4yDCXwJR04PExEPFO4f3JBKET0wmv5dA8whKCsIgxWkKRivX5TdQf7CSTV0xIUz8sAok7R39rUXN7CjDWsDvR6zabqHdhj5h_oVrXJLogM_NaRi8qKjnJXnRR9IJHax8UB6rwIxwVlRqgU3CiTvLjr0an5bkshq0n2QYdOgttqtz1fGFsQA6ZK4fx4zu7HBm0deLI1gfSM1mvHDX08S_5uf_stn2tfqycXSwE6fcJ4yolz2z7vBGL-6DYq4G_03jPfDXEMbXIihmTbjnMIO_GBUdSPw",
  "payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpmb29AYmFyLmNvbSIKICBdLAogICJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWUKfQ"
}
2022-05-25 15:29:52,508:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ HTTP/1.1" 400 97
2022-05-25 15:29:52,509:DEBUG:acme.client:Received response:
HTTP 400
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: application/problem+json
Content-Length: 97
Connection: keep-alive
Link: <https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/>;rel="index"
replay-nonce: 1kko5Anr7ghhHwwpJGj8jNptVz30vUIlFjzeuOOBDYY
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{"type": "urn:ietf:params:acme:error:badNonce", "status": 400, "detail": "Bad or invalid nonce."}
2022-05-25 15:29:52,509:DEBUG:acme.client:Retrying request after error:
urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
2022-05-25 15:29:52,509:DEBUG:acme.client:Requesting fresh nonce
2022-05-25 15:29:52,509:DEBUG:acme.client:Sending HEAD request to https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/.
2022-05-25 15:29:52,511:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ HTTP/1.1" 200 0
2022-05-25 15:29:52,512:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
replay-nonce: SULgxSVkrm85l7c0jP_HG4T7MbcsJ1OgKdDboQfHw8A
cache-control: no-store
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block


2022-05-25 15:29:52,513:DEBUG:acme.client:Storing nonce: SULgxSVkrm85l7c0jP_HG4T7MbcsJ1OgKdDboQfHw8A
2022-05-25 15:29:52,513:DEBUG:acme.client:JWS payload:
b'{\n  "contact": [\n    "mailto:foo@bar.com"\n  ],\n  "termsOfServiceAgreed": true\n}'
2022-05-25 15:29:52,516:DEBUG:acme.client:Sending POST request to https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/:
{
  "protected": "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",
  "signature": "l0t7c8qBGaRJ7V6GES_8pEiZ-0U-iaFtaOxfkYRT2cWHVFRDzG01Fa1CfG3jh58ZV4-7_aToE5x8E95lMK0Gu388dzBcv0UzeyL6YBJMA4ExJC4J6Iu38RJ40RBbSwO5n1f5jpGNxndjjRn1cmYu-Wl0Z-qc-zFjy2Xfx5QQ1GdkoJab9rn9ZQSMcgbV4D5B_W_QDWAPj6hJW5h4DdoCiT0_m_5tDeDyLzR-_Dec2hMfZseIEqp2LmrMa7Jfzssv-0gsbZcQjf1L0amDK9ysE6kbf-bbEO1jZjDIK18mDCCvPEVLp1Ky0DYmXYNRV7_APflBOPgVgFv9zrfMBlVIzQ",
  "payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpmb29AYmFyLmNvbSIKICBdLAogICJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWUKfQ"
}
2022-05-25 15:29:52,533:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ HTTP/1.1" 400 97
2022-05-25 15:29:52,533:DEBUG:acme.client:Received response:
HTTP 400
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: application/problem+json
Content-Length: 97
Connection: keep-alive
Link: <https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/>;rel="index"
replay-nonce: 0CMX3MTMuH0ZxGbXzsGwbBayhyOhhPQPtCCY3Xggtdk
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{"type": "urn:ietf:params:acme:error:badNonce", "status": 400, "detail": "Bad or invalid nonce."}
2022-05-25 15:29:52,534:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1271, in post
    return self._post_once(*args, **kwargs)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1285, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1131, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.10/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/main.py", line 1715, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/main.py", line 888, in register
    _determine_account(config)
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/main.py", line 724, in _determine_account
    acc, acme = client.register(
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/client.py", line 218, in register
    regr = perform_registration(acme, config, tos_cb)
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/client.py", line 267, in perform_registration
    acme).new_account_and_tos(newreg, tos_cb)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 912, in new_account_and_tos
    return client_v2.new_account(regr)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 632, in new_account
    response = self._post(self.directory['newAccount'], new_account)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 103, in _post
    return self.net.post(*args, **kwargs)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1275, in post
    return self._post_once(*args, **kwargs)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1285, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1131, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
2022-05-25 15:29:52,536:ERROR:certbot._internal.log:An unexpected error occurred:
2022-05-25 15:29:52,537:ERROR:certbot._internal.log:The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
  • django-ca log
frontend_1   | [pid: 27|app: 0|req: 171/255] 10.5.1.94 () {38 vars in 716 bytes} [Wed May 25 15:29:15 2022] GET /django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/ => generated 608 bytes in 9 msecs (HTTP/1.1 200) 4 headers in 143 bytes (1 switches on core 0)
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "GET /django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/ HTTP/1.1" 200 608 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ HTTP/1.1" 200 0 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
frontend_1   | [pid: 27|app: 0|req: 172/256] 10.5.1.94 () {38 vars in 717 bytes} [Wed May 25 15:29:15 2022] HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ => generated 0 bytes in 1 msecs (HTTP/1.1 200) 6 headers in 233 bytes (1 switches on core 1)
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ HTTP/1.1" 400 97 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
frontend_1   | [pid: 23|app: 0|req: 18/257] 10.5.1.94 () {42 vars in 815 bytes} [Wed May 25 15:29:15 2022] POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ => generated 97 bytes in 9 msecs (HTTP/1.1 400) 6 headers in 342 bytes (1 switches on core 0)
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ HTTP/1.1" 200 0 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
frontend_1   | [pid: 25|app: 0|req: 41/258] 10.5.1.94 () {38 vars in 717 bytes} [Wed May 25 15:29:15 2022] HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ => generated 0 bytes in 1 msecs (HTTP/1.1 200) 6 headers in 233 bytes (1 switches on core 1)
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ HTTP/1.1" 400 97 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
frontend_1   | [pid: 21|app: 0|req: 28/259] 10.5.1.94 () {42 vars in 815 bytes} [Wed May 25 15:29:15 2022] POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ => generated 97 bytes in 9 msecs (HTTP/1.1 400) 6 headers in 342 bytes (1 switches on core 1)

@mathiasertl
Owner

mathiasertl commented May 26, 2022

Hi @DonOtuseGH, thanks for the detailed report! I'm already trying to reproduce this. I'll come back if I have further questions!

What I can see from a first look is that the requests/responses are consistent with a client not sending the correct replay nonce. But then of course: Why would certbot not do that? I'm sure the issue is somehow, somewhere on the django-ca side.

Just out of curiosity - why remove the service_healthy condition from docker-compose and why map in the localtime file? In each case, if it's a useful addition, it could be included of course.

kr, Mat

@mathiasertl
Owner

Ah! NO WAIT! I found it. From your localsettings.yaml file:

CACHES:
  default:
    BACKEND: django.core.cache.backends.locmem.LocMemCache

The docker-compose setup includes a Redis instance precisely because the application server needs a cache that is shared between all processes that serve requests. uWSGI starts four processes by default. Likely you hit different uWSGI processes for each request, but each request has a different, independent (read: local memory) cache.

Can you remove those lines and try again?

By the way: I'm also extremely annoyed by this, but: you "might" want to include the changes from a0f1490 in your docker-compose.yml file.

kr, Mat
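The failure mode described in the comment above, as an added example that is not part of this thread or of django-ca's code: an ACME server issues a replay nonce on HEAD new-nonce and must find that exact nonce again, unused, when the signed POST arrives. If every worker process keeps its own in-memory cache, the POST usually lands on a worker that never saw the nonce and answers badNonce, whereas one store shared by all workers (what the Redis service in the compose file provides) makes the nonce visible everywhere and still rejects a second use of it. All class and function names here are invented for the simulation; dispatch is modelled as round-robin over four workers, matching the "four processes by default" remark.

```python
"""Simulation of ACME replay-nonce handling behind a multi-process app server.

Added example, not django-ca's code. It models why a per-process
LocMemCache yields urn:ietf:params:acme:error:badNonce while a cache shared
by all workers does not. Names (LocalMemoryCache, SharedCache, AcmeWorker,
run_client) are invented for this illustration.
"""
import secrets
from itertools import cycle
from typing import Dict, List

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


class LocalMemoryCache:
    """One instance per worker process; nothing is visible across workers."""

    def __init__(self) -> None:
        self._data: Dict[str, bool] = {}

    def add(self, key: str) -> None:
        self._data[key] = True

    def pop(self, key: str) -> bool:
        # Returns True only if the key was present; removing it makes the
        # nonce single-use.
        return self._data.pop(key, False)


class SharedCache(LocalMemoryCache):
    """Stands in for Redis: a single store that every worker talks to."""


class AcmeWorker:
    """One app-server worker: hands out nonces (HEAD new-nonce) and checks them (POST)."""

    def __init__(self, name: str, cache: LocalMemoryCache) -> None:
        self.name = name
        self.cache = cache

    def new_nonce(self) -> str:
        nonce = secrets.token_urlsafe(32)  # unpredictable, 43 url-safe chars
        self.cache.add(nonce)              # remember it as issued and unused
        return nonce

    def post(self, nonce: str) -> str:
        # RFC 8555 section 6.5: accept only a nonce this server issued and
        # that has not been used yet; consume it on success.
        return "ok" if self.cache.pop(nonce) else BAD_NONCE


def build_workers(shared: bool, count: int = 4) -> List[AcmeWorker]:
    """Four workers either sharing one cache or each owning a private one."""
    if shared:
        cache = SharedCache()
        return [AcmeWorker(f"w{i}", cache) for i in range(count)]
    return [AcmeWorker(f"w{i}", LocalMemoryCache()) for i in range(count)]


def run_client(workers: List[AcmeWorker], rounds: int = 4) -> List[str]:
    """Certbot-like loop: fetch a nonce, then POST with it.

    Requests are dispatched round-robin, so the HEAD and the POST always hit
    different workers. With random dispatch over N workers the POST would
    succeed only about 1/N of the time, which is the "sometimes works"
    behaviour a private per-worker cache produces.
    """
    dispatch = cycle(workers)
    results = []
    for _ in range(rounds):
        nonce = next(dispatch).new_nonce()           # HEAD .../new-nonce/
        results.append(next(dispatch).post(nonce))   # POST .../new-account/
    return results


def replay_is_rejected() -> bool:
    """With a shared cache the nonce works once across workers, never twice."""
    w = build_workers(shared=True)
    nonce = w[0].new_nonce()
    first = w[1].post(nonce)
    second = w[2].post(nonce)   # replay of the same signed request
    return first == "ok" and second == BAD_NONCE


if __name__ == "__main__":
    print("private caches:", run_client(build_workers(shared=False)))
    print("shared cache:  ", run_client(build_workers(shared=True)))
    print("replay rejected:", replay_is_rejected())
```

The retry certbot performs after a badNonce does not help here: the fresh nonce is again stored only in the worker that answered the HEAD, so the second POST fails the same way, which is exactly the HEAD/400/HEAD/400 pattern in the log above. Removing the CACHES override so the compose-provided Redis cache is used gives all workers one nonce store.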

@mathiasertl
Owner

Closing this issue due to lack of further feedback. If you experience further issues, please don't hesitate to create a new issue or reopen this issue.
