Error getting ACME certificates: urn:acme:error:badNonce - JWS has invalid anti-replay nonce #1526

@yajo

Do you want to request a feature or report a bug?

bug

What did you do?

Boot a container with these labels:

    labels:
        traefik.docker.network: "inverseproxy_shared"
        traefik.enable: "true"
        traefik.frontend.passHostHeader: "true"
        traefik.frontend.rule: "Host:gitlab.example.com"
        traefik.port: "80"

What did you expect to see?

Traefik should complete the ACME request without any problems.

What did you see instead?

ACME request failed. Restarting the Traefik container makes it work fine, until a new exposed container is added.

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.2.3
Codename:     morbier
Go version:   go1.7.5
Built:        2017-04-13_07:21:10PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

I use Traefik as an inverse proxy in a Docker (not Swarm) node.

Traefik is booted with this command from a docker-compose file, publishing ports 80 and 443:

    command:
        - --ACME.ACMELogging
        - --ACME.Email=someemail@example.com
        - --ACME.EntryPoint=https
        - --ACME.OnHostRule
        - --ACME.Storage=/etc/traefik/acme/acme.json
        - --DefaultEntryPoints=http,https
        - --EntryPoints=Name:http Address::80 Redirect.EntryPoint:https
        - --EntryPoints=Name:https Address::443 TLS
        - --LogLevel=DEBUG
        - --Docker
        - --Docker.ExposedByDefault=false
        - --Docker.Watch

I guess that's the important part of it.

If applicable, please paste the log output in debug mode (--debug switch)

DEBU[2017-05-02T11:47:20Z] Docker event received {Status:health_status: healthy ID:a9749199f37a505b32fc776fdf65c96f50cecc7ce0e5d9011edc3b3c35c3436b From:gitlab/gitlab-ce Type:container Action:health_status: healthy Actor:{ID:a9749199f37a505b32fc776fdf65c96f50cecc7ce0e5d9011edc3b3c35c3436b Attributes:map[com.docker.compose.oneoff:False com.docker.compose.project:examplegitlab image:gitlab/gitlab-ce name:examplegitlab_gitlab_1 traefik.frontend.passHostHeader:true traefik.enable:true traefik.frontend.rule:Host:gitlab.example.com traefik.port:80 com.docker.compose.config-hash:7a12b6f5b7350181b8721fdd25d3f81f5fab38e8f959e3b3667e894d013e99fa com.docker.compose.container-number:1 com.docker.compose.service:gitlab com.docker.compose.version:1.12.0 traefik.docker.network:inverseproxy_shared]} Time:1493725640 TimeNano:1493725640730950152} 
DEBU[2017-05-02T11:47:20Z] Filtering container without port and no traefik.port label /examplegitlab_backup_1 
DEBU[2017-05-02T11:47:20Z] Filtering disabled container /examplegitlab_smtp_1 
DEBU[2017-05-02T11:47:20Z] Filtering disabled container /inverseproxy_proxy_1 
DEBU[2017-05-02T11:47:20Z] Filtering disabled container /inverseproxy_dockersocket_1 
WARN[2017-05-02T11:47:20Z] Could not find network named 'inverseproxy_shared' for container '/examplegitlab_gitlab_1'! Maybe you're missing the project's prefix in the label? Defaulting to first available network. 
DEBU[2017-05-02T11:47:20Z] Load balancer method '<nil>' for backend backend-examplegitlab-gitlab-1: Invalid method, using default. Using default wrr. 
DEBU[2017-05-02T11:47:20Z] Configuration received from provider docker: {"backends":{"backend-examplegitlab-gitlab-1":{"servers":{"server-examplegitlab_gitlab_1":{"url":"http://172.22.0.2:80","weight":0}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-Host-gitlab-example-com":{"entryPoints":["http","https"],"backend":"backend-examplegitlab-gitlab-1","routes":{"route-frontend-Host-gitlab-example-com":{"rule":"Host:gitlab.example.com"}},"passHostHeader":true,"priority":0}}} 
DEBU[2017-05-02T11:47:20Z] Last docker config received more than 2s, OK 
DEBU[2017-05-02T11:47:20Z] Creating frontend frontend-Host-gitlab-example-com 
DEBU[2017-05-02T11:47:20Z] Wiring frontend frontend-Host-gitlab-example-com to entryPoint http 
DEBU[2017-05-02T11:47:20Z] Creating route route-frontend-Host-gitlab-example-com Host:gitlab.example.com 
DEBU[2017-05-02T11:47:20Z] Creating entryPoint redirect http -> https : ^(?:https?:\/\/)?([\w\._-]+)(?::\d+)?(.*)$ -> https://$1:443$2 
DEBU[2017-05-02T11:47:20Z] Creating backend backend-examplegitlab-gitlab-1 
DEBU[2017-05-02T11:47:20Z] Creating load-balancer wrr                   
DEBU[2017-05-02T11:47:20Z] Creating server server-examplegitlab_gitlab_1 at http://172.22.0.2:80 with weight 0 
DEBU[2017-05-02T11:47:20Z] Wiring frontend frontend-Host-gitlab-example-com to entryPoint https 
DEBU[2017-05-02T11:47:20Z] Creating route route-frontend-Host-gitlab-example-com Host:gitlab.example.com 
DEBU[2017-05-02T11:47:20Z] Creating backend backend-examplegitlab-gitlab-1 
DEBU[2017-05-02T11:47:20Z] Creating load-balancer wrr                   
DEBU[2017-05-02T11:47:20Z] Creating server server-examplegitlab_gitlab_1 at http://172.22.0.2:80 with weight 0 
INFO[2017-05-02T11:47:20Z] Server configuration reloaded on :80         
INFO[2017-05-02T11:47:20Z] Server configuration reloaded on :443        
DEBU[2017-05-02T11:47:20Z] LoadCertificateForDomains [gitlab.example.com]... 
DEBU[2017-05-02T11:47:20Z] Loading ACME certificates [gitlab.example.com]... legolog: 2017/05/02 11:47:20 [INFO][gitlab.example.com] acme: Obtaining bundled SAN certificate
ERRO[2017-05-02T11:47:21Z] map[gitlab.example.com:acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce 41n3094n1c04yrn01923ryn091237rync109237yrnc] 
ERRO[2017-05-02T11:47:21Z] Error getting ACME certificates [gitlab.example.com] : Cannot obtain certificates map[gitlab.example.com:acme: Error 400 - urn:acme:error:badNonce - JWS has invalid anti-replay nonce 41n3094n1c04yrn01923ryn091237rync109237yrnc]+v 
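
The `badNonce` error in the log above comes from ACME's anti-replay check: each nonce the server issues is accepted for one signed request only. As an added illustration (not part of the original issue, and not Traefik's or lego's code), this toy Go model shows a stale nonce being rejected and a retry succeeding with the nonce returned alongside the error; `Server`, `Send` and the `"stale"` value are constructed for the example and say nothing about the root cause of this report.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrBadNonce stands in for urn:acme:error:badNonce.
var ErrBadNonce = errors.New("urn:acme:error:badNonce")

// Server is a toy ACME endpoint: each nonce it issues is accepted exactly once.
type Server struct {
	live map[string]bool
	seq  int
}

// NewNonce plays the role of the Replay-Nonce response header.
func (s *Server) NewNonce() string {
	s.seq++
	n := fmt.Sprintf("nonce-%d", s.seq)
	s.live[n] = true
	return n
}

// Post burns the nonce if it is live; every reply, error or not, carries a fresh one.
func (s *Server) Post(nonce string) (string, error) {
	if !s.live[nonce] {
		return s.NewNonce(), ErrBadNonce
	}
	delete(s.live, nonce)
	return s.NewNonce(), nil
}

// Send posts with the given nonce and, on badNonce, retries with the nonce
// returned alongside the error. It reports how many attempts were made.
func Send(s *Server, nonce string, maxAttempts int) (attempts int, err error) {
	for attempts < maxAttempts {
		attempts++
		if nonce, err = s.Post(nonce); !errors.Is(err, ErrBadNonce) {
			break
		}
	}
	return attempts, err
}

func main() {
	s := &Server{live: map[string]bool{}}
	fmt.Println(Send(s, "stale", 1)) // one attempt with a stale nonce: badNonce
	fmt.Println(Send(s, "stale", 3)) // retry with the server-supplied nonce: success
}
```

A client limited to a single attempt surfaces the error exactly as in the log, while one that retries with the server-supplied nonce completes on the second attempt.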
