
Issues seen in an AWS cloud deployment #5

Open
colelloa opened this issue Oct 2, 2023 · 2 comments

Comments

@colelloa

colelloa commented Oct 2, 2023

Hi,

Thanks so much for authoring this project - it is incredibly useful and well put-together, and I've found a great amount of value in it overall.

I stood up an instance of this a few months ago on an Ubuntu t2.medium instance on AWS. For the most part it works, but I occasionally get this error:

Oct 02 17:31:42 ip-10-48-1-253 redirect[27253]: {
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:     at file:///home/ubuntu/forward-domain/src/sni.js:61:53
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:     at Client.generateCertificate (file:///home/ubuntu/forward-domain/src/certnode/lib/client.js:83:44)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:     at processTicksAndRejections (node:internal/process/task_queues:95:5)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:     at Client.newOrder (file:///home/ubuntu/forward-domain/src/certnode/lib/client.js:286:19)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: }
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:   "status": 400
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:   "detail": "JWS has an invalid anti-replay nonce: \"<edited-out>\"",
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:   "type": "urn:ietf:params:acme:error:badNonce",
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: Error: newOrder() Status Code: 400 Data: {
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:     at file:///home/ubuntu/forward-domain/src/sni.js:61:53
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:     at Client.generateCertificate (file:///home/ubuntu/forward-domain/src/certnode/lib/client.js:83:44)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:     at processTicksAndRejections (node:internal/process/task_queues:95:5)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:     at Client.newOrder (file:///home/ubuntu/forward-domain/src/certnode/lib/client.js:286:19)
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: }
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:   "status": 400
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:   "detail": "JWS has an invalid anti-replay nonce: \"<edited-out>\"",
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]:   "type": "urn:ietf:params:acme:error:badNonce",
Oct 02 17:31:40 ip-10-48-1-253 redirect[27253]: Error: newOrder() Status Code: 400 Data: {

My server is run via systemd; the service file is reproduced here:

[Unit]
Description=Redirect proxy service
After=syslog.target network.target postgresql.service

[Service]
User=ubuntu
Type=simple
LimitNOFILE=4096
IgnoreSIGPIPE=false
KillMode=process
Environment=NVM_DIR=/home/ubuntu/.nvm
Environment=PATH=/home/ubuntu/.nvm/versions/node/v18.17.1/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
ExecStart=/home/ubuntu/.nvm/versions/node/v18.17.1/bin/pm2-runtime /home/ubuntu/forward-domain/app.js -i max
Restart=always
RestartSec=5s
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=redirect

[Install]
WantedBy=multi-user.target

Curious what I am doing wrong to get these errors. Occasionally, when adding new domains or using old ones, the redirect does not work. I've seen this error with CNAMEs and A records, but more consistently with A records; I actually can't get A records to work right now, which is why I'm opening the issue in general!

Thank you very much for your time here, and thanks again for the fantastic app!

@willnode
Owner

Hi,

From your error message, it seems quite likely that the request is being modified by some proxy in AWS? I don't know, because I use other cloud platforms and it just works fine. Let me leave this open for a moment in case someone else has this problem too.

@willnode
Owner

After some reading, I think this is because the server is spawned in parallel. That is a common load-balancing strategy in a cloud environment, and it is currently not supported. I think sticking to one VM and one static IP address is best.

https://community.letsencrypt.org/t/jws-has-invalid-anti-replay-nonce-status-400/84004/8
