Confconsole Let's Encrypt - badNonce - JWS has no anti-replay nonce #1359
A recent update to Let's Encrypt has caused issues with older versions of Dehydrated (the Let's Encrypt client we use with Confconsole). And soon after, the v1 API was deprecated and only users with existing certificates can access the v1 API endpoint.
So there are a number of issues that have all occurred within a brief period of time. This post has got a bit messy, so I've completely rewritten it [Oct 18th 2019].
Setting up. These instructions should be run in a single shell session. If you run the separate steps at separate times or in separate shells, then you will need to re-run this first setup bit:
Now the actual steps to fix the issues:
If you wish to just run the script directly (rather than via confconsole), this should do the trick:
Hopefully you should now have a working certificate...!
Users with multiple domains should also be aware of #1360. It doesn't appear to cause problems when only one domain is used (and I've tested with 2 and it seemed ok). I plan to look into that a bit closer ASAP, but no ETA.
Users who have previously addressed this issue by updating Dehydrated via some other method can leave their system as is if they wish. Or alternatively, they can install the version from the stretch backports repo (as above; they should be roughly the same version). Note that if the package has been held, then the hold will need to be removed first. I.e.:
[Previous ramblings removed for clarity]
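The badNonce error in the title is the server side of ACME's anti-replay nonce check (RFC 8555 section 6.5): every JWS must carry a nonce the server issued, and each nonce is accepted once. As an added illustration that is not part of this issue, of Confconsole or of dehydrated, the Python below simulates that check and the retry a client is expected to perform; the server class, the URLs and the account id are constructed stand-ins, and the signature is a placeholder since no key handling is involved.

```python
import base64
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AcmeNonceServer:
    """Constructed simulation of the ACME server's nonce bookkeeping (not Boulder):
    a nonce is issued once, accepted once, and every response carries a fresh one."""
    BAD_NONCE = "urn:ietf:params:acme:error:badNonce"

    def __init__(self):
        self._valid = set()

    def new_nonce(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self._valid.add(nonce)
        return nonce

    def post(self, jws: dict) -> dict:
        raw = jws["protected"]
        protected = json.loads(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
        nonce = protected.get("nonce")
        if nonce is None:
            detail = "JWS has no anti-replay nonce"
        elif nonce not in self._valid:
            detail = "JWS has an invalid anti-replay nonce"
        else:
            self._valid.discard(nonce)  # consumed: replaying this JWS now fails
            return {"status": 200, "replay_nonce": self.new_nonce()}
        # badNonce responses also carry a fresh nonce so the client can retry.
        return {"status": 400, "type": self.BAD_NONCE, "detail": detail,
                "replay_nonce": self.new_nonce()}


def make_jws(url: str, nonce, payload: dict) -> dict:
    """Build the JWS envelope; "kid" is a made-up account URL and the signature is a dummy."""
    protected = {"alg": "ES256", "kid": "https://example.invalid/acct/1", "url": url}
    if nonce is not None:
        protected["nonce"] = nonce
    return {"protected": b64url(json.dumps(protected).encode()),
            "payload": b64url(json.dumps(payload).encode()),
            "signature": b64url(b"\x00" * 64)}


def post_with_retry(server, url: str, payload: dict, nonce, retries: int = 1):
    """Client behaviour the RFC expects: on badNonce, reuse the nonce from the error and resend."""
    for _ in range(retries + 1):
        resp = server.post(make_jws(url, nonce, payload))
        nonce = resp["replay_nonce"]
        if not (resp["status"] == 400 and resp["type"] == AcmeNonceServer.BAD_NONCE):
            break
    return resp, nonce
```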
I just updated the OP to fix up some mistakes.
Also @thmai11 thanks for your post on the forums. Deepest apologies that I accidentally deleted your website user account.
Hey @deutrino - If that previous workaround works for you, it should continue to work until mid next year (when the v1 API is completely shut down). I removed it though because it will only work for users who already have a cert. For users who don't yet have a cert, the above needs to be followed.
However, if you want to get ahead of the switch to the v2 API, then you can follow the (now clarified and consolidated) steps in the top post. The change you made to the dehydrated script will be overwritten by the new version (from backports), but the new version includes that fix.