action #166976
closed
dehydrated error on o3: "JWS has no anti-replay nonce"
Description
The cron daemon reported an error during the renewal of the TLS certificates on o3:
+ ERROR: An error occurred while sending head-request to https://acme-v02.api.letsencrypt.org/acme/new-nonce (Status 503)
Details:
HTTP/2 503
server: nginx
date: Wed, 18 Sep 2024 00:00:02 GMT
content-type: application/problem+json
content-length: 90
cache-control: private
retry-after: 7
/usr/bin/dehydrated: line 737: 1: unbound variable
+ ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)
Details:
HTTP/2 400
server: nginx
date: Wed, 18 Sep 2024 00:00:03 GMT
content-type: application/problem+json
content-length: 112
boulder-requester: 1199940347
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: UAMvsxnwPbq16itgZ7VH3R4fO4kHnh40eCxwKxESWNNkcphNDPE
{
"type": "urn:ietf:params:acme:error:badNonce",
"detail": "JWS has no anti-replay nonce",
"status": 400
}
/usr/bin/dehydrated: line 737: 1: unbound variable
Processing openqa.opensuse.org
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Oct 17 23:00:12 2024 GMT (Less than 30 days). Renewing!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
Updated by tinita 3 months ago · Edited
- Subject changed from Unbound variable error while requesting letsencrypt certificate on o3 to dehydrated error on o3: "JWS has no anti-replay nonce"
Possibly something that can happen sporadically and was fixed with a retry in dehydrated 7.1:
- https://community.letsencrypt.org/t/curl-returned-with-35/221450/3
- https://github.com/dehydrated-io/dehydrated/releases/tag/v0.7.1
We have 7.0 and might have to live with such sporadic failures.
The "unbound variable" is misleading and seems to come from calling _exiterr without an argument at the end of http_request(). Might be worth a bug report.
edit: that was also already fixed: https://github.com/dehydrated-io/dehydrated/commit/26660e11c742aa8c52dd4f1093e0148e33aee2f5
Updated by nicksinger 3 months ago
- Status changed from New to Resolved
- Assignee set to nicksinger
I've created an upstream bug to request a new version: https://bugzilla.suse.com/show_bug.cgi?id=1230863
Since this was the only time we encountered the issue and 503 indicates a problem on the remote side, I think we can close this. If this now happens more often we can think about implementing a workaround.
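
The two failures in this ticket (new-nonce answered with 503 and retry-after: 7, followed by a new-order rejected as badNonce, and an error helper called without an argument under nounset) can be handled as in the following shell code. It is an added example, not part of the ticket and not dehydrated's code; the function names, the stubbed new-nonce response, the simplified header and the placeholder URL are assumptions.

```shell
#!/bin/sh
# Added example: every name here is hypothetical, not dehydrated's own code.
set -u   # nounset: the mode behind "line 737: 1: unbound variable"

SLEEP_CMD=${SLEEP_CMD:-:}     # ':' keeps the demo instant; use 'sleep' for real waits
STUB_FAILS=${STUB_FAILS:-1}   # constructed: number of 503 replies before a nonce
stub_calls=0

# Error helper: "${1:-...}" stays safe under nounset when called with no argument.
exiterr() {
  echo "ERROR: ${1:-unspecified error}" >&2
  return 1
}

# Constructed stand-in for HEAD new-nonce; sets RESP_* instead of using the network.
fetch_nonce_stub() {
  stub_calls=$((stub_calls + 1))
  if [ "$stub_calls" -le "$STUB_FAILS" ]; then
    RESP_STATUS=503 RESP_RETRY_AFTER=7 RESP_NONCE=""
  else
    RESP_STATUS=200 RESP_RETRY_AFTER="" RESP_NONCE="constructed-nonce-$stub_calls"
  fi
}

# Retry new-nonce, honouring Retry-After; sets NONCE and never succeeds with it empty.
get_nonce() {
  max_tries=${1:-3} try=1 NONCE=""
  while [ "$try" -le "$max_tries" ]; do
    fetch_nonce_stub
    if [ "$RESP_STATUS" = 200 ] && [ -n "$RESP_NONCE" ]; then
      NONCE=$RESP_NONCE
      return 0
    fi
    echo "new-nonce attempt $try: status $RESP_STATUS" >&2
    $SLEEP_CMD "${RESP_RETRY_AFTER:-1}"
    try=$((try + 1))
  done
  exiterr "no anti-replay nonce after $max_tries attempts"
}

# Build a simplified protected header (kid/jwk omitted); fail locally instead of
# sending a JWS that the CA would reject with badNonce.
protected_header() {
  [ -n "${NONCE:-}" ] || { exiterr "refusing to sign without a nonce"; return 1; }
  printf '{"alg":"ES256","nonce":"%s","url":"%s"}' "$NONCE" "$1"
}

# Demo: one constructed 503, then a nonce (URL is a placeholder).
if get_nonce 3; then protected_header "https://acme.example/new-order"; echo; fi
```

With `SLEEP_CMD=sleep` the loop waits the number of seconds the server asked for before each retry; a renewal job that still gets no nonce exits with a clear message instead of a nounset abort.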