Knowledge Base

Cannot renew Let’s Encrypt certificate on Plesk with IPv6 enabled: JWS has an invalid anti-replay nonce

 
firewallhttpsletsencryptplesk for linuxserver

Symptoms

  • Let’s Encrypt certificate cannot be renewed with the error below:

    Invalid response from https://acme-v02.api.letsencrypt.org/acme/order/85457982/6423753814.
    Details:
    Type: urn:ietf:params:acme:error:badNonce
    Status: 400
    Detail: JWS has an invalid anti-replay nonce:

  • Let’s Encrypt server name mentioned in the error resolves to IPv6 address:

    # ping acme-v02.api.letsencrypt.org
    PING acme-v02.api.letsencrypt.org(2606:4700:60:0:f53d:5624:85c7:3a2c (2606:4700:60:0:f53d:5624:85c7:3a2c)) 56 data bytes

  • Connection to port 443 fails for Let’s Encrypt server:

    # telnet acme-v02.api.letsencrypt.org 443
    Trying 2606:4700:60:0:f53d:5624:85c7:3a2c…
    telnet: connect to address 2606:4700:60:0:f53d:5624:85c7:3a2c: Connection timed out

Cause

System firewall blocks outgoing IPv6 traffic.

Resolution

  1. Connect to the server via SSH.

  2. Allow outgoing IPv6 traffic to port 443:

    # ip6tables -I OUTPUT 1 -p tcp –dport 443 -j ACCEPT

  3. Save the added rule:

    # iptables-save

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2022 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with 💙  with Plesk WP Toolkit
Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt