acme-nosudo
Spurious bad-nonce replies from letsencrypt, cause repeated script fail
It seems that letsencrypt is prone to spuriously replying with a "Bad Nonce" error such as:
```json
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has invalid anti-replay nonce qJFSreH91k9u1_1GBEpZk907cncjOI_HlZgiI2VNXoY",
  "status": 400
}
```
Based on my own research into the Let's Encrypt issue, their approach to solving this is to simply resubmit the request with the nonce returned in the error.
The sign_csr.py script, unfortunately, fails instead. Here is a trace:
```
Traceback (most recent call last):
  File "letsencrypt-nosudo/sign_csr.py", line 446, in
```
The bad nonces are happening on average 1 in 5 tries. Unfortunately the script does quite a few requests, each of which may return a Bad Nonce error. So, it is virtually impossible (at least for me at the moment) to get all of the way through the script successfully. When the script fails, I have to start all over at the beginning, instead of being able to save the progress so far and just resume at the next step.
Is there a way to save the partial successful results, and just retry the latest failed request?
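As an added example (not code from letsencrypt-nosudo or from this thread), the retry the poster describes, in Python: when the CA answers badNonce, resend the same request under the Replay-Nonce header that the error reply carries instead of aborting the whole run. `FakeAcmeServer` is a constructed stand-in that rejects a couple of perfectly valid nonces the way the poster observed; in the real script `server.post` would be the signed HTTP POST.

```python
BAD_NONCE = "urn:acme:error:badNonce"


class FakeAcmeServer:
    """Constructed stand-in for the ACME endpoint (not the real CA).

    Every reply, error or not, carries a fresh Replay-Nonce header. A nonce
    is accepted once; on top of that the first `spurious` valid requests are
    rejected anyway, mimicking the random badNonce replies seen above."""

    def __init__(self, spurious=2):
        self.counter = 0
        self.valid = set()
        self.spurious = spurious

    def new_nonce(self):
        self.counter += 1
        nonce = "nonce-%d" % self.counter
        self.valid.add(nonce)
        return nonce

    def post(self, nonce, payload):
        fresh = self.new_nonce()
        accepted = nonce in self.valid
        self.valid.discard(nonce)          # a nonce is single-use either way
        if accepted and self.spurious > 0:
            self.spurious -= 1             # spurious reject of a good nonce
            accepted = False
        if accepted:
            return 200, {"Replay-Nonce": fresh}, {"status": "ok", "payload": payload}
        body = {"type": BAD_NONCE,
                "detail": "JWS has invalid anti-replay nonce %s" % nonce,
                "status": 400}
        return 400, {"Replay-Nonce": fresh}, body


def post_with_nonce_retry(server, nonce, payload, max_retries=5):
    """Send `payload` under `nonce`; on badNonce, resend with the Replay-Nonce
    taken from the error reply rather than failing the whole run.

    Returns (status, body, next_nonce, retries_used)."""
    retries = 0
    while True:
        status, headers, body = server.post(nonce, payload)
        nonce = headers["Replay-Nonce"]    # always carry the fresh nonce forward
        if status == 400 and body.get("type") == BAD_NONCE and retries < max_retries:
            retries += 1
            continue
        return status, body, nonce, retries
```

Capping the retries matters: a nonce that is rejected because it really was reused or expired should surface as an error, not loop forever.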
Can confirm this, it happened to me on the first attempt.
The workaround is as follows:
As soon as you start the python script, everything has to be accomplished within one minute or so (I guess the nonce has a 60 seconds time-to-live). If you are new to letsencrypt then first of all take your time and carefully read the instructions, then practice the steps without worrying about the timeout. Eventually you'll run into the badNonce error. Don't worry, you can repeat running the python script as often as you like until you feel confident doing all the command line inputs within a 60-second timeframe.
I will revisit better ways to reduce nonce timeouts when ACME v2 lands and I update the script to support that.