webprofusion / certify

Professional ACME Client for Windows. Certificate Management UI, powered by Let's Encrypt and compatible with all ACME v2 CAs. Download from certifytheweb.com
https://certifytheweb.com

"JWS has an invalid anti-replay nonce" error with manual DNS update method #514

Closed ghost closed 3 years ago

ghost commented 4 years ago

After upgrading Certify to 5.0.12 and trying to renew a certificate using the manual DNS update method, the renewal failed. The log showed: "2020-07-15 00:32:21.854 +02:00 [ERR] Could not begin certificate order: JWS has an invalid anti-replay nonce: "0102am4ALHiwyVOgtyyWoa4nP0OhhChVSqMyV6tUqDXOPy4""

Retrying the process two more times, it actually succeeded. This sounds related to #485 and, from the look of the error log, it seems as if Certify indeed doesn't attempt a retry upon the failure in this case.

Obfuscated full log attached: certify_log.txt

webprofusion-chrisc commented 4 years ago

Hi Stefan, you'll see in the log we do indeed make multiple retry attempts and that your request then proceeded as normal with a prompt for you to manually update DNS. So your request didn't fail?

As an aside, I really recommend against using Manual DNS as a way to renew certificates, it's incredibly error prone and only really suitable for testing or if you have no other choice. Have you looked again at any of the automated DNS providers or have you ever tried the acme-dns option?

webprofusion-chrisc commented 4 years ago

Anti-replay errors are initially most likely on paused/resumed orders but are also subject to behaviour of the LE API session balancing as well (if your request gets handled by another server I don't think replay tokens are shared).

ghost commented 4 years ago

To clarify: Two initial requests didn't succeed and looked like the first one in the logs:

2020-07-15 00:32:21.044 +02:00 [INF] ---- Beginning Request [XXXXXXXX] ----
2020-07-15 00:32:21.051 +02:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2020-07-15 00:32:21.051 +02:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/XXXXXXXXX
2020-07-15 00:32:21.854 +02:00 [ERR] Could not begin certificate order: JWS has an invalid anti-replay nonce: "0102am4ALHiwyVOgtyyWoa4nP0OhhChVSqMyV6tUqDXOPy4"
2020-07-15 00:32:21.854 +02:00 [INF] Could not complete authorization for domain with the Certificate Authority: [XXXXXXXX] Could not register domain identifier
2020-07-15 00:32:23.067 +02:00 [INF] Validation of the required challenges did not complete successfully. [XXXXXXXX] :
2020-07-15 00:32:23.068 +02:00 [INF] Validation of the required challenges did not complete successfully. [XXXXXXXX] :
2020-07-15 00:32:23.068 +02:00 [INF] Validation of the required challenges did not complete successfully. [XXXXXXXX] :

That output looked to me as if no attempts with a new/fresh nonce were retried; but maybe I just read the log the wrong way here?

After these failures, I hit the "Request Certificate" button again, and Certify started a new request, asking for the manual step again. Verifying that the TXT entry was still the same, I hit "Request Certificate" again to continue the process and it finally worked at the 3rd attempt (that's the final 'Begin request' section in the attached log).

Also I'd love to get rid of the manual DNS step. Unfortunately, our current provider (domaindiscount24.de) still doesn't seem to provide any automation for that. Eventually we might switch to another provider in the future to get rid of the manual step.

Related: After that first error, the UI only displayed a cryptic error message to me. If I recall correctly, it just showed this error: "Validation of the required challenges did not complete successfully. [XXXXXXXX]: " The colon at the end suggested there should be additional details about what caused the error, but it looked like those were missing. Only the log shed some light on where the problem resided.

webprofusion-chrisc commented 4 years ago

Thanks for the clarification. Regarding DNS validation support, I've been adding providers from the Posh-acme project and more niche DNS providers will probably come from there in the near future.

I really would recommend that you try out acme-dns though, even if just using the default server (hosted by the acme-dns author, who works for Let's Encrypt). You basically create a CNAME record that points to the acme-dns server and from then on your DNS TXT record is automated.