grindsa / acme2certifier

library implementing ACME server functionality
GNU General Public License v3.0

Error responses are missing Nonce-Field #111

Closed grindsa closed 1 year ago

grindsa commented 1 year ago

Testing with Posh-ACME indicated a bug in a2c nonce handling.

RFC 8555 section 6.5 states:

> An ACME server provides nonces to clients using the HTTP Replay-Nonce header field, as specified in [Section 6.5.1](https://datatracker.ietf.org/doc/html/rfc8555#section-6.5.1). The server MUST include a Replay-Nonce header field in every successful response to a POST request and SHOULD provide it in error responses as well.

a2c does not add a nonce in case of error responses but invalidates the existing nonce. Thus Posh-ACME re-uses the formerly sent nonce, which leads to a replay-protection error in a2c.
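The failure sequence described above, as an added example that is not acme2certifier's or Posh-ACME's own code: a minimal single-use nonce store and POST handler, run once with the original behaviour (no Replay-Nonce on error responses) and once with the RFC 8555 behaviour, against a client that reuses its last known nonce. The `NonceStore`, `handle_post` and `client_flow` names are assumptions made for this example.

```python
import secrets

class NonceStore:
    """Single-use nonces: each one handed out is valid for exactly one POST."""
    def __init__(self):
        self._issued = set()

    def issue(self):
        nonce = secrets.token_urlsafe(16)
        self._issued.add(nonce)
        return nonce

    def consume(self, nonce):
        """Invalidate the nonce; return whether it was acceptable."""
        if nonce in self._issued:
            self._issued.remove(nonce)
            return True
        return False

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"
MALFORMED = "urn:ietf:params:acme:error:malformed"

def handle_post(store, nonce, body, nonce_in_errors):
    """Server side. Returns (status, headers, error_type).
    A body of "bad" models any application-level error after the nonce
    check has already consumed the client's nonce."""
    if not store.consume(nonce):
        # RFC 8555 6.5: a badNonce error MUST carry a fresh Replay-Nonce
        return 400, {"Replay-Nonce": store.issue()}, BAD_NONCE
    if body == "bad":
        headers = {"Replay-Nonce": store.issue()} if nonce_in_errors else {}
        return 400, headers, MALFORMED   # old a2c behaviour: headers == {}
    return 200, {"Replay-Nonce": store.issue()}, None  # MUST on success

def client_flow(nonce_in_errors):
    """Client side (Posh-ACME style): keep the Replay-Nonce from the last
    response and use it for the next POST. Returns the error types seen."""
    store = NonceStore()
    nonce = store.issue()                         # obtained via newNonce
    seen = []
    # First POST fails for an unrelated reason; its nonce is now burned.
    _, headers, err = handle_post(store, nonce, "bad", nonce_in_errors)
    seen.append(err)
    nonce = headers.get("Replay-Nonce", nonce)    # no header -> reuse old nonce
    _, headers, err = handle_post(store, nonce, "ok", nonce_in_errors)
    seen.append(err)
    return seen
```

With `nonce_in_errors=False` the second POST is rejected with badNonce, exactly the loop reported above; with `True` it succeeds.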

grindsa commented 1 year ago

Fix got included in v0.28