
Comments (7)

mathiasertl commented on June 10, 2024

Hi @DonOtuseGH ,

I fear I need further information here to get to the bottom of this. I validated that ACME nonce processing is working in principle using the development guide, but of course, something might always be different in the real world.

  • You say you use the Docker image. Are you really using that, or are you using docker-compose?
  • If you use Docker, are you using as a shared cache? Django's default in-memory cache is not shared, so this could be one reason for the error.
  • What command of certbot is failing? Please post the full command.
  • What version of certbot are you using?
  • Can you run certbot with the --verbose flag? It should print the exact HTTP requests it does.
  • Does django-ca itself provide any output?

Looking forward to more information!

Thanks + kr, Mat

from django-ca.

mathiasertl commented on June 10, 2024

Hi @DonOtuseGH , ping? Any further information?

from django-ca.

DonOtuseGH commented on June 10, 2024

Hi @mathiasertl, sorry for the late reply, I'm a bit busy at the moment, but I'll try to collect the requested information tomorrow or the day after. BR

from django-ca.

DonOtuseGH commented on June 10, 2024

Hi Mat,

I'd like to answer your questions...

$ git diff docker-compose.yml
diff --git a/docker-compose.yml b/docker-compose.yml
index 25d8b5c..43a8f1e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,4 @@
-version: "3.9"
+version: "3.7"
 services:
     cache:
         image: redis:6-alpine
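Review bot: the `version` downgrade from "3.9" to "3.7" on the first line of the file carries no explanation. If it is needed for an older docker-compose release, say so in the file or in the report, so the change is not mistaken for an accidental edit and can be weighed against the `depends_on` change further down.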
@@ -88,8 +88,7 @@ services:
         image: nginx:1.20-alpine
         command: /bin/sh -c "envsubst < /etc/nginx/conf.d/${NGINX_TEMPLATE:-default}.template > /etc/nginx/conf.d/default.conf && exec nginx -g 'daemon off;'"
         depends_on:
-            frontend:
-                condition: service_healthy
+            - frontend
         environment:
             NGINX_HOST: ${DJANGO_CA_CA_DEFAULT_HOSTNAME:-localhost}
             NGINX_PORT: ${NGINX_PORT:-80}
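Review bot: in the nginx service's `depends_on`, replacing `condition: service_healthy` with the short form `- frontend` drops the health gate, so nginx is only ordered after the frontend container is started, not after its health check passes. Keep the long form where the Compose release in use supports it, or document why it had to go.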

In addition I have the following overwrites:

$ cat <<'EOF'> docker-compose.override.yml
version: "3.7"
services:
    cache:
        volumes:
            - /etc/localtime:/etc/localtime:ro
    db:
        volumes:
            - /etc/localtime:/etc/localtime:ro
    backend:
        volumes:
            - /etc/localtime:/etc/localtime:ro
            - ./localsettings.yaml:/usr/src/django-ca/ca/conf/compose/99-localsettings.yaml
            - ${PWD}/certs:/usr/src/django-ca/ca/certs
    frontend:
        volumes:
            - /etc/localtime:/etc/localtime:ro
            - ./localsettings.yaml:/usr/src/django-ca/ca/conf/compose/99-localsettings.yaml
    webserver:
        volumes:
            - /etc/localtime:/etc/localtime:ro
            - ${PWD}/webui/live/${DJANGO_CA_CA_DEFAULT_HOSTNAME}:/etc/certs/live/${DJANGO_CA_CA_DEFAULT_HOSTNAME}/
            - ${PWD}/webui/archive/${DJANGO_CA_CA_DEFAULT_HOSTNAME}:/etc/certs/archive/${DJANGO_CA_CA_DEFAULT_HOSTNAME}/
            - ${PWD}/dhparam.pem:/etc/nginx/dhparams/dhparam.pem
            - ${PWD}/acme/:/usr/share/django-ca/acme/
        ports:
            - 443:443
EOF

localsettings looks like so:

$ cat <<EOF> localsettings.yaml
CACHES:
  default:
    BACKEND: django.core.cache.backends.locmem.LocMemCache
TIME_ZONE: Europe/Berlin
LANGUAGE_CODE: de-DE
CA_DEFAULT_EXPIRES: 365
CA_DEFAULT_SUBJECT:
  C: DE
  L: Stuttgart
  O: ACME Corp.
  OU: Certificate Management
  ST: Baden-Wuerttemberg
CA_PROFILES:
  server_3y:
    description: A certificate for a webserver with 3 years validity time.
    expires: 1095
    extensions:
      extended_key_usage:
        critical: false
        value:
        - serverAuth
      key_usage:
        critical: true
        value:
        - digitalSignature
        - keyEncipherment
    subject: /C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/OU=Lab
  # to disable pre-configured profiles set it to null
  #enduser: null
EOF
  • Certbot Version
$ certbot --version
certbot 1.25.0
  • Certbot command
$ REQUESTS_CA_BUNDLE=root_ca.crt certbot register --agree-tos -m [email protected] --server https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/ -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

  • Certbot log
$ cat /var/log/letsencrypt/letsencrypt.log
2022-05-25 15:29:52,387:DEBUG:certbot._internal.main:certbot version: 1.25.0
2022-05-25 15:29:52,387:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-05-25 15:29:52,387:DEBUG:certbot._internal.main:Arguments: ['--agree-tos', '-m', '[email protected]', '--server', 'https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/', '-v']
2022-05-25 15:29:52,387:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-05-25 15:29:52,399:DEBUG:certbot._internal.log:Root logging level set at 20
2022-05-25 15:29:52,463:DEBUG:acme.client:Sending GET request to https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/.
2022-05-25 15:29:52,465:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): certsuite-dev.lab:443
2022-05-25 15:29:52,487:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "GET /django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/ HTTP/1.1" 200 608
2022-05-25 15:29:52,488:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: application/json
Content-Length: 608
Connection: keep-alive
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{"QRTblkWQiAIlQYD94TP00Q": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://localhost:8000/django_ca/acme/todo/key-change", "newAccount": "https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/", "newNonce": "https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/", "newOrder": "https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-order/", "revokeCert": "http://localhost:8000/django_ca/acme/todo/revoke-cert"}
2022-05-25 15:29:52,488:DEBUG:acme.client:Requesting fresh nonce
2022-05-25 15:29:52,488:DEBUG:acme.client:Sending HEAD request to https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/.
2022-05-25 15:29:52,490:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ HTTP/1.1" 200 0
2022-05-25 15:29:52,491:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
replay-nonce: vJs4kQBD6nYUuL7Zdq251Z3vpR7aKTr9x_D8CTKWIyc
cache-control: no-store
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block


2022-05-25 15:29:52,492:DEBUG:acme.client:Storing nonce: vJs4kQBD6nYUuL7Zdq251Z3vpR7aKTr9x_D8CTKWIyc
2022-05-25 15:29:52,492:DEBUG:acme.client:JWS payload:
b'{\n  "contact": [\n    "mailto:[email protected]"\n  ],\n  "termsOfServiceAgreed": true\n}'
2022-05-25 15:29:52,496:DEBUG:acme.client:Sending POST request to https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/:
{
  "protected": "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",
  "signature": "f_xghq-GSh5pX7tuxvBZtdnE12y3G2e7W0xl37gJbJOu4tIFM4fABfrPnil4yDCXwJR04PExEPFO4f3JBKET0wmv5dA8whKCsIgxWkKRivX5TdQf7CSTV0xIUz8sAok7R39rUXN7CjDWsDvR6zabqHdhj5h_oVrXJLogM_NaRi8qKjnJXnRR9IJHax8UB6rwIxwVlRqgU3CiTvLjr0an5bkshq0n2QYdOgttqtz1fGFsQA6ZK4fx4zu7HBm0deLI1gfSM1mvHDX08S_5uf_stn2tfqycXSwE6fcJ4yolz2z7vBGL-6DYq4G_03jPfDXEMbXIihmTbjnMIO_GBUdSPw",
  "payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpmb29AYmFyLmNvbSIKICBdLAogICJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWUKfQ"
}
2022-05-25 15:29:52,508:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ HTTP/1.1" 400 97
2022-05-25 15:29:52,509:DEBUG:acme.client:Received response:
HTTP 400
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: application/problem+json
Content-Length: 97
Connection: keep-alive
Link: <https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/>;rel="index"
replay-nonce: 1kko5Anr7ghhHwwpJGj8jNptVz30vUIlFjzeuOOBDYY
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{"type": "urn:ietf:params:acme:error:badNonce", "status": 400, "detail": "Bad or invalid nonce."}
2022-05-25 15:29:52,509:DEBUG:acme.client:Retrying request after error:
urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
2022-05-25 15:29:52,509:DEBUG:acme.client:Requesting fresh nonce
2022-05-25 15:29:52,509:DEBUG:acme.client:Sending HEAD request to https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/.
2022-05-25 15:29:52,511:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ HTTP/1.1" 200 0
2022-05-25 15:29:52,512:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
replay-nonce: SULgxSVkrm85l7c0jP_HG4T7MbcsJ1OgKdDboQfHw8A
cache-control: no-store
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block


2022-05-25 15:29:52,513:DEBUG:acme.client:Storing nonce: SULgxSVkrm85l7c0jP_HG4T7MbcsJ1OgKdDboQfHw8A
2022-05-25 15:29:52,513:DEBUG:acme.client:JWS payload:
b'{\n  "contact": [\n    "mailto:[email protected]"\n  ],\n  "termsOfServiceAgreed": true\n}'
2022-05-25 15:29:52,516:DEBUG:acme.client:Sending POST request to https://certsuite-dev.lab/django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAiandrIjogeyJuIjogInNyY2R5UzdjTjhJOEtISnZFOU82NGVnWjdCdktlOVZueWhmN3JCamRXMXBhQjNFLXk1VWUzbmxsWGpUdjRYcmNwcmIta0pLbG1ZWVpzeWNaWFl2Z0hNVnYwNDktc3dqQjIxX2k5SnBjcFRQcERZNVFQQk5xS2JoUjZnTVR2QU9Qd3JBZ0g3QktOcmhKN1p5LTRrNUtabGQtOU9IOWJ1clQtMC1CblhBeEdNREZzRVJvLUxHWEFQLWhKY0hodDFrUVZhQzZLZEJxQ2lyMEwxcV95YkZlRmQ5T2lzVXRzSThqUUk4dVQxcDNMYWhmM25RM25GSEhpb2NtbEFLSHlpZTJwdlg2Ulh1NmtYUElXdGc1REVYNHQzSWtDZmdhcnZwRmhsWWNEcXVqaXNOWUREdWFqVFVyNDhERUdJWkpJaVgzSGgtNlZ5WFVOenhlNXJHOFVjRnh3dyIsICJlIjogIkFRQUIiLCAia3R5IjogIlJTQSJ9LCAibm9uY2UiOiAiU1VMZ3hTVmtybTg1bDdjMGpQX0hHNFQ3TWJjc0oxT2dLZERib1FmSHc4QSIsICJ1cmwiOiAiaHR0cHM6Ly9jZXJ0c3VpdGUtZGV2LmxhYi5ybmV0eC5jb20vZGphbmdvX2NhL2FjbWUvNzBERUU5NjlDMDY1RjQzMDIzQ0M4Q0ExODNFRDQyMTQwNkUzNzM1OC9uZXctYWNjb3VudC8ifQ",
  "signature": "l0t7c8qBGaRJ7V6GES_8pEiZ-0U-iaFtaOxfkYRT2cWHVFRDzG01Fa1CfG3jh58ZV4-7_aToE5x8E95lMK0Gu388dzBcv0UzeyL6YBJMA4ExJC4J6Iu38RJ40RBbSwO5n1f5jpGNxndjjRn1cmYu-Wl0Z-qc-zFjy2Xfx5QQ1GdkoJab9rn9ZQSMcgbV4D5B_W_QDWAPj6hJW5h4DdoCiT0_m_5tDeDyLzR-_Dec2hMfZseIEqp2LmrMa7Jfzssv-0gsbZcQjf1L0amDK9ysE6kbf-bbEO1jZjDIK18mDCCvPEVLp1Ky0DYmXYNRV7_APflBOPgVgFv9zrfMBlVIzQ",
  "payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpmb29AYmFyLmNvbSIKICBdLAogICJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWUKfQ"
}
2022-05-25 15:29:52,533:DEBUG:urllib3.connectionpool:https://certsuite-dev.lab:443 "POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ HTTP/1.1" 400 97
2022-05-25 15:29:52,533:DEBUG:acme.client:Received response:
HTTP 400
Server: nginx/1.20.2
Date: Wed, 25 May 2022 13:29:52 GMT
Content-Type: application/problem+json
Content-Length: 97
Connection: keep-alive
Link: <https://certsuite-dev.lab/django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/>;rel="index"
replay-nonce: 0CMX3MTMuH0ZxGbXzsGwbBayhyOhhPQPtCCY3Xggtdk
Referrer-Policy: same-origin, same-origin
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: default-src 'self'
Expect-CT: Expect-CT: enforce, max-age=30
Permissions-Policy: sync-xhr=(self), notifications=(), camera=(), microphone=(), geolocation=(), payment=(), speaker=(), push=(), vibrate=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{"type": "urn:ietf:params:acme:error:badNonce", "status": 400, "detail": "Bad or invalid nonce."}
2022-05-25 15:29:52,534:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1271, in post
    return self._post_once(*args, **kwargs)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1285, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1131, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.10/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/main.py", line 1715, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/main.py", line 888, in register
    _determine_account(config)
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/main.py", line 724, in _determine_account
    acc, acme = client.register(
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/client.py", line 218, in register
    regr = perform_registration(acme, config, tos_cb)
  File "/opt/certbot/lib/python3.10/site-packages/certbot/_internal/client.py", line 267, in perform_registration
    acme).new_account_and_tos(newreg, tos_cb)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 912, in new_account_and_tos
    return client_v2.new_account(regr)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 632, in new_account
    response = self._post(self.directory['newAccount'], new_account)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 103, in _post
    return self.net.post(*args, **kwargs)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1275, in post
    return self._post_once(*args, **kwargs)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1285, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/opt/certbot/lib/python3.10/site-packages/acme/client.py", line 1131, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
2022-05-25 15:29:52,536:ERROR:certbot._internal.log:An unexpected error occurred:
2022-05-25 15:29:52,537:ERROR:certbot._internal.log:The client sent an unacceptable anti-replay nonce :: Bad or invalid nonce.
  • django-ca log
frontend_1   | [pid: 27|app: 0|req: 171/255] 10.5.1.94 () {38 vars in 716 bytes} [Wed May 25 15:29:15 2022] GET /django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/ => generated 608 bytes in 9 msecs (HTTP/1.1 200) 4 headers in 143 bytes (1 switches on core 0)
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "GET /django_ca/acme/directory/70DEE969C065F43023CC8CA183ED421406E37358/ HTTP/1.1" 200 608 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ HTTP/1.1" 200 0 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
frontend_1   | [pid: 27|app: 0|req: 172/256] 10.5.1.94 () {38 vars in 717 bytes} [Wed May 25 15:29:15 2022] HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ => generated 0 bytes in 1 msecs (HTTP/1.1 200) 6 headers in 233 bytes (1 switches on core 1)
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ HTTP/1.1" 400 97 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
frontend_1   | [pid: 23|app: 0|req: 18/257] 10.5.1.94 () {42 vars in 815 bytes} [Wed May 25 15:29:15 2022] POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ => generated 97 bytes in 9 msecs (HTTP/1.1 400) 6 headers in 342 bytes (1 switches on core 0)
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ HTTP/1.1" 200 0 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
frontend_1   | [pid: 25|app: 0|req: 41/258] 10.5.1.94 () {38 vars in 717 bytes} [Wed May 25 15:29:15 2022] HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ => generated 0 bytes in 1 msecs (HTTP/1.1 200) 6 headers in 233 bytes (1 switches on core 1)
webserver_1  | 10.5.1.94 - - [25/May/2022:15:29:15 +0200] "POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ HTTP/1.1" 400 97 "-" "CertbotACMEClient/1.25.0 (certbot; Ubuntu Jammy Jellyfish (development branch)) Authenticator/None Installer/None (register; flags: ) Py/3.10.4" "-"
frontend_1   | [pid: 21|app: 0|req: 28/259] 10.5.1.94 () {42 vars in 815 bytes} [Wed May 25 15:29:15 2022] POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ => generated 97 bytes in 9 msecs (HTTP/1.1 400) 6 headers in 342 bytes (1 switches on core 1)

from django-ca.

mathiasertl commented on June 10, 2024

Hi @DonOtuseGH, thanks for the detailed report! I'm already trying to reproduce this. I'll come back if I have further questions!

What I can see from a first look is that the requests/responses are consistent with a client not sending the correct replay nonce. But then of course: Why would certbot not do that? I'm sure the issue is somehow, somewhere on the django-ca side.

Just out of curiosity - why remove the service_healthy condition from docker-compose and why map in the localtime file? In each case, if it's a useful addition, it could be included of course.

kr, Mat

from django-ca.

mathiasertl commented on June 10, 2024

Ah! NO WAIT! I found it. From your localsettings.yml file:

CACHES:
  default:
    BACKEND: django.core.cache.backends.locmem.LocMemCache

The docker-compose setup includes a Redis instance precisely because the application server needs a cache that is shared between all processes that serve requests. uWSGI starts four processes by default. Likely you hit different uWSGI processes for each request, but each request has a different, independent (read: local memory) cache.

Can you remove those lines and try again?

By the way: I'm also extremely annoyed by this, but: you "might" want to include the changes from a0f1490 in your docker-compose.yml file.

kr, Mat

from django-ca.
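The diagnosis above can be checked against the uWSGI lines in the posted django-ca log. The following is an added example, not django-ca's or certbot's code: it extracts the worker pid of each request and replays the same sequence against a simplified nonce store. The `Worker` class and the `accepted`/`badNonce` result strings are assumptions made for illustration; the log lines are the `frontend_1` lines from this thread, trimmed after `=>`.

```python
import re
import secrets

# frontend_1 (uWSGI) lines from the log posted in this thread, trimmed after "=>".
UWSGI_LOG = """\
frontend_1   | [pid: 27|app: 0|req: 172/256] 10.5.1.94 () {38 vars in 717 bytes} [Wed May 25 15:29:15 2022] HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ =>
frontend_1   | [pid: 23|app: 0|req: 18/257] 10.5.1.94 () {42 vars in 815 bytes} [Wed May 25 15:29:15 2022] POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ =>
frontend_1   | [pid: 25|app: 0|req: 41/258] 10.5.1.94 () {38 vars in 717 bytes} [Wed May 25 15:29:15 2022] HEAD /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-nonce/ =>
frontend_1   | [pid: 21|app: 0|req: 28/259] 10.5.1.94 () {42 vars in 815 bytes} [Wed May 25 15:29:15 2022] POST /django_ca/acme/70DEE969C065F43023CC8CA183ED421406E37358/new-account/ =>
"""

LINE_RE = re.compile(r"\[pid: (\d+)\|.*?\] (GET|HEAD|POST) (\S+) =>")


def parse_requests(log):
    """Return (worker pid, HTTP method, last path segment) per uWSGI line."""
    requests = []
    for line in log.splitlines():
        match = LINE_RE.search(line)
        if match:
            pid, method, path = match.groups()
            requests.append((int(pid), method, path.rstrip("/").rsplit("/", 1)[-1]))
    return requests


def nonce_vs_post_workers(requests):
    """Pair each POST with the pid that served the preceding new-nonce request."""
    pairs, nonce_pid = [], None
    for pid, method, endpoint in requests:
        if endpoint == "new-nonce":
            nonce_pid = pid
        elif method == "POST":
            pairs.append((nonce_pid, pid))
    return pairs


class Worker:
    """Assumed model of one server process; `cache` stands in for the Django cache."""

    def __init__(self, cache):
        self.cache = cache

    def new_nonce(self):
        nonce = secrets.token_urlsafe(32)
        self.cache[nonce] = True  # remember the nonce that was handed out
        return nonce

    def post(self, nonce):
        # Single use: a known nonce is consumed, anything else is rejected.
        return "accepted" if self.cache.pop(nonce, None) else "badNonce"


def replay(requests, shared):
    """Replay the logged sequence with one shared cache or one cache per pid."""
    shared_cache, workers, results, nonce = {}, {}, [], None
    for pid, method, endpoint in requests:
        if pid not in workers:
            workers[pid] = Worker(shared_cache if shared else {})
        if endpoint == "new-nonce":
            nonce = workers[pid].new_nonce()
        elif method == "POST":
            results.append(workers[pid].post(nonce))
    return results


if __name__ == "__main__":
    reqs = parse_requests(UWSGI_LOG)
    print("nonce pid -> POST pid:", nonce_vs_post_workers(reqs))
    print("per-process cache:", replay(reqs, shared=False))
    print("shared cache:     ", replay(reqs, shared=True))
```

In the posted log both POSTs land on a different pid than the one that issued the nonce, which with a per-process cache yields the two `badNonce` responses certbot reported.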

mathiasertl commented on June 10, 2024

Closing this issue due to lack of further feedback. If you experience further issues, please don't hesitate to create a new issue or reopen this issue.

from django-ca.
