Comments (7)
Hi @gridfocus,
This is the right place to post this! Please note I'm on vacation right now, so I will not be able to analyze this in more detail until Monday or Tuesday.
One reason this might be happening is the cache setup. What kind of cache have you configured, if any? ACME requires a distributed cache such as Redis or Memcached.
It would also help if you can tell me more about your setup. How did you install django-ca? What system is it running on? What's the configuration?
The certbot version and OS you're using might also help. It's possible (but unlikely in this case) that this also plays a part.
Kr, Mat
Hi @mathiasertl ,
Thanks for your reply. Sure, there is no rush; let me know when you have time to have a look at the issue.
The info you requested:
certbot 1.21.0 on ubuntu 22.04
django-ca installed via pip (Django version 5.0.4 also on ubuntu 22.04).
Error in nginx log:
- - [13/May/2024:16:47:57 +0200] "POST /ca/acme/32331AEF3CAC5E0F86C409AD57756726BBCB4362/new-order/ HTTP/1.1" 400 97 "-" "CertbotACMEClient/1.21.0 (certbot; Ubuntu 22.04.2 LTS) Authenticator/standalone Installer/None (certonly; flags: ) Py/3.10.12"
And the error from certbot client:
"POST /ca/acme/32331AEF3CAC5E0F86C409AD57756726BBCB4362/new-order/ HTTP/1.1" 400 97
Received response:
HTTP 400
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 14:47:57 GMT
Content-Type: application/problem+json
Content-Length: 97
Connection: keep-alive
Link: https://myserver.local/ca/acme/directory/32331AEF3CAC5E0F86C409AD57756726BBCB4362/;rel="index"
replay-nonce: 9BRvvVR1rSu7rI-1STuQ3-hAGMJJILpSlvvXaqqPzSo
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
{"type": "urn:ietf:params:acme:error:badNonce", "status": 400, "detail": "Bad or invalid nonce."}
Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/acme/client.py", line 1269, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1283, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1128, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1434, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem)
File "/usr/lib/python3/dist-packages/acme/client.py", line 936, in new_order
return cast(ClientV2, self.client).new_order(csr_pem)
File "/usr/lib/python3/dist-packages/acme/client.py", line 702, in new_order
response = self._post(self.directory['newOrder'], order)
File "/usr/lib/python3/dist-packages/acme/client.py", line 101, in _post
return self.net.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1273, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1283, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1128, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
An unexpected error occurred:
The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /home/user/new/.certbot/logs/letsencrypt.log or re-run Certbot with -v for more details.
Hi @gridfocus ,
What about your cache configuration?
Do the logs of your application server (uWSGI?) say anything?
Kr, Mat
Hello,
The log shows this error:
Bad Request: /ca/acme/32331AEF3CAC5E0F86C409AD57756726BBCB4362/new-order/
It's a pretty standard config (nginx / gunicorn / django + redis task manager + postgres db), not using cache in nginx or django.
cheers,
The Nonce is stored in the cache. Without a cache that shares data between workers, different workers will not see the nonces created by the other client. Please try configuring Redis also as a Cache (support is now even included in Django: https://docs.djangoproject.com/en/5.0/topics/cache/#redis).
By the way, there even is a system check for this:
python manage.py check --deploy
I notice that the app documentation does not really mention the need for the cache, I will certainly update that.
Please let me know if that solves the issue for you!
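The mechanism Mathias describes above, as an added illustration that is not django-ca's own code: two application-server workers that each keep a private nonce store, versus one store handed to both. The store and worker classes, the two-worker setup and the round-robin routing are assumptions made for the demo; what matches the thread is that a nonce issued by one worker must be findable by whichever worker receives the next signed POST, and that every nonce is accepted at most once (the anti-replay property that makes the server answer urn:ietf:params:acme:error:badNonce otherwise).

```python
"""Anti-replay nonces across ACME workers: private per-worker store vs a shared one.

Added illustration only; not django-ca's code. The store and worker classes and
the two-worker setup are assumptions made for the demo.
"""
import secrets


class MemoryStore:
    """Unexpired, not-yet-used nonces. One instance per process models a local
    in-memory cache (each worker sees only what it issued); one instance handed to
    every worker models a shared cache such as Redis or Memcached."""

    def __init__(self) -> None:
        self._valid: set[str] = set()

    def add(self, nonce: str) -> None:
        self._valid.add(nonce)

    def consume(self, nonce: str) -> bool:
        """Accept a nonce exactly once: unknown or already-used nonces are rejected."""
        if nonce not in self._valid:
            return False
        self._valid.remove(nonce)
        return True


BAD_NONCE = {
    "type": "urn:ietf:params:acme:error:badNonce",
    "status": 400,
    "detail": "Bad or invalid nonce.",
}


class AcmeWorker:
    """One application-server worker; the reverse proxy may route any request to any worker."""

    def __init__(self, store: MemoryStore) -> None:
        self.store = store

    def new_nonce(self) -> str:
        """What HEAD /new-nonce (or the Replay-Nonce header on any response) hands out."""
        nonce = secrets.token_urlsafe(32)  # unpredictable, base64url like the header in the thread
        self.store.add(nonce)
        return nonce

    def post(self, nonce: str) -> dict:
        """A signed POST such as /new-order/; the JWS 'nonce' field must be one we still accept."""
        if not self.store.consume(nonce):
            return dict(BAD_NONCE)
        return {"status": 201, "replay_nonce": self.new_nonce()}


def simulate(shared_cache: bool, cross_worker: bool) -> tuple[int, int]:
    """Return (status of the first POST, status of replaying the same nonce).

    shared_cache=False: each worker has its own store (no shared cache configured).
    cross_worker=True: the nonce comes from worker 1 but the POST lands on worker 2.
    """
    if shared_cache:
        store = MemoryStore()
        worker1, worker2 = AcmeWorker(store), AcmeWorker(store)
    else:
        worker1, worker2 = AcmeWorker(MemoryStore()), AcmeWorker(MemoryStore())

    target = worker2 if cross_worker else worker1
    nonce = worker1.new_nonce()
    first = target.post(nonce)["status"]
    replay = target.post(nonce)["status"]  # a reused nonce must be badNonce in every setup
    return first, replay


if __name__ == "__main__":
    for shared in (False, True):
        for cross in (False, True):
            print(f"shared_cache={shared!s:5} cross_worker={cross!s:5} -> {simulate(shared, cross)}")
```

Only the combination "no shared cache, POST routed to a different worker" fails the first request, which is why a single-worker development server hides the problem and a multi-worker gunicorn behind nginx does not. In a Django deployment the shared store is the `default` entry of the `CACHES` setting, for example Django's built-in `django.core.cache.backends.redis.RedisCache` backend with a `LOCATION` such as `redis://127.0.0.1:6379/1` (the page the comment links to documents the backend); `python manage.py check --deploy`, as the comment notes, reports a missing cache before the first certbot run does.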
Hello Mathias,
You were correct, after configuring the shared cache settings, everything is working correctly :)
Thank you,
@gridfocus that's good to hear! I have updated documentation to make this more clear.
I hope you find django-ca useful!