
Comments (7)

mathiasertl commented on September 27, 2024

Hi @gridfocus,

This is the right place to post this! Please note I'm on vacation right now, so I will not be able to analyze this in more detail until Monday or Tuesday.

One reason this might be happening is the cache setup. What kind of cache have you configured, if any? ACME requires a distributed cache such as Redis or Memcached.

It would also help if you can tell me more about your setup. How did you install django-ca? What system is it running on? What's the configuration?

The certbot version and OS you're using might also help. It's possible (but unlikely in this case) that this also plays a part.

Kr, Mat

from django-ca.

gridfocus commented on September 27, 2024

Hi @mathiasertl,
Thanks for your reply. Sure, there is no rush; let me know when you have time to have a look at the issue.

The info you requested:

Certbot 1.21.0 on Ubuntu 22.04

django-ca installed via pip (Django version 5.0.4, also on Ubuntu 22.04).

Error in nginx log:

[13/May/2024:16:47:57 +0200] "POST /ca/acme/32331AEF3CAC5E0F86C409AD57756726BBCB4362/new-order/ HTTP/1.1" 400 97 "-" "CertbotACMEClient/1.21.0 (certbot; Ubuntu 22.04.2 LTS) Authenticator/standalone Installer/None (certonly; flags: ) Py/3.10.12"

And the error from certbot client:

"POST /ca/acme/32331AEF3CAC5E0F86C409AD57756726BBCB4362/new-order/ HTTP/1.1" 400 97
Received response:
HTTP 400
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 13 May 2024 14:47:57 GMT
Content-Type: application/problem+json
Content-Length: 97
Connection: keep-alive
Link: https://myserver.local/ca/acme/directory/32331AEF3CAC5E0F86C409AD57756726BBCB4362/;rel="index"
replay-nonce: 9BRvvVR1rSu7rI-1STuQ3-hAGMJJILpSlvvXaqqPzSo
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

{"type": "urn:ietf:params:acme:error:badNonce", "status": 400, "detail": "Bad or invalid nonce."}
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1269, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1283, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1128, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1434, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 936, in new_order
    return cast(ClientV2, self.client).new_order(csr_pem)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 702, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 101, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1273, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1283, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1128, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
An unexpected error occurred:
The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /home/user/new/.certbot/logs/letsencrypt.log or re-run Certbot with -v for more details.


mathiasertl commented on September 27, 2024

Hi @gridfocus,

What about your cache configuration?

Do the logs of your application server (uWSGI?) say anything?

Kr, Mat


gridfocus commented on September 27, 2024

Hello,

The log shows this error:
Bad Request: /ca/acme/32331AEF3CAC5E0F86C409AD57756726BBCB4362/new-order/

It's a pretty standard config (nginx / gunicorn / Django + Redis task manager + Postgres DB), not using a cache in nginx or Django.

cheers,


mathiasertl commented on September 27, 2024

The nonce is stored in the cache. Without a cache that shares data between workers, different workers will not see the nonces created by the other client. Please try configuring Redis also as a cache (support is now even included in Django: https://docs.djangoproject.com/en/5.0/topics/cache/#redis).

By the way, there is even a system check for this:

python manage.py check --deploy

I notice that the app documentation does not really mention the need for the cache; I will certainly update that.

Please let me know if that solves the issue for you!

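To make the mechanism described in the comment above concrete, here is an added example (not django-ca's own code) that models an ACME server's anti-replay nonce handling across two application-server workers: each nonce is issued once and consumed once, and a nonce issued by one worker is only known to another worker if both read the same store. The names NonceStore, Worker and run_exchange, and the dict standing in for a cache backend, are assumptions of the example.

```python
import secrets

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"

class NonceStore:
    """Single-use nonce store; the dict stands in for a Django cache backend (constructed)."""
    def __init__(self, backend: dict):
        self.backend = backend

    def issue(self) -> str:
        nonce = secrets.token_urlsafe(32)
        self.backend[nonce] = True  # a real cache entry would also carry a TTL
        return nonce

    def consume(self, nonce: str) -> bool:
        # pop() makes each nonce single-use, so a replayed nonce is rejected
        return self.backend.pop(nonce, None) is True

class Worker:
    """One application-server process (e.g. a gunicorn worker) serving the ACME endpoints."""
    def __init__(self, cache: dict):
        self.nonces = NonceStore(cache)

    def head_new_nonce(self) -> dict:
        return {"Replay-Nonce": self.nonces.issue()}

    def post_new_order(self, jws_nonce: str) -> dict:
        if not self.nonces.consume(jws_nonce):
            return {"status": 400, "type": BAD_NONCE, "detail": "Bad or invalid nonce."}
        return {"status": 201, "Replay-Nonce": self.nonces.issue()}  # order would be created here

def run_exchange(shared_cache: bool) -> int:
    """Client gets a nonce from worker A, posts new-order to worker B; returns B's HTTP status."""
    if shared_cache:
        cache = {}  # one store read by both workers, as Redis or Memcached would be
        worker_a, worker_b = Worker(cache), Worker(cache)
    else:
        worker_a, worker_b = Worker({}), Worker({})  # per-process memory, like LocMemCache
    nonce = worker_a.head_new_nonce()["Replay-Nonce"]
    return worker_b.post_new_order(nonce)["status"]

def replay_is_rejected() -> bool:
    """Even within one worker, a nonce that was already consumed must be refused."""
    worker = Worker({})
    nonce = worker.head_new_nonce()["Replay-Nonce"]
    first = worker.post_new_order(nonce)["status"]
    second = worker.post_new_order(nonce)["status"]
    return first == 201 and second == 400
```

With several gunicorn workers behind nginx, the client's HEAD new-nonce and POST new-order requests routinely land on different processes, which is why a per-process cache produces the 400 badNonce seen in the logs above.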

gridfocus commented on September 27, 2024

Hello Mathias,

You were correct, after configuring the shared cache settings, everything is working correctly :)

Thank you,


mathiasertl commented on September 27, 2024

@gridfocus that's good to hear! I have updated the documentation to make this clearer.

I hope you find django-ca useful!

