
Spurious bad-nonce replies from letsencrypt, cause repeated script fail #93

Open
lumieria opened this issue Oct 17, 2017 · 3 comments

@lumieria

It seems that letsencrypt is prone to spuriously replying with a "Bad Nonce" error such as:

{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has invalid anti-replay nonce qJFSreH91k9u1_1GBEpZk907cncjOI_HlZgiI2VNXoY",
  "status": 400
}

Based on my own research into the Let's Encrypt issue, their approach to solving this is to simply resubmit the request with the nonce returned in the error.

The sign_csr.py script, unfortunately, fails instead. Here is a trace:

Traceback (most recent call last):
File "letsencrypt-nosudo/sign_csr.py", line 446, in
signed_crt = sign_csr(args.public_key, args.csr_path, email=args.email, file_based=args.file_based)
File "letsencrypt-nosudo/sign_csr.py", line 341, in sign_csr
resp = urllib2.urlopen(test_url, test_data)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 437, in open
response = meth(req, response)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 550, in http_response
'http', request, response, code, msg, hdrs)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 475, in error
return self._call_chain(*args)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 558, in http_error_default
raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 400: Bad Request

The bad nonces are happening on average 1 in 5 tries. Unfortunately the script does quite a few requests, each of which may return a Bad Nonce error. So, it is virtually impossible (at least for me at the moment) to get all of the way through the script successfully. When the script fails, I have to start all over at the beginning, instead of being able to save the progress so far, and just resume at the next step.

Is there a way to save the partial successful results, and just retry the latest failed request?

@PurpleVsGreen

Can confirm this, it happened to me on the first attempt.

@cassiniNMC

The workaround is as follows:

As soon as you start the python script, everything has to be accomplished within one minute or so (I guess the nonce has a 60-second time-to-live).
If you are new to letsencrypt then first of all take your time and carefully read the instructions, then practice the steps without worrying about the timeout. Eventually you'll run into the badNonce error. Don't worry, you can repeat running the python script as often as you like until you feel confident doing all the command line inputs within a 60-second timeframe.

@diafygi
Owner

diafygi commented Mar 13, 2018

I will revisit better ways to reduce nonce timeouts when ACME v2 lands and I update the script to support that.
