From: Florian Obser
Subject: Re: acme-client(1): handle badNonce
To: tech@openbsd.org
Date: Thu, 12 Jun 2025 06:35:52 +0200

On 2025-06-11 23:11 +02, Theo Buehler wrote:
> On Wed, Jun 11, 2025 at 08:34:29PM +0200, Florian Obser wrote:
>>
>> Found with pebble.
>>
>> RFC 8555 6.5 has:
>>
>> When a server rejects a request because its nonce value was
>> unacceptable (or not present), it MUST provide HTTP status code 400
>> (Bad Request), and indicate the ACME error type
>> "urn:ietf:params:acme:error:badNonce". An error response with the
>> "badNonce" error type MUST include a Replay-Nonce header field with a
>> fresh nonce that the server will accept in a retry of the original
>> query (and possibly in other requests, according to the server's
>> nonce scoping policy). On receiving such a response, a client SHOULD
>> retry the request using the new nonce.
>> [...]
>> However, when
>> retrying in response to a "badNonce" error, the client MUST use the
>> nonce provided in the error response.
>>
>> OK?
>
> Unless you really want to keep the warnx("GOTO AGAIN"), it's probably
> better to commit it without it.

ugh, thanks for catching that.

>
> ok tb
>

-- 
In my defence, I have been left unsupervised.
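The badNonce retry rule quoted from RFC 8555 6.5 above, modelled as an added standalone example (this is not acme-client's code and not pebble; the FakeAcmeServer, the "nonce-N" values and the retry bound are constructed for illustration): the server answers a stale nonce with 400, the badNonce error type and a Replay-Nonce header, and the client retries with exactly that nonce, with a cap so a server that keeps rejecting cannot loop it forever.

```python
import json
from collections import namedtuple

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"
MAX_BAD_NONCE_RETRIES = 3  # bound the loop so a misbehaving server cannot spin us forever
Response = namedtuple("Response", "status headers body")

class FakeAcmeServer:
    """Constructed stand-in for an ACME server: accepts only nonces it issued,
    each once, and answers badNonce the way RFC 8555 6.5 requires."""
    def __init__(self, reject_all=False):
        self.reject_all, self.seen = reject_all, []  # seen: nonces the client sent
        self._counter, self._valid = 0, set()

    def new_nonce(self):
        self._counter += 1
        self._valid.add(f"nonce-{self._counter}")
        return f"nonce-{self._counter}"

    def post(self, nonce, payload):
        self.seen.append(nonce)
        if self.reject_all or nonce not in self._valid:
            body = json.dumps({"type": BAD_NONCE, "detail": "bad anti-replay nonce"})
            # 400, badNonce, plus a Replay-Nonce the server will accept on retry
            return Response(400, {"Replay-Nonce": self.new_nonce()}, body)
        self._valid.discard(nonce)  # nonces are single use
        return Response(200, {"Replay-Nonce": self.new_nonce()}, json.dumps({"status": "ok"}))

def is_bad_nonce(resp):
    """True only for a 400 whose problem document has the badNonce error type."""
    if resp.status != 400:
        return False
    try:
        return json.loads(resp.body).get("type") == BAD_NONCE
    except (ValueError, AttributeError):
        return False

def post_with_retry(server, nonce, payload, max_retries=MAX_BAD_NONCE_RETRIES):
    """POST with nonce; on badNonce retry with the nonce from the error response
    (never one fetched from newNonce). Returns (final response, attempts made)."""
    attempts = 0
    while True:
        resp = server.post(nonce, payload)
        attempts += 1
        if not is_bad_nonce(resp):
            return resp, attempts
        nonce = resp.headers.get("Replay-Nonce")
        if nonce is None or attempts > max_retries:  # server broke the MUST, or we loop
            return resp, attempts
```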