I use Crypt-LE (le64.exe, version 0.38) to issue a wildcard certificate for my domain, which requires DNS verification.
The certificate is to be valid for *.my.domain and for my.domain (without a subdomain), so two TXT records must be created.
I changed the Crypt-LE/Plugins/DNS.pm script a bit, so it calls a Windows batch script I wrote, as a module for le64 to handle challenges with.
The Windows batch script calls APIs from my DNS provider (zoneedit.com) to create and delete TXT records in the DNS.
Creating the two requested TXT records in the DNS succeeded, as well as the first DNS verification (for *.my.domain).
Then the first TXT record that was created is deleted successfully, as it is no longer needed.
After that, the second DNS verification (for my.domain i.e. without a subdomain) failed.
Apparently there was some kind of time-out; the message is "Domain verification results for 'my.domain': error. JWS has an invalid anti-replay nonce: <a long random code>".
The process then continued with successfully deleting the second TXT record.
Finally le64.exe ends with a "Verification failed for domains: my.domain" message.
What does it take to avoid the "JWS has an invalid anti-replay nonce" and the process ending in a failure?
Is there something I can do, or is that something that should be solved in le64.exe?
A more detailed description of the steps the process took follows:
DNS.pm reported: Processing the 'dns' challenge for '*.my.domain' with DNS
The batch script called the create API to create an "_acme-challenge.my.domain" TXT record in the DNS with the requested code.
API result: <SUCCESS CODE="200" TEXT="_acme-challenge.my.domain TXT updated to <code>" ZONE="my.domain">
Then the script waited 5 minutes (because my DNS provider - zoneedit.com - requires 300 seconds between requests).
The script did an NSLOOKUP and found that the requested TXT record exists, so the script continued.
DNS.pm reported: Processing the 'dns' challenge for 'my.domain' with DNS
The batch script called the create API again to create another "_acme-challenge.my.domain" TXT record in the DNS with the second requested code.
API result: <SUCCESS CODE="200" TEXT="_acme-challenge.my.domain TXT updated to <2nd code>" ZONE="my.domain">
Again the script waited 5 minutes.
Another NSLOOKUP found that the second requested TXT record exists too and the script continued.
DNS.pm reported: Processing the 'dns' verification for '*.my.domain' with DNS
and: Domain verification results for '*.my.domain': success.
The script then called the delete API to delete the first "_acme-challenge.my.domain" TXT record from the DNS.
API result: <SUCCESS CODE="200" TEXT="_acme-challenge.my.domain TXT with rdata <code> deleted" ZONE="my.domain">
Again it waited 5 minutes.
NSLOOKUP found that the first requested TXT record was deleted and the script continued.
DNS.pm reported: Processing the 'dns' verification for 'my.domain' with DNS
and: Domain verification results for 'my.domain': error. JWS has an invalid anti-replay nonce: "<a long random code>"
The script called the delete API a second time to delete the second "_acme-challenge.my.domain" TXT record from the DNS.
API result: <SUCCESS CODE="200" TEXT="_acme-challenge.my.domain TXT with rdata <2nd code> deleted" ZONE="my.domain">
Again it waited 5 minutes.
NSLOOKUP found that the second TXT record was deleted too and the script continued.
DNS.pm reported: Verification failed for domains: my.domain
I'll have a look, but as a rule of thumb, when multiple records have to be created, the TXT records should remain there for all of those until the verification is completed (in essence, with two records, you should not be deleting one and then creating another - they need to be both there for when LE servers try checking them).
The delete requests are issued by Crypt-LE.
The first delete request comes after the first DNS verification - for the wildcard (*.my.domain) - is successfully completed.
The second delete request comes after the second DNS verification - for my.domain without subdomain - which failed.
So the order in which Crypt-LE processes apparently is:

1. create for *.my.domain (success)
2. create for my.domain (success)
3. verification for *.my.domain (success)
4. delete for *.my.domain (success)
5. verification for my.domain (invalid nonce)
6. delete for my.domain (success)
7. verification for my.domain (fail)
I don't see how I can influence this behaviour.
I suppose that, after the invalid nonce (step 5), Crypt-LE should not have requested the second delete (step 6) yet.
It should have first re-done the verification with a new nonce,
and requested the delete only after the verification had completed successfully.