JWS has no anti-replay nonce #348

Closed
opened 2025-12-29 01:23:29 +01:00 by adam · 2 comments
Owner

Originally created by @FlorentCoppint on GitHub (May 9, 2018).

Hi,

I use Dehydrated to deploy certificates in a private environment (local Boulder install).
I have no problem except today on a server which was already configured with 1 domain in domains.txt, to which I added a second one.
And Dehydrated throws me this error for the second domain:

INFO: Using main config file /etc/dehydrated/config

Processing git2.priv.company.net

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Jun 30 23:41:35 2018 GMT Certificate will not expire
    (Longer than 30 days). Skipping renew!

Processing docker.priv.company.net
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting authorization for docker.priv.company.net...
  • ERROR: An error occurred while sending post-request to https://acme-v01.api.priv.company.net/acme/new-authz (Status 400)

Details:
HTTP/2 400
boulder-requester: 1005
cache-control: public, max-age=0, no-cache
content-type: application/problem+json
replay-nonce: Sl0aksakzPWJZN2Xtocr6o5Ybh6UIz1cF1vN5KyR9F8
content-length: 100
date: Wed, 09 May 2018 15:13:53 GMT

{
"type": "urn:acme:error:badNonce",
"detail": "JWS has no anti-replay nonce",
"status": 400
}

Do I hit a "bug" when the first domain does not need renewal and the second one is new?

Tell me which information you need to debug this.

Boulder is up-to-date and functional (it signed certificates this morning), and I just upgraded dehydrated to 0.6.2 with the same error.
Thank you.

adam closed this issue 2025-12-29 01:23:30 +01:00
Author
Owner

@FlorentCoppint commented on GitHub (May 9, 2018):

The only thing that changed on that server is a Debian upgrade a few days ago, from Jessie to Stretch. Do you think that could be the problem?

Author
Owner

@FlorentCoppint commented on GitHub (May 9, 2018):

I think I found the issue: since Stretch, curl is using HTTP/2, as you can see in the headers.
And header names are lower case. The expected header was "Replay-Nonce:" and it is now "replay-nonce:".
Maybe just adding "-i" to all grep commands solves the problem.

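The header-case problem described in this thread, as an added shell example that is not dehydrated's own code: the two response heads below are constructed, and the nonce values in them are made up. It shows a case-sensitive match returning nothing on an HTTP/2 response (so the next JWS would go out without a nonce), the `grep -i` match working on both, and a wrapper that fails loudly instead of silently sending a nonce-less request.

```bash
#!/usr/bin/env bash
# HTTP/1.1 servers conventionally send "Replay-Nonce:", but HTTP/2 (RFC 7540)
# requires lowercase header names, and header names are case-insensitive in
# HTTP anyway (RFC 7230). A case-sensitive grep therefore breaks as soon as
# curl negotiates HTTP/2, which is what the reporter saw after the Stretch upgrade.

# Constructed sample response heads (not captured from a real ACME server).
HTTP11_HEAD=$(printf 'HTTP/1.1 200 OK\r\nReplay-Nonce: nonceFromHttp11\r\nContent-Type: application/json\r\n\r\n')
HTTP2_HEAD=$(printf 'HTTP/2 400\r\nreplay-nonce: nonceFromHttp2\r\ncontent-type: application/problem+json\r\n\r\n')

# The fragile form: matches only the canonical capitalisation.
nonce_case_sensitive() {
    printf '%s' "$1" | grep '^Replay-Nonce:' | awk '{print $2}' | tr -d '\r\n'
}

# The fix suggested in the thread: -i makes the header-name match case-insensitive.
nonce_case_insensitive() {
    printf '%s' "$1" | grep -i '^replay-nonce:' | awk '{print $2}' | tr -d '\r\n'
}

# Defensive wrapper: never return an empty nonce, because the server will
# reject the resulting JWS with urn:acme:error:badNonce anyway.
extract_nonce_or_fail() {
    nonce=$(nonce_case_insensitive "$1")
    if [ -z "$nonce" ]; then
        echo "error: no Replay-Nonce header in response" >&2
        return 1
    fi
    printf '%s' "$nonce"
}

# Demonstration when run directly.
echo "case-sensitive on HTTP/2:   '$(nonce_case_sensitive "$HTTP2_HEAD")'"
echo "case-insensitive on HTTP/2: '$(nonce_case_insensitive "$HTTP2_HEAD")'"
```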
Reference: starred/dehydrated#348