SOLVED Let's Encrypt AutoSSL Error: JWS has invalid anti-replay nonce

sharphostinguk · Mar 4, 2017

I installed AutoSSL recently and am having trouble getting it to obtain certificates from Let's Encrypt. Running WHM 62.0 (build 16).

Each day the logs for AutoSSL say it "will attempt to obtain a new certificate and install it" for each of host names in the account, and then "The system will attempt to renew SSL certificates for the following websites" with a list of all the sites below. There is then a delay of usually about an hour and a half. Then a message like the following comes back:

Code:

8:31:54 PM WARN (XID k7x2hn) The ACME function “https://acme-v01.api.letsencrypt.org/acme/new-cert” indicated an error: “JWS has invalid anti-replay nonce cVvpJQgH-XBky1Mp1IECcsEvZBvfIrtPpwDbAmDIYmY (The client sent an unacceptable anti-replay nonce)” (400, “Bad Request”, urn:acme:error:badNonce).

Followed by "The system has completed the AutoSSL check".

Can anyone please point me in the right direction to get this resolved?

Thanks.

cPanelNick · Mar 5, 2017

Hi sharphostinguk,

Would you please open a ticket from WHM or cPanel Customer Portal and post the ticket # here.

Thanks

sharphostinguk · Mar 5, 2017

Thanks for this. I am creating a ticket through WHM. I just need confirmation from the business owner regarding granting access to the server, and will complete the process once I have that (or don't).

sharphostinguk · Mar 5, 2017

I opened a ticket, the number is 8281797.

cPanelNick · Mar 7, 2017

We have a case open on this problem:

case CPANEL-8495: Broken IPv6 routing can cause AutoSSL w/ Let's Encrypt to wait for IPv4 failover to kick in before loading (may present as JWS has invalid anti-replay nonce)

The problem presents itself when a server has an IPv6 address but cannot reach Let's Encrypt over IPv6.

The solution:

Ideally: fix whatever routing issue preventing the server from reaching Let's Encrypt over IPv6.
If thats not possible, you can work around the routing problem by modifying gai.conf to lower the priority of IPv6.
Alternatively, switch to the cPanel AutoSSL provider which does not suffer from this problem.

sharphostinguk · Mar 8, 2017

Thanks Nick, it's all been taken care of by the support techs and good to have this summary posted here too. The `gai.conf` fix was used in our case.

Infopro · Mar 8, 2017

Thanks for updating your thread with the outcome.

Thread starter	Similar threads	Forum	Replies	Date
P	Certificate for a delegated subdomain (AutoSSL + Let's Encrypt).	Security	2	Feb 16, 2023
A	AutoSSL - Switch from Sectigo to Let's Encrypt	Security	3	Jan 31, 2023
U	Let's Encrypt plugin out of date causing AutoSSL to fail on latest "release" of cPanel	Security	1	Jun 7, 2020
A	autossl not renewing certs following change to let's encrypt	Security	8	Dec 6, 2019
J	SOLVED [CPANEL-22093] Cpanel::Exception::ACME warnings during Let's Encrypt AutoSSL check	Security	7	Jul 31, 2018

Search

Search

SOLVED Let's Encrypt AutoSSL Error: JWS has invalid anti-replay nonce

sharphostinguk

Member

cPanelNick

Administrator

sharphostinguk

Member

sharphostinguk

Member

cPanelNick

Administrator

sharphostinguk

Member

Infopro

Well-Known Member