==============
== morph.sh ==
==============
Just make something out of wood for a change.

How to fix the 'JWS has invalid anti-replay nonce' Letsencrypt Error in Dehydrated

sysadmin letsencrypt dehydrated en

In the past few weeks, a bunch of my servers reported that they weren’t able to automatically renew their Let’s Encrypt certificates, so I investigated what had gone wrong there. The error was always the same:

+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 400)

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

Nearly all of my servers use the magnificent Dehydrated as their Let’s Encrypt client - it is implemented as a simple shell script that uses OpenSSL to talk to the Let’s Encrypt API and verify the challenges. This makes life a lot easier compared to the stupid bloated default client.

A few commenters on the Let’s Encrypt support forums and other sites that Duckduckgo found for me claimed that this error would go away by simply retrying the verification process once or twice. I can confirm that this has worked for me in the past with this error message, but it doesn’t anymore.

TL;DR: update Dehydrated

To make it short: I still don’t know what is going on. Apparently there was some change on LE’s side, but I haven’t found any information on the matter. However, updating to Dehydrated’s latest version, v0.6.5, fixed it in 100% of the cases. I know that this is kind of unsatisfactory (I hate it when it’s working again but nobody knows what caused it), but it’s working now and I have other things to do, sooo this’ll have to do.
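As an added example (my own, not code from this post or from the Dehydrated project), here is a small POSIX shell wrapper that recognizes the badNonce problem document quoted above, extracts the Replay-Nonce header that an ACME client must echo back in its next signed request, retries a bounded number of times the way the forum advice suggested, and otherwise falls back to the version check against v0.6.5. The sample error text and the nonce value are constructed.

```shell
#!/bin/sh
# Added example, not from morph.sh or Dehydrated. Helpers to diagnose the
# "urn:acme:error:badNonce" failure and retry a renewal a bounded number of times.

# Constructed copy of the failing Dehydrated output quoted in the post.
SAMPLE_ERR='+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 400)
Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}'

# Constructed ACME response headers; the nonce value is made up.
SAMPLE_HDR='HTTP/1.1 400 Bad Request
Replay-Nonce: Cons7ruct3dN0nc3Value
Content-Type: application/problem+json'

# Return 0 when the client output contains the badNonce problem document.
is_bad_nonce() {
    printf '%s\n' "$1" | grep -q '"type": *"urn:acme:error:badNonce"'
}

# Print the Replay-Nonce the server handed out; the next JWS must carry it.
extract_nonce() {
    printf '%s\n' "$1" | awk 'tolower($1) == "replay-nonce:" { print $2; exit }' | tr -d '\r'
}

# Compare dotted versions numerically; return 0 when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) { if (x[i] + 0 > y[i] + 0) exit 0; if (x[i] + 0 < y[i] + 0) exit 1 }
        exit 0 }'
}

# Run a renewal command up to $2 times, retrying only on badNonce.
# Exit 0 on success, 1 on any other error, 2 when badNonce persists.
renew_with_retry() {
    cmd=$1; max=$2; n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        out=$($cmd 2>&1) && return 0
        if is_bad_nonce "$out"; then
            echo "attempt $n: badNonce, retrying" >&2
            sleep "${RETRY_DELAY:-2}"
            continue
        fi
        printf '%s\n' "$out" >&2
        return 1
    done
    echo "still badNonce after $max attempts: check that Dehydrated is >= 0.6.5" >&2
    return 2
}
```

Invoke it from cron as `renew_with_retry './dehydrated -c' 3` (the path to the script is yours to fill in); a persistent exit status of 2 is the signal to update rather than keep retrying.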