
SOLVED Let's Encrypt AutoSSL Error: JWS has invalid anti-replay nonce

Discussion in 'Security' started by sharphostinguk, Mar 4, 2017.

  1. sharphostinguk

    I installed AutoSSL recently and am having trouble getting it to obtain certificates from Let's Encrypt. Running WHM 62.0 (build 16).

    Each day the logs for AutoSSL say it "will attempt to obtain a new certificate and install it" for each of the host names in the account, and then "The system will attempt to renew SSL certificates for the following websites" with a list of all the sites below. There is then a delay of usually about an hour and a half. Then a message like the following comes back:

    Code:
    8:31:54 PM WARN (XID k7x2hn) The ACME function “https://acme-v01.api.letsencrypt.org/acme/new-cert” indicated an error: “JWS has invalid anti-replay nonce cVvpJQgH-XBky1Mp1IECcsEvZBvfIrtPpwDbAmDIYmY (The client sent an unacceptable anti-replay nonce)” (400, “Bad Request”, urn:acme:error:badNonce).
    Followed by "The system has completed the AutoSSL check".

    Can anyone please point me in the right direction to get this resolved?

    Thanks.
     
    #1 sharphostinguk, Mar 4, 2017
    Last edited by a moderator: Mar 5, 2017
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

  3. sharphostinguk

    Thanks for this. I am creating a ticket through WHM. I just need confirmation from the business owner regarding granting access to the server, and will complete the process once I have that (or don't).
     
  4. sharphostinguk

    I opened a ticket, the number is 8281797.
     
  5. cPanelNick

    cPanelNick Administrator
    Staff Member

    We have a case open on this problem:

    case CPANEL-8495: Broken IPv6 routing can cause AutoSSL w/ Let's Encrypt to wait for IPv4 failover to kick in before loading (may present as JWS has invalid anti-replay nonce)

    The problem presents itself when a server has an IPv6 address but cannot reach Let's Encrypt over IPv6.

    The solution:

    • Ideally: fix whatever routing issue is preventing the server from reaching Let's Encrypt over IPv6.
    • If that's not possible, you can work around the routing problem by modifying gai.conf to lower the priority of IPv6.
    • Alternatively, switch to the cPanel AutoSSL provider which does not suffer from this problem.
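
The gai.conf workaround from the post above, modelled as an added example (not part of the original thread and not cPanel's code): it applies the `precedence` lines of a gai.conf to one IPv4 and one IPv6 candidate address and shows which is tried first. The function names and sample addresses are constructed, only the precedence rule of the RFC 3484 sort is modelled, and the thread does not say which line support actually changed; the variant below uses the value the stock gai.conf comments suggest for sites that prefer IPv4.

```python
import ipaddress

# glibc's default precedence table (RFC 3484), as listed commented-out
# in the stock /etc/gai.conf.
DEFAULT_GAI = """
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
precedence ::ffff:0:0/96 10
"""
# Constructed variant: IPv4 (handled as IPv4-mapped ::ffff:a.b.c.d) is
# raised above native IPv6, which lowers IPv6's relative priority.
PREFER_IPV4_GAI = DEFAULT_GAI.replace("::ffff:0:0/96 10", "::ffff:0:0/96 100")


def parse_precedence(conf_text):
    """Return [(network, precedence)] from the 'precedence' lines of a gai.conf."""
    table = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) == 3 and fields[0] == "precedence":
            table.append((ipaddress.ip_network(fields[1]), int(fields[2])))
    return table


def precedence_of(addr, table):
    """Longest-prefix match; IPv4 addresses are looked up in IPv4-mapped form."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    matches = [(net.prefixlen, prec) for net, prec in table if ip in net]
    # No matching entry -> 0 in this simplified model (an assumption,
    # not a statement about glibc's exact behaviour).
    return max(matches)[1] if matches else 0


def connect_order(addrs, conf_text):
    """Order candidate addresses by precedence only (highest first, stable)."""
    table = parse_precedence(conf_text)
    return sorted(addrs, key=lambda a: -precedence_of(a, table))


if __name__ == "__main__":
    candidates = ["192.0.2.10", "2001:db8::1"]  # constructed documentation addresses
    print("default     :", connect_order(candidates, DEFAULT_GAI))
    print("prefer IPv4 :", connect_order(candidates, PREFER_IPV4_GAI))
```

With the default table the IPv6 address sorts first, so a server with broken IPv6 routing has to wait for that attempt to fail before falling back to IPv4; with the changed line the IPv4 address is tried first.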
     
  6. sharphostinguk

    Thanks Nick, it's all been taken care of by the support techs and good to have this summary posted here too. The `gai.conf` fix was used in our case.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Thanks for updating your thread with the outcome.
     