Nonce is empty. Exiting. dig output of acme-v01.api.letsencrypt.org

Last Modified: Oct 10, 2019, 4:29 pm
When creating a certificate, if you get the error:

Getting challenge for server.yourhost.com from acme-server...
Nonce is empty. Exiting. dig output of acme-v01.api.letsencrypt.org:
api.letsencrypt.org.edgekey.net.
e981.dscb.akamaiedge.net.
1.2.3.4
Full nonce request output:

A report shows that it can be caused by the nonce request line in letsencrypt.sh, shown here together with the curl command it expands to:

"FULL_NONCE="`${CURL} ${CURL_OPTIONS} --silent -I ${API}/directory`": /usr/local/bin/curl --connect-timeout 15 -k -I https://acme-v01.api.letsencrypt.org/directory

throwing the error

curl: (43) CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!

which likely means your version of curl is old and should be updated. You can do this with CustomBuild:

cd /usr/local/directadmin/custombuild
./build update
./build curl



A similar report is related to the CustomBuild curl linking against an RPM-based curl library, e.g.:

[root@server scripts]# /usr/local/bin/curl --connect-timeout 15 -k -I https://acme-v01.api.letsencrypt.org/directory
curl: (48) An unknown option was passed in to libcurl
[root@server scripts]# ldd /usr/local/bin/curl | grep curl
       libcurl.so.4 => /lib64/libcurl.so.4 (0x00007fdd1411a000)

where it should be /usr/local/lib/libcurl.so.4.
To resolve that, remove the libcurl-devel rpm, re-compile curl, and run ldconfig:

rpm -e libcurl-devel
cd /usr/local/directadmin/custombuild
./build curl
ldconfig

and confirm:

[root@server custombuild]# ldd /usr/local/bin/curl | grep curl
       libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x00007f17c3cd5000)





Reported error:

Requesting new certificate order...
Nonce is empty. Exiting. dig output of acme-v02.api.letsencrypt.org:
prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248
Full nonce request output:
HTTP/2 200
server: nginx
date: Thu, 10 Oct 2019 05:10:04 GMT
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 00013TyemkZQGnX2K1N4l76MLUN-WybdRuqsJjKWrYpsHWA
x-frame-options: DENY
strict-transport-security: max-age=604800

The solution to this one is simply to grab an updated letsencrypt.sh script:

cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
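The two checks described on this page (the libcurl link of the CustomBuild curl, and the replay-nonce lookup that letsencrypt.sh does against the ACME directory) as a small added script. This is not DirectAdmin's letsencrypt.sh; the API URL, the curl path and the embedded sample outputs are assumptions copied from the outputs quoted above, and the live run against the real server only happens with --live.

```shell
#!/bin/sh
# Added example, not DirectAdmin's letsencrypt.sh: reproduce the nonce check
# and the libcurl link check from this page so each can be run by hand.
API="https://acme-v02.api.letsencrypt.org"   # assumed ACME v2 endpoint
CURL="${CURL:-/usr/local/bin/curl}"           # CustomBuild's curl, as on this page

# Print the Replay-Nonce value from "curl -I" output read on stdin.
# HTTP/2 lowercases header names, so compare case-insensitively.
extract_nonce() {
    tr -d '\r' | awk 'tolower($1) == "replay-nonce:" { print $2; exit }'
}

# Print the libcurl path from "ldd" output read on stdin (empty if not found).
libcurl_path_from_ldd() {
    awk '$1 ~ /^libcurl\.so/ { print $3; exit }'
}

# Return 0 when a nonce was obtained, 1 with the page's error text when empty.
require_nonce() {
    if [ -z "$1" ]; then
        echo "Nonce is empty. Exiting." >&2
        return 1
    fi
    echo "Got nonce: $1"
}

# Return 0 when curl links the CustomBuild libcurl, 1 when it links an RPM one.
require_local_libcurl() {
    case "$1" in
        /usr/local/lib/libcurl.so*) return 0 ;;
        *) echo "curl links $1; expected /usr/local/lib/libcurl.so.4" >&2; return 1 ;;
    esac
}

# Constructed samples taken from the outputs quoted on this page.
SAMPLE_HEADERS='HTTP/2 200
server: nginx
replay-nonce: 00013TyemkZQGnX2K1N4l76MLUN-WybdRuqsJjKWrYpsHWA
x-frame-options: DENY'
SAMPLE_LDD_BAD='       libcurl.so.4 => /lib64/libcurl.so.4 (0x00007fdd1411a000)'

# Live run against the real binary and server only when asked for.
if [ "${1:-}" = "--live" ]; then
    require_local_libcurl "$(ldd "$CURL" | libcurl_path_from_ldd)"
    require_nonce "$("$CURL" --connect-timeout 15 --silent -I "$API/directory" | extract_nonce)"
else
    require_nonce "$(printf '%s\n' "$SAMPLE_HEADERS" | extract_nonce)"
    require_local_libcurl "$(printf '%s\n' "$SAMPLE_LDD_BAD" | libcurl_path_from_ldd)" || true
fi
```

Without arguments the script only exercises the embedded samples; the sample ldd line deliberately shows the bad /lib64 link so the failure message is visible.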





Reported solution for Debian/Ubuntu

Edit

/etc/ld.so.conf

and change the order of the paths so that /usr/local/lib comes first, so the file looks like:

/usr/local/lib/
include /etc/ld.so.conf.d/*.conf

save, then run

ldconfig

We've not tested this, as it could affect the libraries that system binaries use. Be sure to fully test things, especially sshd (restart the sshd server and test a login), before logging out of the current ssh session.

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST