[LetsEncrypt] Certificate installation for re-used domain fails

Hey :slight_smile:

So far I have had a very smooth experience with yunohost, only now I cannot figure out what is going on.
As I had screwed up my email configurations beyond repair and was too naive to have backups yet, I today decided to completely scrap my VPS running yunohost and start anew from a fresh debian and yunohost install, keeping the public IP.
I did not change the existing DNS records, as they still match the recommended settings after the reinstall.
This has mostly worked and email is back up and running, but I am having trouble registering the LetsEncrypt certificate for my domain name:
in the web interface the process just remains in an infinite loading state; on the yunohost CLI, the output of yunohost domain cert-install DOMAINNAME produces the error below.

As the internals of LetsEncrypt and the cert-install command are unclear to me, I was hoping that someone could tell whether I am overlooking something that will confuse LetsEncrypt when re-using my domain name on the fresh install or similar.

Detailed behavior of the cert-install command:
$ yunohost domain cert-install DOMAINNAME
returns:

Info: Now attempting install of certificate for domain DOMAINNAME!
Info: Parsing account key...
Info: Parsing CSR...
Info: Registering account...

and here it will remain for about half an hour and then produce the following error:

Error: Error registering: 400 {
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has invalid anti-replay nonce IjJGVUPwQUrw_zNLjpuHSRcNk7qTUnPgANQHoT5W14s",
  "status": 400
}
Warning: Debug information:
 - domain ip from DNS        [public IP of the VPS]
 - domain ip from local DNS  [public IP of the VPS]
 - public ip of the server   [public IP of the VPS]

Warning: Debug information:
 - domain ip from DNS        [public IP of the VPS]
 - domain ip from local DNS  [public IP of the VPS]
 - public ip of the server   [public IP of the VPS]

Error: Certificate installation for DOMAINNAME failed !
Exception: Signing the new certificate failed
Info: The operation 'Install Let's encrypt certificate on 'DOMAINNAME' domain' has failed! To get help, please share the full log of this operation using the command 'yunohost log display 20190224-154935-letsencrypt_cert_install-DOMAINNAME --share'

The logs mentioned above are as follows:

description: Install Let's encrypt certificate on 'DOMAINNAME' domain
log_path: /var/log/yunohost/categories/operation/20190224-154935-letsencrypt_cert_install-DOMAINNAME.log
logs: 
  - 2019-02-24 15:49:35,555: DEBUG - Nginx configuration file for ACME challenge already exists for domain, skipping.
  - 2019-02-24 15:49:35,555: DEBUG - Making sure tmp folders exists...
  - 2019-02-24 15:50:05,674: DEBUG - Could not get public IPv6 : Invalid url https://ip6.yunohost.org (does this site exists?)
  - 2019-02-24 15:50:05,675: DEBUG - Prepare key and certificate signing request (CSR) for DOMAINNAME...
  - 2019-02-24 15:50:06,255: DEBUG - Saving to /tmp/acme-challenge-private/DOMAINNAME.csr.
  - 2019-02-24 15:50:06,256: DEBUG - Now using ACME Tiny to sign the certificate...
  - 2019-02-24 15:50:06,256: INFO - Parsing account key...
  - 2019-02-24 15:50:06,273: INFO - Parsing CSR...
  - 2019-02-24 15:50:06,291: INFO - Registering account...
  - 2019-02-24 16:03:13,285: ERROR - Error registering: 400 {
  -   "type": "urn:acme:error:badNonce",
  -   "detail": "JWS has invalid anti-replay nonce IjJGVUPwQUrw_zNLjpuHSRcNk7qTUnPgANQHoT5W14s",
  -   "status": 400
  - }
  - 2019-02-24 16:03:13,483: WARNING - Debug information:
  -  - domain ip from DNS        [public IP of the VPS]
  -  - domain ip from local DNS  [public IP of the VPS]
  -  - public ip of the server   [public IP of the VPS]
  - 
  - 2019-02-24 16:03:13,587: WARNING - Debug information:
  -  - domain ip from DNS        [public IP of the VPS]
  -  - domain ip from local DNS  [public IP of the VPS]
  -  - public ip of the server   [public IP of the VPS]
  - 
  - 2019-02-24 16:03:13,588: ERROR - Certificate installation for DOMAINNAME failed !
  - Exception: Signing the new certificate failed
metadata: 
  args: 
    force: False
    no_checks: False
    staging: False
  ended_at: 2019-02-24 16:03:13
  error: Certificate installation for DOMAINNAME failed !
Exception: Signing the new certificate failed
  operation: letsencrypt_cert_install
  related_to: 
    - domain
    - DOMAINNAME
  started_at: 2019-02-24 15:49:35
  success: False
metadata_path: /var/log/yunohost/categories/operation/20190224-154935-letsencrypt_cert_install-DOMAINNAME.yml
name: 20190224-154935-letsencrypt_cert_install-DOMAINNAME

I would be extremely glad for any thoughts, hints, and insights.
Thank you very much!

Meh, that sounds weird … did a quick search and the problem / solution is not obvious. Did you try to retry the operation? Some people say that worked for them…

Hey Aleks,

Indeed I have tried a couple of times (about three times waiting for half an hour, and then some more that I aborted).
It is good that you point out which specific part of the error message to search for, but so far I did not find anything applicable.

Thanks for your effort!

Some people are talking about routers / NAT that can cause issues … e.g. from here

are you behind a NAT that sends your outbound traffic via multiple IP addresses? That can cause some problems with nonces.

But from what I see you are on a VPS, so unless the network team from your provider messed up something in their setup, that should be okay …

Hmm, I see someone mentioning IPv6: can you double check your DNS AAAA record, if you have one?

1 Like

Indeed there is an AAAA record for an IPv6 that does not match the new server’s IPv6! (I assume only IPv4 addresses may be reserved with the provider)

I will remove the DNS record and disable IPv6 on the server, then see whether that fixes it!

1 Like
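The check Aleks suggested, as an added example that is not part of this thread or of YunoHost's own code: before retrying an ACME certificate request, compare every published A/AAAA record of the domain against the addresses the server actually owns, and classify the ACME error body so a badNonce is recognised without digging through the log by hand. The DNS records, the server addresses and the error text below are constructed sample data mirroring the situation in this thread (A record correct, stale AAAA record left over from the old server); in practice you would feed in the resolver's answers and the server's real public IPs.

```python
"""Pre-flight check before an ACME certificate request (added example).

Two pieces:
  * check_dns_matches_server(): flags A/AAAA records that point at an
    address this server does not own (e.g. a stale AAAA record).
  * classify_acme_error(): parses an acme-tiny style
    'Error registering: <status> <json>' message and returns the short
    ACME error type (e.g. 'badNonce').
"""
import ipaddress
import json
import re

# Constructed sample data, not the output of a live resolver: the A record
# points at the rebuilt VPS, the AAAA record still points at the old server.
SAMPLE_DNS_RECORDS = {
    "A": ["203.0.113.10"],
    "AAAA": ["2001:db8:1::1"],          # stale, belongs to the old server
}
SAMPLE_SERVER_ADDRESSES = ["203.0.113.10", "2001:db8:2::1"]

# Constructed sample of the CLI error text (nonce value is a placeholder).
SAMPLE_ERROR_LINE = """Error: Error registering: 400 {
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has invalid anti-replay nonce EXAMPLE_NONCE",
  "status": 400
}"""


def check_dns_matches_server(records, server_addresses):
    """Return a list of findings; an empty list means every published
    A/AAAA record is an address this server owns.

    records: mapping of record type ('A', 'AAAA') to a list of address strings.
    server_addresses: the public IPv4/IPv6 addresses the server answers on.
    """
    owned = {ipaddress.ip_address(a) for a in server_addresses}
    findings = []
    for rtype, version in (("A", 4), ("AAAA", 6)):
        owned_for_version = {a for a in owned if a.version == version}
        for value in records.get(rtype, []):
            addr = ipaddress.ip_address(value)
            if addr.version != version:
                findings.append(f"{rtype} record {value} is not an IPv{version} address")
            elif addr not in owned_for_version:
                have = ", ".join(sorted(str(a) for a in owned_for_version)) or "none"
                findings.append(
                    f"{rtype} record {value} does not belong to this server "
                    f"(server's IPv{version}: {have})"
                )
    return findings


# Matches 'Error registering: 400 { ... }' including a multi-line JSON body.
ACME_ERROR_RE = re.compile(r"Error registering: (\d{3}) (\{.*\})", re.DOTALL)


def classify_acme_error(text):
    """Return (http_status, short_error_type) for an ACME registration error,
    or None when the text is not such an error line."""
    match = ACME_ERROR_RE.search(text)
    if not match:
        return None
    status = int(match.group(1))
    body = json.loads(match.group(2))
    # 'urn:acme:error:badNonce' -> 'badNonce'
    error_type = body.get("type", "").rsplit(":", 1)[-1]
    return status, error_type


def diagnose(error_text, records, server_addresses):
    """Combine both checks and return (summary, dns_findings)."""
    parsed = classify_acme_error(error_text)
    findings = check_dns_matches_server(records, server_addresses)
    if parsed and parsed[1] == "badNonce" and findings:
        return ("badNonce with DNS mismatch: fix the records listed before retrying "
                "(the resolution in this thread was removing the stale AAAA record)", findings)
    if parsed and parsed[1] == "badNonce":
        return ("badNonce but DNS records match the server: check for multiple "
                "egress IPs / NAT on the outbound path, then retry", findings)
    return ("no ACME nonce problem detected", findings)


if __name__ == "__main__":
    summary, dns_findings = diagnose(SAMPLE_ERROR_LINE, SAMPLE_DNS_RECORDS,
                                     SAMPLE_SERVER_ADDRESSES)
    print(summary)
    for finding in dns_findings:
        print(" -", finding)
```

To run it against a real domain, replace the sample dictionary with the resolver's A and AAAA answers (for example from `dig +short A DOMAINNAME` and `dig +short AAAA DOMAINNAME`) and list the server's public IPv4 and IPv6 addresses; an empty findings list means a leftover record is not the problem and the NAT / multiple-egress explanation from the earlier post is the next thing to check.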

This worked, thanks a lot!

1 Like