Solved LE not updating. JWS has an invalid anti-replay nonce. And CAA record missing

Richard G

So today a wildcard update did not work due to the above reason.
Part of the DA system message:
Code:
2022/10/23 00:36:43 [INFO] [*.mydomain.nl] acme: use dns-01 solver
2022/10/23 00:36:43 [INFO] [mydomain.nl] acme: Could not find solver for: tls-alpn-01
2022/10/23 00:36:43 [INFO] [mydomain.nl] acme: Could not find solver for: http-01
2022/10/23 00:36:43 [INFO] [mydomain.nl] acme: use dns-01 solver
2022/10/23 00:36:43 [INFO] [*.mydomain.nl] acme: Preparing to solve DNS-01
2022/10/23 00:36:44 [INFO] [*.mydomain.nl] acme: Trying to solve DNS-01
2022/10/23 00:36:44 [INFO] [*.mydomain.nl] acme: Checking DNS record propagation using [8.8.8.8:53]
2022/10/23 00:37:14 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]

2022/10/23 00:48:25 [INFO] [mydomain.nl] acme: Cleaning DNS-01 challenge
2022/10/23 00:48:26 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/167XXXXXXXXX :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "327Ce7J_fVk5ZBxDvxUIlUYxARn_PfxxxxxxxxxxXXXXxxxxxx"
2022/10/23 00:48:26 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/167xxxxxxxxx
2022/10/23 00:48:27 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/167xxxxxxxxx
2022/10/23 00:48:27 Could not obtain certificates:
error: one or more domains had a problem:
[*.mydomain.nl] time limit exceeded: last error: read udp 144.xx.xx.xx:52233->144.xx.xx.xx:53: i/o timeout
[mydomain.nl] time limit exceeded: last error: read udp 144.xx.xx.xx:60670->144.xx.xx.xx:53: i/o timeout
Certificate generation failed.

Now, especially the i/o timeout at the end, I don't understand why this occurs.
The first 144 IP is the server IP, which is also bound to the hostname and ns1.
The second 144 IP is the 2nd nameserver IP. On the same server, by the way. I know they shouldn't both be on 1 server, but the customer wants it that way.

DNS of the domain does not contain any CAA record.

I did run this command:
dig CAA mydomain.nl @8.8.8.8
which gave a nice answer and not a servfail.

I didn't try a manual update yet, because I'm trying to figure out why this is going wrong.

Anyone?
 
Hmmz... think I've found the problem already.

Seems ns2 is not listening to port 53 for some reason.
 
Pfff... solved. For some reason the 2nd ip was not up anymore. Very odd.

Used the service startips restart command and problem solved.
 
Add your server IP to Brute Force Monitor's skip list, then try again; after your request is sent, restart the "named" service, it may help.
(Brute Force Monitor's bug, sometimes... it will block your server's cert renewal.)

Some people (including me) get the same problem.
 
Add your server ip into Brute Force Monitor's skip list,
Thank you. But as you can see from my solution, this wouldn't have fixed my issue, because the problem was not caused by a BFM block.

I've seen the thread where your tip was mentioned, but I see that as a workaround, not as a solution.
If that issue occurred on my servers, personally I would rather investigate why that even happens than just put the IP in the skip list.
Because the server IP should never be blocked, so probably there is some other underlying cause to that.

However, thank you for responding.
 
So when manually updating, I still saw this line, which is odd:
Code:
2022/10/23 16:15:16 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2022/10/23 16:15:17 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/chall-v3/16782xxxxxxxxx :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "F977Zgj0pXVJBaBUWDRqwAI7BD_Arlpiup9xxxxxxx"

Again that JWS has an invalid anti-replay nonce, but the certificate renewed fine.

We'll keep an eye on this on other updates.
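A small triage script, added here as an example and not part of DirectAdmin, lego or this thread, that separates the two errors seen in these logs: the badNonce line, which the client retries on its own with a fresh nonce, and the udp i/o timeout, which names the nameserver address that never answered on port 53. The log text, IP addresses and identifiers in it are constructed placeholders modelled on the quoted output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of the renewal log quoted in this thread (addresses replaced
# with documentation-range placeholders); not a real capture.
FAILED_RUN = """\
2022/10/23 00:37:14 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2022/10/23 00:48:26 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/PLACEHOLDER :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "PLACEHOLDER"
2022/10/23 00:48:27 Could not obtain certificates:
error: one or more domains had a problem:
[*.mydomain.nl] time limit exceeded: last error: read udp 192.0.2.10:52233->192.0.2.11:53: i/o timeout
[mydomain.nl] time limit exceeded: last error: read udp 192.0.2.10:60670->192.0.2.11:53: i/o timeout
Certificate generation failed.
"""

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"
# "[name] time limit exceeded: ... read udp SRC:PORT->DST:53: i/o timeout"
UDP_TIMEOUT = re.compile(
    r"^\[(?P<name>[^\]]+)\] time limit exceeded: .*read udp "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):53: i/o timeout"
)

@dataclass
class Triage:
    bad_nonce_retries: int = 0
    unreachable: dict = field(default_factory=dict)  # nameserver IP -> names that timed out
    failed: bool = False

    def verdict(self) -> str:
        if self.unreachable:
            ips = ", ".join(sorted(self.unreachable))
            return f"DNS-01 propagation check timed out against {ips}: verify named is listening on udp/53 there"
        if self.failed:
            return "renewal failed for a reason other than a DNS timeout; read the full log"
        if self.bad_nonce_retries:
            return "badNonce only: the client retried with a fresh nonce and renewal proceeded"
        return "no ACME errors found"

def triage(log: str) -> Triage:
    t = Triage()
    for line in log.splitlines():
        if BAD_NONCE in line:
            t.bad_nonce_retries += 1  # RFC 8555: server returns a new nonce, client retries
        elif (m := UDP_TIMEOUT.match(line)):
            t.unreachable.setdefault(m["dst"], []).append(m["name"])
        elif line.startswith("Certificate generation failed"):
            t.failed = True
    return t

if __name__ == "__main__":
    print(triage(FAILED_RUN).verdict())
```

Run it over the full DirectAdmin/lego output of a failed renewal; the verdict points at the address to check with `dig` before touching BFM or retrying.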
 