
Comments (4)

shred commented on June 1, 2024

"JWS verification error" means that the request failed because of a bad signature. Sadly, there is no further explanation of what actually couldn't get verified by the server.

A reason could be that the Session is in an inconsistent state. The Session contains the key pair of the account, and a matching key identifier. If you use Account.bind() or the AccountBuilder(), the key identifier is set automatically. However, if you create a new Session object and use it for binding a different resource (e.g. an order or a challenge), you must first set the key identifier yourself. For Let's Encrypt, the key identifier is just your account URL. So creating a new Session should work like this:

URI serverUri = // your ACME server URI, e.g. "acme://letsencrypt.org"
KeyPair keyPair = // your account key pair
URL accountUrl = // the URL of your account, from Account.getLocation()

Session session = new Session(serverUri, keyPair);
session.setKeyIdentifier(accountUrl.toString());

I see that this part is missing in the documentation. I'm going to add it...

Does it work if you create a new session like that?

If not, please try to activate debug logging for acme4j. It uses slf4j for logging.


eknori commented on June 1, 2024

Here is the output from the DEBUG log:

2018-08-01 10:06:55.971 DEBUG - create
2018-08-01 10:06:55.971 DEBUG - GET https://acme-staging-v02.api.letsencrypt.org/directory
2018-08-01 10:06:56.285 DEBUG - HEADER X-Frame-Options: DENY
2018-08-01 10:06:56.285 DEBUG - HEADER null: HTTP/1.1 200 OK
2018-08-01 10:06:56.285 DEBUG - HEADER Strict-Transport-Security: max-age=604800
2018-08-01 10:06:56.285 DEBUG - HEADER Cache-Control: max-age=0, no-cache, no-store
2018-08-01 10:06:56.285 DEBUG - HEADER Server: nginx
2018-08-01 10:06:56.285 DEBUG - HEADER Replay-Nonce: UryKFBNFLsrUDGK9xwjf5lbaquivUghxDcz0iz6ZpmQ
2018-08-01 10:06:56.285 DEBUG - HEADER Connection: keep-alive
2018-08-01 10:06:56.285 DEBUG - HEADER Pragma: no-cache
2018-08-01 10:06:56.285 DEBUG - HEADER Expires: Mon, 08 Jan 2018 09:06:56 GMT
2018-08-01 10:06:56.285 DEBUG - HEADER Content-Length: 602
2018-08-01 10:06:56.285 DEBUG - HEADER Date: Mon, 08 Jan 2018 09:06:56 GMT
2018-08-01 10:06:56.285 DEBUG - HEADER Content-Type: application/json
2018-08-01 10:06:56.285 DEBUG - Replay Nonce: UryKFBNFLsrUDGK9xwjf5lbaquivUghxDcz0iz6ZpmQ
2018-08-01 10:06:56.285 DEBUG - Result JSON: {"keyChange":"https://acme-staging-v02.api.letsencrypt.org/acme/key-change","meta":{"termsOfService":"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"},"newAccount":"https://acme-staging-v02.api.letsencrypt.org/acme/new-acct","newNonce":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","newOrder":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","revokeCert":"https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert","tAyo-n4A_zo":"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"}
2018-08-01 10:06:56.316 DEBUG - POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
2018-08-01 10:06:56.316 DEBUG -   Payload: {"termsOfServiceAgreed":true}
2018-08-01 10:06:56.316 DEBUG -   JWS Header: {"nonce":"UryKFBNFLsrUDGK9xwjf5lbaquivUghxDcz0iz6ZpmQ","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-acct","jwk":{"kty":"RSA","n":"yT5usyuk0Lv1lHNjXPzJI2hzf-SDskX20R1VS0cpVcOOJVhbRhY3e3xYlnEppPgeorlFYw0LHrcveDgbyurXenTRrqZwJNy9LUoeYwR6fwYv4d6S15cgGNUQq--neG5jshTY13PEj5R5Fr-fDDjRTMcpb7-LJMgeM1NTeHcDLyZSQZ7RLYKaiO5coJ0fKRsj6KNPbPTQGVsSqRVQ7gN3xIVaQTusbBmc2VyuIRm1vTOr7Nhb4fH2I54ciAPWHpnOBHRhVQgyRRwTuTRvdJcwJt8SF7Wjy_gOZKkxUVXnKFDrjlYubyZMhKCEqoB8BN0tbvwNgIMSxC78R94Ac2uEPw","e":"AQAB"},"alg":"RS256"}
2018-08-01 10:06:56.504 DEBUG - HEADER null: HTTP/1.1 409 Conflict
2018-08-01 10:06:56.504 DEBUG - HEADER Cache-Control: max-age=0, no-cache, no-store
2018-08-01 10:06:56.504 DEBUG - HEADER Server: nginx
2018-08-01 10:06:56.504 DEBUG - HEADER Replay-Nonce: 4pnWrQP_-2N6zVW6Vts0fnBK-sA6y3ROQcJml4uhFkg
2018-08-01 10:06:56.504 DEBUG - HEADER Connection: close
2018-08-01 10:06:56.504 DEBUG - HEADER Pragma: no-cache
2018-08-01 10:06:56.519 DEBUG - HEADER Expires: Mon, 08 Jan 2018 09:06:56 GMT
2018-08-01 10:06:56.519 DEBUG - HEADER Content-Length: 114
2018-08-01 10:06:56.519 DEBUG - HEADER Date: Mon, 08 Jan 2018 09:06:56 GMT
2018-08-01 10:06:56.519 DEBUG - HEADER Location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/5355059
2018-08-01 10:06:56.519 DEBUG - HEADER Content-Type: application/problem+json
2018-08-01 10:06:56.519 DEBUG - Replay Nonce: 4pnWrQP_-2N6zVW6Vts0fnBK-sA6y3ROQcJml4uhFkg
2018-08-01 10:06:56.519 DEBUG - Result JSON: {"type":"urn:ietf:params:acme:error:malformed","detail":"Account key is already in use","status":409}
2018-08-01 10:06:56.519 DEBUG - create
2018-08-01 10:06:56.535 DEBUG - POST https://acme-staging-v02.api.letsencrypt.org/acme/new-order
2018-08-01 10:06:56.535 DEBUG -   Payload: {"identifiers":[{"type":"dns","value":"eknori.testdns.org"}],"notBefore":"2018-01-08T09:06:56.519Z","notAfter":"2018-01-28T09:06:56.519Z"}
2018-08-01 10:06:56.535 DEBUG -   JWS Header: {"nonce":"4pnWrQP_-2N6zVW6Vts0fnBK-sA6y3ROQcJml4uhFkg","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","kid":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/5345609","alg":"RS256"}
2018-08-01 10:06:56.785 DEBUG - HEADER null: HTTP/1.1 400 Bad Request
2018-08-01 10:06:56.785 DEBUG - HEADER Cache-Control: max-age=0, no-cache, no-store
2018-08-01 10:06:56.785 DEBUG - HEADER Server: nginx
2018-08-01 10:06:56.785 DEBUG - HEADER Replay-Nonce: G1T0ILW_Agy43o3-GblUmjNlbUh-oEBmzHIteBk7wic
2018-08-01 10:06:56.785 DEBUG - HEADER Connection: close
2018-08-01 10:06:56.785 DEBUG - HEADER Pragma: no-cache
2018-08-01 10:06:56.800 DEBUG - HEADER Expires: Mon, 08 Jan 2018 09:06:56 GMT
2018-08-01 10:06:56.800 DEBUG - HEADER Boulder-Requester: 5345609
2018-08-01 10:06:56.800 DEBUG - HEADER Content-Length: 107
2018-08-01 10:06:56.800 DEBUG - HEADER Date: Mon, 08 Jan 2018 09:06:56 GMT
2018-08-01 10:06:56.800 DEBUG - HEADER Content-Type: application/problem+json
2018-08-01 10:06:56.800 DEBUG - Replay Nonce: G1T0ILW_Agy43o3-GblUmjNlbUh-oEBmzHIteBk7wic
2018-08-01 10:06:56.816 DEBUG - Result JSON: {"type":"urn:ietf:params:acme:error:malformed","detail":"JWS verification error","status":400}

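As an added example (not code from the thread and not part of acme4j), the Python below runs the check that the log above invites over a constructed, trimmed copy of that kind of DEBUG output: it takes the Location the newAccount call returned and compares it with the kid that every later POST was signed with. It assumes acme4j's DEBUG line format exactly as it appears in the log ("POST <url>", "JWS Header: {...}", "HEADER null: HTTP/1.1 <status> ...", "HEADER Location: <url>", "Result JSON: {...}") and the RFC 8555 rule that a signed ACME request carries exactly one of jwk (newAccount only) or kid (the account URL). SAMPLE_LOG is constructed, with the RSA modulus and nonces shortened.

```python
"""Find the cause of an ACME "JWS verification error" in an acme4j DEBUG log.

Added example, not from the thread or acme4j. SAMPLE_LOG is constructed
(trimmed from the kind of output quoted in the thread, modulus and nonces
shortened); the line format is what acme4j logs at DEBUG level.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
2018-08-01 10:06:55.971 DEBUG - GET https://acme-staging-v02.api.letsencrypt.org/directory
2018-08-01 10:06:56.285 DEBUG - Result JSON: {"newAccount":"https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"}
2018-08-01 10:06:56.316 DEBUG - POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
2018-08-01 10:06:56.316 DEBUG -   JWS Header: {"nonce":"UryKFBNF","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-acct","jwk":{"kty":"RSA","n":"yT5usyuk","e":"AQAB"},"alg":"RS256"}
2018-08-01 10:06:56.504 DEBUG - HEADER null: HTTP/1.1 409 Conflict
2018-08-01 10:06:56.519 DEBUG - HEADER Location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/5355059
2018-08-01 10:06:56.519 DEBUG - Result JSON: {"type":"urn:ietf:params:acme:error:malformed","detail":"Account key is already in use","status":409}
2018-08-01 10:06:56.535 DEBUG - POST https://acme-staging-v02.api.letsencrypt.org/acme/new-order
2018-08-01 10:06:56.535 DEBUG -   JWS Header: {"nonce":"4pnWrQP_","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","kid":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/5345609","alg":"RS256"}
2018-08-01 10:06:56.785 DEBUG - HEADER null: HTTP/1.1 400 Bad Request
2018-08-01 10:06:56.816 DEBUG - Result JSON: {"type":"urn:ietf:params:acme:error:malformed","detail":"JWS verification error","status":400}
"""

POST_LINE = re.compile(r"DEBUG - POST (\S+)\s*$")
JWS_LINE = re.compile(r"JWS Header: (\{.*\})\s*$")
STATUS_LINE = re.compile(r"HEADER null: HTTP/1\.\d (\d{3})")
LOCATION_LINE = re.compile(r"HEADER Location: (\S+)")
RESULT_LINE = re.compile(r"Result JSON: (\{.*\})\s*$")


@dataclass
class Request:
    url: str
    jws: dict = field(default_factory=dict)      # protected JWS header acme4j logged
    status: Optional[int] = None
    location: Optional[str] = None
    result: dict = field(default_factory=dict)   # response body (problem+json on errors)


@dataclass
class Report:
    account_url: Optional[str] = None                                    # newAccount's Location
    kid_mismatches: List[Tuple[str, str]] = field(default_factory=list)  # (request url, kid used)
    malformed: List[str] = field(default_factory=list)                   # both or neither of jwk/kid
    rejected: List[Tuple[str, int, str]] = field(default_factory=list)   # (url, status, detail)


def parse_requests(log_text: str) -> List[Request]:
    """Group the log into one Request per POST, attaching the lines that follow it."""
    requests: List[Request] = []
    for line in log_text.splitlines():
        m = POST_LINE.search(line)
        if m:
            requests.append(Request(url=m.group(1)))
            continue
        if not requests:
            continue  # lines before the first POST (the GET /directory), nothing to attach
        cur = requests[-1]
        m = JWS_LINE.search(line)
        if m:
            cur.jws = json.loads(m.group(1))
            continue
        m = STATUS_LINE.search(line)
        if m:
            cur.status = int(m.group(1))
            continue
        m = LOCATION_LINE.search(line)
        if m:
            cur.location = m.group(1)
            continue
        m = RESULT_LINE.search(line)
        if m:
            cur.result = json.loads(m.group(1))
    return requests


def analyze(log_text: str) -> Report:
    report = Report()
    for req in parse_requests(log_text):
        has_jwk, has_kid = "jwk" in req.jws, "kid" in req.jws
        if has_jwk == has_kid:
            report.malformed.append(req.url)
        # newAccount returns the account URL in Location: 201 when created, 200 when
        # the key is already bound (RFC 8555 section 7.3), or 409 from the older
        # Boulder behaviour in the thread. That URL is the only valid "kid".
        if has_jwk and req.location and req.status in (200, 201, 409):
            report.account_url = req.location
        if has_kid and report.account_url and req.jws["kid"] != report.account_url:
            report.kid_mismatches.append((req.url, req.jws["kid"]))
        if req.status is not None and req.status >= 400:
            report.rejected.append((req.url, req.status, req.result.get("detail", "")))
    return report


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print("account URL from newAccount Location:", rep.account_url)
    for url, kid in rep.kid_mismatches:
        print(f"kid mismatch: POST {url} was signed with kid={kid}")
    for url, status, detail in rep.rejected:
        print(f"server rejected POST {url}: {status} {detail}")
```

Run it as a script, or call analyze() on a captured log. Whatever Location the newAccount call returns, including on a 409 for a key that is already registered, is the one string the kid must equal; any later POST signed with a different kid is reported with both values, where the server's 400 says only that something did not verify.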

eknori commented on June 1, 2024

Found it, the stored value for KID was wrong.
The stored value is 5345609 but the correct value would be 5355059.

So, no issue with acme4j v2.


shred commented on June 1, 2024

Well, there is a conceptual issue with acme4j v2... The first create account call correctly returned a 409 Conflict, and a Location header that points to the correct account id 5355059. acme4j should be able to handle this situation correctly, and at least return that location URL somewhere.

The Session, KID and existing account handling really needs some improvement.

