Confconsole Let's Encrypt - badNonce - JWS has no anti-replay nonce

[JedMeister]

A recent update to Let's Encrypt has caused issues with older versions of Dehydrated (the Let's Encrypt client we use with Confconsole). And soon after, the v1 API was deprecated and only users with existing certificates can access the v1 API endpoint.

So there are a number of issues that have all occurred within a brief period of time. This post has got a bit messy, so I've completely rewritten it [Oct 18th 2019]. And struck most of it out and added a new section [Nov 12th 2019].

---

Please see the Confconsole v1.1.1 Release notes Confconsole v1.1.2 Release notes for how to update.

---

Setting up. These instructions should be run in a single shell session. If you run the separate steps at separate times or in separate shells, then you will need to re-run this first setup bit:

# set vars to use
DEHYD_ETC=/etc/dehydrated
SHARE=/usr/share/confconsole/letsencrypt
CONFIG="$DEHYD_ETC/confconsole.config"
GH_URL=https://github.com/turnkeylinux/confconsole/master
GH_HOOK=share/letsencrypt/dehydrated-confconsole.hook.sh
CC_HOOK="$DEHYD_ETC/confconsole.hook.sh"
SH_HOOK=$SHARE/dehydrated-confconsole.hook.sh

Now the actual steps to fix the issues:

1. Update Dehydrated:

# add stretch-backports repo and updated dehydrated:
echo "deb http://http.debian.net/debian stretch-backports main" > /etc/apt/sources.list.d/backports.list
apt update
apt install -t stretch-backports dehydrated

2. Download the updated TurnKey hook script:

wget $GH_URL/$GH_HOOK -O $SH_HOOK
cp $SH_HOOK $CC_HOOK

3. Update the config to use the v2 API end point:

echo 'CA="https://acme-v02.api.letsencrypt.org/directory"' >> $CONFIG
echo 'CA_TERMS="https://acme-v02.api.letsencrypt.org/terms"' >> $CONFIG

4. Manually run the new Dehydrated to accept the terms of service for Let's Encrypt:

/usr/bin/dehydrated --register --accept-terms

5. Launch Confconsole and attempt to get a new certificate.

If you wish to just run the script directly (rather than via confconsole), this should do the trick:

/usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper

Hopefully you should now have a working certificate...! 😄 Don't forget to enable auto cert updates (via confconsole - if you haven't already).

Users with multiple domains should also be aware of #1360. It doesn't appear to cause problems when only one domain is used (and I've tested with 2 and it seemed ok). I plan to look into that a bit closer ASAP, but no ETA.

---

Users who have previously addressed this issue by updating Dehydrated via some other method can leave their system as is if they wish. Or alternatively, they can install the version from the stretch backports repo (as above; they should be roughly the same version). Note that if the package has been held, then the hold will need to be removed first. I.e.:

apt-mark unhold dehydrated

[Previous ramblings removed for clarity]

[JedMeister]

I just updated the OP to fix up some mistakes.

Also @thmai11 thanks for your post on the forums. Deepest apologies that I accidentally deleted your website user account 😭 (I was intending to add you to the "contributor" group so future posts will avoid the spam filters - but on auto pilot I accidentally clicked 'cancel' instead of 'save'.) (Top post has been rewritten)

[kalian]

/etc/dehydrated/confconsole.hook.sh : line 54
this_hookscript_is_broken__dehydrated_is_working_fine___please_ignore_unknown_hooks_in_your_script: command not found
(((((((

[thmai11]

@kalian Look like you did not update the hook script "/etc/dehydrated/confconsole.hook.sh"

[kalian]

my bad....i miss this))))))

[JedMeister]

FWIW, I've just updated the OP with details of the related Debian bug report. If you follow the link, editing the Dehydrated script itself is an alternate option to resolving this issue.

The fix I'd already documented is still an option. (Top post has been re-written)

[spyrule]

Typo error in your instructions:

# assuming same shell session as above codeblock
cp /usr/share/$FILE /etc/dehydrated/confconsole.hook.sh

should read:

# assuming same shell session as above codeblock
cp /usr/share/confconsole/$FILE /etc/dehydrated/confconsole.hook.sh

[JedMeister]

@spyrule - Oops! Thanks for the heads up. I've fixed it in the OP.

[deutrino]

This definitely just bit me with the Gitea ISO image current as of yesterday.

[JedMeister]

@deutrino - Yes I need to consolidate all this info into a simple step-by-step. In the meantime, please let me know if you have any issues apply the fix.

[timhibberd]

@JedMeister you refer to updating the OP (Original Post??) what OP? Also...could you restate the solution...the trail above is a bit confusing as to how to patch LE or whether there is a safe patch. Cheers :-)

[JedMeister]

@timhibberd - Done. It was a mess, so I've given it a good tidy up... 😄

[timhibberd]

Thanks for the update Jed...much appreciated :-)

For those who are reading this issue for the first time...the tidied up instructions are at the top of this issue. Ignore the reference to OP (Original Post).