forward-domain
Issues seen in an AWS cloud deployment
Hi,
Thanks so much for authoring this project - it is incredibly useful and well put-together, and I've found a great amount of value in it overall.
I stood up an instance of this a few months ago on an Ubuntu t2.medium instance on AWS. For the most part, it works, but I occasionally get this error:
Oct 02 17:31:42 ip-10-48-1-253 redirect[27253]: {
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: at file:///home/ubuntu/forward-domain/src/sni.js:61:53
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: at Client.generateCertificate (file:///home/ubuntu/forward-domain/src/certnode/lib/client.js:83:44)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: at processTicksAndRejections (node:internal/process/task_queues:95:5)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: at Client.newOrder (file:///home/ubuntu/forward-domain/src/certnode/lib/client.js:286:19)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: }
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: "status": 400
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: "detail": "JWS has an invalid anti-replay nonce: \"<edited-out>\"",
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: "type": "urn:ietf:params:acme:error:badNonce",
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: Error: newOrder() Status Code: 400 Data: {
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: at file:///home/ubuntu/forward-domain/src/sni.js:61:53
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: at Client.generateCertificate (file:///home/ubuntu/forward-domain/src/certnode/lib/client.js:83:44)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: at processTicksAndRejections (node:internal/process/task_queues:95:5)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: at Client.newOrder (file:///home/ubuntu/forward-domain/src/certnode/lib/client.js:286:19)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: }
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: "status": 400
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: "detail": "JWS has an invalid anti-replay nonce: \"<edited-out>\"",
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: "type": "urn:ietf:params:acme:error:badNonce",
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: Error: newOrder() Status Code: 400 Data: {
My server is run via systemd; the service file is reproduced here:
[Unit]
Description=Redirect proxy service
After=syslog.target network.target postgresql.service
[Service]
User=ubuntu
Type=simple
LimitNOFILE=4096
IgnoreSIGPIPE=false
KillMode=process
Environment=NVM_DIR=/home/ubuntu/.nvm
Environment=PATH=/home/ubuntu/.nvm/versions/node/v18.17.1/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
ExecStart=/home/ubuntu/.nvm/versions/node/v18.17.1/bin/pm2-runtime /home/ubuntu/forward-domain/app.js -i max
Restart=always
RestartSec=5s
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=redirect
[Install]
WantedBy=multi-user.target
Curious what I am doing wrong to have these errors? Occasionally, when adding new domains or using old ones, the redirect does not work. I've seen this error with CNAMEs and A records, but more consistently with A records - I actually can't get A records to work right now, which is why I'm making the issue in general!
Thank you very much for your time here, and thanks again for the fantastic app!
Hi,
From your error message, it seems like the request is modified by some proxies in AWS? I don't know because I use other cloud platforms and it just works fine. Let me leave this for a moment if someone else has this problem too.
After some reading, I think this is because the server is spawned in parallel, a common load-balancing strategy in a cloud environment, which is currently not supported. I think sticking to one VM and one static IP address is best.
https://community.letsencrypt.org/t/jws-has-invalid-anti-replay-nonce-status-400/84004/8