Closed grapevine2383 closed 7 years ago
Typically, when a DNS record is not visible immediately, the problem is not a TTL (which affects how long a record can be served by a caching recursive resolver), but the propagation time of the authoritative resolver. That is, some authoritative resolvers only load updated zone information once every five minutes, or even an hour (rarely). However, it's also common for authoritative resolvers to update zone information very rapidly, within seconds.
Besides that, the correct behavior for an ACME client is to retry badNonce errors with the nonce received with the error. Certbot recently implemented this behavior, which should hopefully solve your problem.
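To make the retry behaviour described above concrete, here is an added example that is not part of this thread, of Certbot, or of any ACME server: a client loop that, on a badNonce rejection, takes the Replay-Nonce header from the error response and resends, with a bounded number of attempts. The server class is a constructed stand-in (names FakeAcmeServer, signed_request, error_nonces_usable are assumptions) that issues single-use nonces; its error_nonces_usable switch also models the situation where the nonce supplied on the error response is itself not accepted, so the retry loop terminates instead of spinning.

```python
"""Added example (not from the thread or from Certbot): retry an ACME
request on badNonce using the Replay-Nonce carried by the error response."""
import secrets
from dataclasses import dataclass

BAD_NONCE = "urn:acme:error:badNonce"


@dataclass
class Response:
    status: int
    headers: dict
    body: dict


class FakeAcmeServer:
    """Constructed ACME server stand-in (assumed name, not Boulder).

    Every nonce it issues is single-use. With error_nonces_usable=False the
    Replay-Nonce on a badNonce error is never registered, which models the
    failure the original poster reports (retrying still yields badNonce)."""

    def __init__(self, error_nonces_usable=True):
        self._valid = set()
        self.error_nonces_usable = error_nonces_usable

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self._valid.add(nonce)
        return nonce

    def expire_all(self):
        # Simulates the nonce pool being dropped, e.g. after a long wait for a DNS TTL.
        self._valid.clear()

    def handle(self, request):
        nonce = request["nonce"]
        if nonce in self._valid:
            self._valid.discard(nonce)  # single use: never accept the same nonce twice
            return Response(200, {"Replay-Nonce": self.new_nonce()}, {"status": "ok"})
        replacement = self.new_nonce() if self.error_nonces_usable else secrets.token_urlsafe(16)
        return Response(
            400,
            {"Replay-Nonce": replacement},
            {"type": BAD_NONCE, "detail": "JWS has invalid anti-replay nonce"},
        )


def signed_request(server, nonce, payload, max_attempts=3):
    """Send one (simplified, unsigned) JWS-style request.

    On a badNonce error, retry with the Replay-Nonce from that error response.
    Returns (response, next_nonce, attempts_used); raises RuntimeError when the
    server keeps rejecting, so a broken nonce pool cannot cause an endless loop."""
    for attempt in range(1, max_attempts + 1):
        resp = server.handle({"nonce": nonce, "payload": payload})
        # Every ACME response, success or error, carries a fresh Replay-Nonce.
        nonce = resp.headers.get("Replay-Nonce", nonce)
        if not (resp.status == 400 and resp.body.get("type") == BAD_NONCE):
            return resp, nonce, attempt
    raise RuntimeError(f"still {BAD_NONCE} after {max_attempts} attempts")


if __name__ == "__main__":
    server = FakeAcmeServer()
    nonce = server.new_nonce()
    server.expire_all()  # the nonce we hold is now stale
    resp, nonce, used = signed_request(server, nonce, {"resource": "new-order"})
    print(resp.status, "after", used, "attempt(s)")  # 200 after 2 attempt(s)
```

The first request with a stale nonce is rejected, the retry with the nonce from the error succeeds, and a subsequent request that reuses the nonce returned on the success response goes through on the first attempt. With error_nonces_usable=False the loop gives up after max_attempts, which is the symptom worth logging when a client reports repeated badNonce errors.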
Thanks for the response. The client actually retries with the Replay-Nonce in the failed response, but after retrying it still gives the same error. This is usually an issue when 6+ domains are specified per certificate.
Regarding DNS challenge verification, many DNS hosts have a minimum TTL of 1800 or even 14440 so the person has to wait that long in order to verify. But after waiting that long the ACME server returns the following error:
"type": "urn:acme:error:badNonce", "detail": "JWS has invalid anti-replay nonce.."
Is there any way to increase this timeout so a person can verify by DNS after waiting for the TTL?