From: Theo Buehler
Subject: Re: acme-client(1): handle badNonce
To: tech
Date: Wed, 11 Jun 2025 23:11:17 +0200

On Wed, Jun 11, 2025 at 08:34:29PM +0200, Florian Obser wrote:
>
> Found with pebble.
>
> RFC 8555 6.5 has:
>
>    When a server rejects a request because its nonce value was
>    unacceptable (or not present), it MUST provide HTTP status code 400
>    (Bad Request), and indicate the ACME error type
>    "urn:ietf:params:acme:error:badNonce". An error response with the
>    "badNonce" error type MUST include a Replay-Nonce header field with a
>    fresh nonce that the server will accept in a retry of the original
>    query (and possibly in other requests, according to the server's
>    nonce scoping policy). On receiving such a response, a client SHOULD
>    retry the request using the new nonce.
> [...]
>    However, when
>    retrying in response to a "badNonce" error, the client MUST use the
>    nonce provided in the error response.
>
> OK?

Unless you really want to keep the warnx("GOTO AGAIN"), it's probably
better to commit it without it.

ok tb
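
The retry rule quoted from RFC 8555 6.5 above, as an added example that is not part of this thread or of acme-client's code: a client loop that retries on badNonce using the nonce from the error response. The mock server, the names mock_post and post_with_retry, the MAX_RETRIES bound and the nonce strings are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define BADNONCE    "urn:ietf:params:acme:error:badNonce"
#define MAX_RETRIES 3	/* assumption: bound retries against a misbehaving server */
struct resp {
	int  status;	/* HTTP status code */
	char type[64];	/* ACME error type, empty on success */
	char nonce[32];	/* Replay-Nonce header value */
};
/* Constructed mock server: accepts only the nonce it issued last. */
static char srv_nonce[32] = "nonce-0";
static int  srv_counter, srv_requests, srv_broken;

static struct resp mock_post(const char *nonce)
{
	struct resp r = { 200, "", "" };
	srv_requests++;
	if (srv_broken || strcmp(nonce, srv_nonce) != 0) {
		r.status = 400;
		strcpy(r.type, BADNONCE);
	}
	snprintf(srv_nonce, sizeof(srv_nonce), "nonce-%d", ++srv_counter);
	strcpy(r.nonce, srv_nonce);	/* error responses carry a fresh nonce too */
	return r;
}

/* Returns the final HTTP status, or -1 if badNonce persists. */
static int post_with_retry(char *nonce, size_t noncesz)
{
	for (int tries = 0; tries <= MAX_RETRIES; tries++) {
		struct resp r = mock_post(nonce);
		int bad = r.status == 400 && strcmp(r.type, BADNONCE) == 0;
		if (bad && r.nonce[0] == '\0')
			return -1;	/* no Replay-Nonce to retry with */
		/* The retry must use the nonce from the error response. */
		snprintf(nonce, noncesz, "%s", r.nonce);
		if (!bad)
			return r.status;
	}
	return -1;
}

int main(void)
{
	char nonce[32] = "stale";	/* constructed: rejected by the mock */
	int status = post_with_retry(nonce, sizeof(nonce));
	printf("status=%d requests=%d next=%s\n", status, srv_requests, nonce);
	return status == 200 ? 0 : 1;
}
```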