## Problem Description
SSL certificate has expired on a domain. Sympl-ssl says it has a valid certificate that expired in February 2025, but the files in config/ssl/current are from November and the certificate expired yesterday. If I delete the set of certificate files, and run sympl-ssl again it comes up with the error message about “invalid anti-replay nonce.”
The domain is maryanahata.co.uk, if that helps. I fear others on the same host will expire in the same way as time goes on.
Any Error Messages
!! Failed: JWS has an invalid anti-replay nonce: "LPSR-4-srdnPkxygIzyGJsKMiZOxyreCW7_w5edN6fc5iJX1mUo"
Environment
- Sympl Version: 12
- Sympl Testing Version: no
- Debian Version: 12
- Hardware Type: VPS
- Hosted With: Bitfolk
Slight progress but still a mystery: searching the web for that error message suggests it may be a temporary condition and to retry until it works. I ran sympl-ssl again and it seems to have worked and stored a correctly dated certificate in the right place, but my browser (even after telling it to “forget” the site) is still complaining and showing the expired certificate.
I’m seeing a cert on the site which was issued today and expires in March, so that’s likely just browser caching.
In Chrome and others you can get round this with a “guest” profile, as that doesn’t carry over any info from your normal profile.
Solved (I think)
I might have modified /etc/apache2/sites-available/maryanahata.co.uk.conf, which resulted in Sympl not updating it when renewing the certificate. I notice that, apart from referencing
/srv/maryanahata.co.uk/config/ssl/current/ssl.combined
which is a symlink, it also refers to files in
/srv/maryanahata.co.uk/config/ssl/sets/42/
which is only the current instance of certificate files and would have to be updated each time the certificate is renewed.
I have deleted the config file and let Sympl recreate it from the template and Firefox is happy now.
Thanks - if it happens again, I’ll try that (if I can find out how to do it), but it’s likely you saw the certificate just after I’d fixed the problem as described above.
Thanks for looking anyway!
Silly me! I have now read and understood the comment above the SSL path lines warning me to comment out the references to explicit certificate directories and uncomment the references to the symlink if the file has been modified.
(There was a good reason for recently modifying the config file locally, to provide an extra path for PHP’s open_basedir setting. All correctly configured now, I hope.)
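A check for the other sites on the same host, as an added example that is not part of the thread or of Sympl's own tooling: it lists vhost files whose active SSL directives reference a numbered set under config/ssl/sets/ rather than the config/ssl/current symlink. The directive names matched (SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile) and the sample files are assumptions, since the thread does not show the generated config.

```shell
#!/bin/sh
# Added example: flag Apache vhost files whose active SSL directives point at
# a numbered certificate set (config/ssl/sets/<n>/) instead of the
# config/ssl/current symlink, so a renewal would not be picked up.

# find_pinned_cert_paths DIR
# Prints "file:line:directive path" for each uncommented SSLCertificate*
# directive in DIR/*.conf that references a numbered set directory.
find_pinned_cert_paths() {
    dir=$1
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v f="$conf" '
            /^[ \t]*#/ { next }   # commented-out alternatives are harmless
            # Apache directive names are case-insensitive
            tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ &&
            $2 ~ /\/config\/ssl\/sets\/[0-9]+\// {
                printf "%s:%d:%s %s\n", f, NR, $1, $2
            }' "$conf"
    done
}

# Dry run over constructed sample vhost files (not taken from the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/pinned.example.conf" <<'EOF'
<VirtualHost *:443>
    # SSLCertificateFile /srv/pinned.example/config/ssl/current/ssl.combined
    SSLCertificateFile /srv/pinned.example/config/ssl/sets/42/ssl.combined
</VirtualHost>
EOF
    cat > "$tmp/ok.example.conf" <<'EOF'
<VirtualHost *:443>
    SSLCertificateFile /srv/ok.example/config/ssl/current/ssl.combined
    # SSLCertificateFile /srv/ok.example/config/ssl/sets/7/ssl.combined
</VirtualHost>
EOF
    find_pinned_cert_paths "$tmp"
    rm -rf "$tmp"
}

# On a real host: find_pinned_cert_paths /etc/apache2/sites-available
demo
```

Any file it reports will keep serving the old set after the next renewal until the pinned path is switched back to the symlink or the file is regenerated from the template.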