2022/10/23 00:36:43 [INFO] [*.mydomain.nl] acme: use dns-01 solver
2022/10/23 00:36:43 [INFO] [mydomain.nl] acme: Could not find solver for: tls-alpn-01
2022/10/23 00:36:43 [INFO] [mydomain.nl] acme: Could not find solver for: http-01
2022/10/23 00:36:43 [INFO] [mydomain.nl] acme: use dns-01 solver
2022/10/23 00:36:43 [INFO] [*.mydomain.nl] acme: Preparing to solve DNS-01
2022/10/23 00:36:44 [INFO] [*.mydomain.nl] acme: Trying to solve DNS-01
2022/10/23 00:36:44 [INFO] [*.mydomain.nl] acme: Checking DNS record propagation using [8.8.8.8:53]
2022/10/23 00:37:14 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2022/10/23 00:48:25 [INFO] [mydomain.nl] acme: Cleaning DNS-01 challenge
2022/10/23 00:48:26 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/167XXXXXXXXX :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "327Ce7J_fVk5ZBxDvxUIlUYxARn_PfxxxxxxxxxxXXXXxxxxxx"
2022/10/23 00:48:26 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/167xxxxxxxxx
2022/10/23 00:48:27 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/167xxxxxxxxx
2022/10/23 00:48:27 Could not obtain certificates:
error: one or more domains had a problem:
[*.mydomain.nl] time limit exceeded: last error: read udp 144.xx.xx.xx:52233->144.xx.xx.xx:53: i/o timeout
[mydomain.nl] time limit exceeded: last error: read udp 144.xx.xx.xx:60670->144.xx.xx.xx:53: i/o timeout
Certificate generation failed.
Now, especially the i/o timeout at the end, I don't understand why this occurs.
The first 144 IP is the server IP, which is also bound to the hostname and ns1.
The second 144 ip is the 2nd nameserver ip. On the same server by the way. I know it shouldn't be both on 1 server, but customer wants it that way.
DNS of the domain does not contain any CAA record.
I did run this command:
dig CAA mydomain.nl @8.8.8.8
which gave a nice answer and not a servfail.
I didn't try a manual update yet, because I'm trying to figure out why this is going wrong.
Anyone?
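To make the log above easier to read, here is a small triage script as an added example; it is not part of the original post and not DirectAdmin or lego code. It assumes the line format shown in the log (Go-style timestamps, `Wait for propagation [timeout: ..., interval: ...]`, `read udp A->B: i/o timeout`, and `urn:ietf:params:acme:error:*` codes); the sample log embedded in it is constructed with documentation addresses and placeholders, not copied from any real server. It measures how long the propagation check actually ran against the configured timeout, separates the transient `badNonce` retry from the real failure, and pulls out which nameserver the UDP queries were timing out against.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same shape as the log in the thread (placeholder hosts/IDs).
SAMPLE_LOG = """\
2022/10/23 00:36:43 [INFO] [*.example.test] acme: use dns-01 solver
2022/10/23 00:36:43 [INFO] [example.test] acme: Could not find solver for: http-01
2022/10/23 00:37:14 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2022/10/23 00:48:25 [INFO] [example.test] acme: Cleaning DNS-01 challenge
2022/10/23 00:48:26 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/PLACEHOLDER :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "PLACEHOLDER"
2022/10/23 00:48:27 Could not obtain certificates:
[*.example.test] time limit exceeded: last error: read udp 198.51.100.10:52233->198.51.100.11:53: i/o timeout
[example.test] time limit exceeded: last error: read udp 198.51.100.10:60670->198.51.100.11:53: i/o timeout
"""

TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")
TIMEOUT_RE = re.compile(r"Wait for propagation \[timeout: (\S+), interval: (\S+)\]")
GO_DURATION_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
UDP_TIMEOUT_RE = re.compile(r"read udp (\S+)->(\S+): i/o timeout")
ACME_ERROR_RE = re.compile(r"urn:ietf:params:acme:error:(\w+)")
NO_SOLVER_RE = re.compile(r"Could not find solver for: (\S+)")


def parse_go_duration(text):
    """Parse Go durations such as '5m0s' or '1h2m3s' into a timedelta."""
    m = GO_DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised duration: {text!r}")
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=h, minutes=mi, seconds=s)


def parse_timestamp(line):
    """Return the leading timestamp of a log line, or None for continuation lines."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None


def triage(log_text):
    """Extract the facts needed to explain a failed DNS-01 run from the log text."""
    report = {
        "propagation_timeout": None,   # configured limit for the propagation check
        "propagation_waited": None,    # wall time from 'Wait for propagation' to cleanup
        "exceeded_timeout": False,
        "acme_errors": [],             # ACME problem types seen (e.g. badNonce)
        "dns_timeouts": [],            # {client, nameserver} per UDP i/o timeout
        "skipped_solvers": [],         # challenge types the client had no solver for
    }
    wait_started = None
    for line in log_text.splitlines():
        ts = parse_timestamp(line)
        if m := TIMEOUT_RE.search(line):
            report["propagation_timeout"] = parse_go_duration(m.group(1))
            wait_started = ts
        if "Cleaning DNS-01 challenge" in line and wait_started and ts:
            report["propagation_waited"] = ts - wait_started
        if m := ACME_ERROR_RE.search(line):
            report["acme_errors"].append(m.group(1))
        if m := UDP_TIMEOUT_RE.search(line):
            src, dst = m.groups()
            # Strip the port so the nameserver address can be compared across lines.
            report["dns_timeouts"].append({"client": src, "nameserver": dst.rsplit(":", 1)[0]})
        if m := NO_SOLVER_RE.search(line):
            report["skipped_solvers"].append(m.group(1))
    limit, waited = report["propagation_timeout"], report["propagation_waited"]
    if limit and waited:
        report["exceeded_timeout"] = waited > limit
    return report


def explain(report):
    """Turn the report into plain findings, separating the transient error from the real one."""
    findings = []
    if report["exceeded_timeout"]:
        findings.append(
            f"propagation check ran {report['propagation_waited']} against a configured "
            f"timeout of {report['propagation_timeout']}: the TXT record was never seen."
        )
    if report["dns_timeouts"]:
        servers = sorted({t["nameserver"] for t in report["dns_timeouts"]})
        findings.append(
            f"{len(report['dns_timeouts'])} UDP queries to {', '.join(servers)}:53 got no "
            "answer at all (service not answering, firewalled or rate-limited); this is not "
            "the same as the server answering with a missing or wrong record."
        )
    if "badNonce" in report["acme_errors"]:
        # RFC 8555 6.5: the server returns a fresh Replay-Nonce and the client retries.
        findings.append("badNonce is transient; the client retried it and it is not the cause of the failure.")
    return findings


if __name__ == "__main__":
    for finding in explain(triage(SAMPLE_LOG)):
        print("-", finding)
```

Run against the thread's log, the interesting output is the first two findings: the check waited far longer than the 5 minute limit, and the last error on both names is a UDP query to the second nameserver address that never got an answer, which points at the resolver/nameserver path rather than at the record content.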
Add your server IP to Brute Force Monitor's skip list, then try again; after your request is sent, restart the "named" service, it may help.
(Brute Force Monitor's bug, sometimes... it will block your server from renewing the cert.)
Some people (including me) get the same problem.
Thank you. But as you can see from my solution, this wouldn't have fixed my issue, because the problem was not caused by a BFM block.
I've seen the thread where your tip was mentioned, but I see that as a workaround, not as a solution.
If that issue would occur on my servers, personally I would rather investigate why that even happens than just put the IP in the skip list.
Because the server IP should never be blocked, there is probably some other underlying cause.
However, thank you for responding.
2022/10/23 16:15:16 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2022/10/23 16:15:17 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/chall-v3/16782xxxxxxxxx :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "F977Zgj0pXVJBaBUWDRqwAI7BD_Arlpiup9xxxxxxx"
Again that "JWS has an invalid anti-replay nonce", but the certificate renewed fine.
We'll keep an eye on this on other updates.