Symptoms
- Let’s Encrypt certificate cannot be renewed with the error below:
  Invalid response from https://acme-v02.api.letsencrypt.org/acme/order/85457982/6423753814.
  Details:
  Type: urn:ietf:params:acme:error:badNonce
  Status: 400
  Detail: JWS has an invalid anti-replay nonce:
- The Let’s Encrypt server name mentioned in the error resolves to an IPv6 address:
  # ping acme-v02.api.letsencrypt.org
  PING acme-v02.api.letsencrypt.org(2606:4700:60:0:f53d:5624:85c7:3a2c (2606:4700:60:0:f53d:5624:85c7:3a2c)) 56 data bytes
- Connection to port 443 of the Let’s Encrypt server fails:
  # telnet acme-v02.api.letsencrypt.org 443
  Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
  telnet: connect to address 2606:4700:60:0:f53d:5624:85c7:3a2c: Connection timed out
Cause
System firewall blocks outgoing IPv6 traffic.
Resolution
- Connect to the server via SSH.
- Allow outgoing IPv6 TCP traffic to port 443 (the rule is inserted at position 1 so it is evaluated before any existing DROP rule):
  # ip6tables -I OUTPUT 1 -p tcp --dport 443 -j ACCEPT
- Save the added rule so it survives a reboot. Note that iptables-save covers only the IPv4 tables; IPv6 rules are written out by ip6tables-save, and its output has to be redirected to the file your distribution loads at boot, for example:
  # ip6tables-save > /etc/sysconfig/ip6tables    (CentOS/RHEL with iptables-services)
  # ip6tables-save > /etc/iptables/rules.v6       (Debian/Ubuntu with iptables-persistent)
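The diagnosis above boils down to one question: does the OUTPUT chain of ip6tables let TCP 443 out before a catch-all DROP? The script below is an added example, not part of the original article, that answers it from the text of `ip6tables -S OUTPUT`; the two rule listings it contains are constructed to reproduce the blocked state and the state after the fix.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): decide from an
# `ip6tables -S OUTPUT` listing whether outbound TCP 443, the port the ACME
# client needs once acme-v02.api.letsencrypt.org resolves to IPv6, gets through.

# Reads the listing on stdin. Returns 0 when an ACCEPT for dport 443 comes
# before any broad DROP/REJECT (or the chain policy allows it), 1 otherwise.
ipv6_https_egress_allowed() {
    local policy=ACCEPT line
    while IFS= read -r line; do
        case "$line" in
            "-P OUTPUT "*) policy=${line#-P OUTPUT } ;;
            *" -p tcp "*"--dport 443 "*"-j ACCEPT"*) return 0 ;;
            *" -p tcp "*"--dport 443 "*"-j DROP"*|*" -p tcp "*"--dport 443 "*"-j REJECT"*) return 1 ;;
            *"-j DROP"*|*"-j REJECT"*)
                # A drop not narrowed to another port, address or interface
                # (e.g. "-A OUTPUT -j DROP") swallows the ACME connection too.
                case "$line" in
                    *"--dport "*|*"--sport "*|*" -d "*|*" -s "*|*" -o lo "*) ;;
                    *) return 1 ;;
                esac ;;
        esac
    done
    [ "$policy" = ACCEPT ]
}

# Prints a verdict for the listing on stdin; on a live host run:
#   ip6tables -S OUTPUT | report_ipv6_https_egress
report_ipv6_https_egress() {
    if ipv6_https_egress_allowed; then
        echo "outbound TCP 443 over IPv6: allowed"
    else
        echo "outbound TCP 443 over IPv6: BLOCKED (fix: ip6tables -I OUTPUT 1 -p tcp --dport 443 -j ACCEPT)"
    fi
}

# Constructed listing matching the article's symptoms: only loopback and SSH
# may leave the host, everything else is dropped, so the ACME connect times out.
BLOCKED_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j DROP'

# Constructed listing of the same chain after the article's fix was applied.
FIXED_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j DROP'

printf '%s\n' "$BLOCKED_LISTING" | report_ipv6_https_egress
printf '%s\n' "$FIXED_LISTING" | report_ipv6_https_egress
```

After opening the port, confirm end to end with `curl -6 -sS --max-time 10 -o /dev/null https://acme-v02.api.letsencrypt.org/directory`, which fails with a timeout while the rule is still missing and returns silently once the endpoint answers over IPv6.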