Let's Encrypt AutoSSL Error: JWS has invalid anti-replay nonce
I installed AutoSSL recently and am having trouble getting it to obtain certificates from Let's Encrypt. Running WHM 62.0 (build 16).
Each day the logs for AutoSSL say it "will attempt to obtain a new certificate and install it" for each of the host names in the account, and then "The system will attempt to renew SSL certificates for the following websites" with a list of all the sites below. There is then a delay of usually about an hour and a half. Then a message like the following comes back:
8:31:54 PM WARN (XID k7x2hn) The ACME function "https://acme-v01.api.letsencrypt.org/acme/new-cert" indicated an error: "JWS has invalid anti-replay nonce cVvpJQgH-XBky1Mp1IECcsEvZBvfIrtPpwDbAmDIYmY (The client sent an unacceptable anti-replay nonce)" (400, "Bad Request", urn:acme:error:badNonce).
Followed by "The system has completed the AutoSSL check". Can anyone please point me in the right direction to get this resolved? Thanks.
Hi sharphostinguk, Would you please open a ticket from WHM or cPanel Customer Portal and post the ticket # here. Thanks
Thanks for this. I am creating a ticket through WHM. I just need confirmation from the business owner regarding granting access to the server, and will complete the process once I have that (or don't).
I opened a ticket, the number is 8281797.
We have a case open on this problem: case CPANEL-8495: Broken IPv6 routing can cause AutoSSL w/ Let's Encrypt to wait for IPv4 failover to kick in before loading (may present as JWS has invalid anti-replay nonce)
The problem presents itself when a server has an IPv6 address but cannot reach Let's Encrypt over IPv6. The solution:
- Ideally: fix whatever routing issue is preventing the server from reaching Let's Encrypt over IPv6.
- If that's not possible, you can work around the routing problem by modifying gai.conf to lower the priority of IPv6.
- Alternatively, switch to the cPanel AutoSSL provider which does not suffer from this problem.
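A way to check a server for the condition described in case CPANEL-8495 above, as an added example that is not part of the original thread or cPanel's own code: it probes the ACME host from the log line over IPv6 and IPv4 separately and times each attempt. The function names, port 443 and the 5-second timeout are assumptions made for this sketch.

```python
import socket
import time

ACME_HOST = "acme-v01.api.letsencrypt.org"  # host taken from the log line in this thread


def tcp_connect(family, sockaddr, timeout):
    """Open and close one TCP connection; raises OSError on failure or timeout."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sockaddr)


def probe(host, port, family, timeout=5.0,
          resolve=socket.getaddrinfo, connect=tcp_connect):
    """Connect to host over a single address family. Returns (status, seconds)."""
    try:
        addrs = resolve(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return ("no-address", 0.0)  # name does not resolve for this family
    start = time.monotonic()
    for *_, sockaddr in addrs:
        try:
            connect(family, sockaddr, timeout)
            return ("ok", time.monotonic() - start)
        except OSError:
            continue  # try the next address, if any
    return ("unreachable", time.monotonic() - start)


def verdict(v6, v4):
    """Classify the pair of probe results."""
    if v6[0] == "ok":
        return "ipv6-ok"
    if v6[0] == "unreachable" and v4[0] == "ok":
        return "ipv6-broken"  # resolves over IPv6 but only IPv4 connects
    if v4[0] == "ok":
        return "ipv4-only"
    return "no-connectivity"


if __name__ == "__main__":
    v6 = probe(ACME_HOST, 443, socket.AF_INET6)
    v4 = probe(ACME_HOST, 443, socket.AF_INET)
    print(f"IPv6: {v6[0]} ({v6[1]:.1f}s)  IPv4: {v4[0]} ({v4[1]:.1f}s)")
    print("verdict:", verdict(v6, v4))
```

A slow `unreachable` on IPv6 next to a fast `ok` on IPv4 matches the failover delay the case describes.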
Thanks Nick, it's all been taken care of by the support techs and good to have this summary posted here too. The `gai.conf` fix was used in our case.
Thanks for updating your thread with the outcome.