JWS verification error #7

Closed
opened 2018-11-14 12:26:24 +00:00 by Ghost · 9 comments

Hi,
I am getting errors when trying to create some SSL certificates.

I am running multiple domains, and I see the error on the domain without the www prefix.
(The certificate for the domain with the www prefix was created successfully.)

Thanks

The error message is:

```
[acme-v2.js] authorizations were not fetched:
{ type: 'urn:ietf:params:acme:error:malformed',
  detail: 'JWS verification error',
  status: 400 }
[acme-v2] handled(?) rejection as errback:
Error: authorizations were not fetched
    at XXXX/node_modules/acme-v2/node.js:588:31
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:229:7)
Error loading/registering certificate for 'boozers.beer':
Error: authorizations were not fetched
    at XXXX/node_modules/acme-v2/node.js:588:31
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:229:7)
```
Owner

Hello!

Thanks for letting me know about this.

I'm not sure from just looking at this alone why you'd be getting that error, but I've got a few suggestions:

  1. Double check that `dig +short yourdomain.com` returns the correct results.

  2. Double check that you are putting the file you need in a place that the webserver can access.

  3. Watch the quickstart video at https://git.coolaj86.com/coolaj86/greenlock-express.js and see if that works for you.

That should help us to narrow it down.

Author

Hi,

Thank you for the response.

I checked `dig +short` and all seems to be okay.

I would like to explain my situation in more detail.
The server is running 2 instances of Node.js (with PM2), and those instances serve HTTPS requests for multiple domains at the same time.

When the error above shows up, after restarting the instance, the creation of the first certificate, for one (new) domain, is okay, but when a new HTTPS request for another domain comes in, the creation fails with the above error.

P.S. I cannot capture the error in my code; it is only output to the console.

Thank you

Owner

Hmmm... that sounds like perhaps you're storing the token in memory and when the request comes in it's going to the second node instance, but only the first has the correct token?

I'd recommend simplifying to better identify where the problem exists:

  • run only one instance
  • use greenlock-express.js next since I know that that is configured correctly and works
Author

Thanks

I tried with one instance only, with no help.
I am using greenlock-express with le-store-redis.

Thanks

Author

Hi,

I tried on another server to use one account (email) for all the domains.
I get the error "JWS has an invalid anti-replay nonce", and success after retry.

Thanks

Owner

That helps me to mentally narrow it down a bit.

I've been working on getting everything that I need for ECDSA key support in greenlock. As I'm getting that pulled in I'll investigate this further.

Author

Thank you

Owner

Hey! I haven't added ECDSA support yet, but as I was doing some code cleanup in preparation for that I found a bug in the RSA PEM to JWK conversion. In certain cases it would generate the wrong thumbprint (for technical reasons related to how signed big ints are encoded in PEM/ASN.1).

Instead, now I'm using Rasha.js (https://git.coolaj86.com/coolaj86/rasha.js), which handles the edge cases properly.

It seems totally possible to me this was related to the problem you encountered with JWS.

I'd recommend that you update to the latest of the following:

  • Greenlock (v2.5.0+)
  • acme-v2
  • rsa-compat

The new version also significantly reduces the number of dependencies and the code size. Yay!

I'm closing this out, but feel free to re-open if need be.

Author

Hi,

I'm seeing similar errors ever since I upgraded my service to greenlock. About 90% of the errors are badNonce, and the rest are malformed.

We are on node v10.15.0 using

  • Greenlock v2.6.7
  • acme-v2 v1.5.2
  • rsa-compat v1.9.2

All of them are the latest versions, except rsa-compat, but looking at the changes, I don't see anything that would fix the problem by bumping to v2.0.2. In any case rsa-compat@1.9.2 is a dependency of acme-v2@1.5.2, so I can't really bump it until there is a new acme-v2 release.

badNonce error trace:

```
Error: [acme-v2.js] authorizations were not fetched for 'doc.mail.freenet.de':
{"type":"urn:ietf:params:acme:error:badNonce","detail":"JWS has an invalid anti-replay nonce: \"{{nonce}}\"","status":400}
    at /var/www-api/node_modules/acme-v2/node.js:620:33
    at process._tickCallback (internal/process/next_tick.js:68:7)
```

malformed error trace:

```
Didn't finalize order: Unhandled status '400'. This is not one of the known statuses...
Requested: '{{domain}}'
Validated: '{{domain}}'
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Order's status (\"processing\") is not acceptable for finalization",
  "status": 400
}

Please open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js
```
Reference: coolaj86/acme.js-ARCHIVED#7