Account Key Roll-over 500 Errors in ACME V2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: N/A

I ran this command: I posted data to /acme/key-change

It produced this output: 500 Error

inputData: '"{"resource": "key-change","payload":"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","protected":"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","signature":"GETdMMBlVpnGeUF4b68S9-EHXQw1M_I0Jh5c2Nm97IE3-IzKy5trwhRrOXmIwfU60M3vdrfQNehfCyZHC74nNd5EMa8Xh5KhyzW9m7rrmDwQKIHLZhtPEqmZ9JXrn_jhkkHxAiRvpKOcpqR3bq0akb66wiKfNy06qbyyKRh_ENgrEVCDEEDFmpF6CeOgKdXhcP0u2p-eR_ku9fwk3UZM04m11VpcGRgp06VUtZ2fOeZDs1jbNZS5NlnVwEm-zdGH7AQukID_xCgHkb9rW7RCi-1uDfHMTIQu2VJCrEl8QKlQdefkYVrp3RnESiaDKwCTKEkBc5KJq5ETVh3yhLLZGg"}"'

payload: eyJub25jZSI6ImhMSVVNNDRuMzN2bHlmdm9XUWh0V0Y2MXVvNExEUVRiVHREZWl3dG5zbkkiLCJhbGciOiJSUzI1NiIsInVybCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUva2V5LWNoYW5nZSIsImtpZCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUvYWNjdC8yIn0.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.SooLqxzKPc8euXtPMN2u7NW4EwC3KV_SLEF31kWyr_jSQiHic2SfxH8BRycnV0crl1b8bbExHOk0lGEv7r7BZ6VjoSxNpf_anMtBkwgr4cloEv06UW9SM7nTBAUxtbDyYwPBoHO6VgvzXRXN1l3xMUGf534XFooFKkLppu0EHlUjzDiASdsnro9GQXp10iyVSb9zTnPq7EddvJGKmYo67U29YAUBVwXro4FxTehMoKrLjzK2osDazgBOUjWbyY06Wtr7kmFZ49n-_49bBg83WmLOGGmApOyg_NX4CNCUv9tmtjb3QOyVF6yFpVEZlreuxsoU6FBfVJfB91kb_L5ayQ

body: '{"payload":"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","protected":"eyJub25jZSI6ImhMSVVNNDRuMzN2bHlmdm9XUWh0V0Y2MXVvNExEUVRiVHREZWl3dG5zbkkiLCJhbGciOiJSUzI1NiIsInVybCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUva2V5LWNoYW5nZSIsImtpZCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUvYWNjdC8yIn0","signature":"SooLqxzKPc8euXtPMN2u7NW4EwC3KV_SLEF31kWyr_jSQiHic2SfxH8BRycnV0crl1b8bbExHOk0lGEv7r7BZ6VjoSxNpf_anMtBkwgr4cloEv06UW9SM7nTBAUxtbDyYwPBoHO6VgvzXRXN1l3xMUGf534XFooFKkLppu0EHlUjzDiASdsnro9GQXp10iyVSb9zTnPq7EddvJGKmYo67U29YAUBVwXro4FxTehMoKrLjzK2osDazgBOUjWbyY06Wtr7kmFZ49n-_49bBg83WmLOGGmApOyg_NX4CNCUv9tmtjb3QOyVF6yFpVEZlreuxsoU6FBfVJfB91kb_L5ayQ"}'

responseCode: '500'

headers: HttpHeaders({})

response: ''

data: None

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

More background:
We have had ACME-V1 key-change working for quite a while, but now we are migrating to the ACME-V2 API.
I have posted data according to the spec: https://tools.ietf.org/html/draft-ietf-acme-acme-18

POST /acme/key-change HTTP/1.1
Host: example.com
Content-Type: application/jose+json

{
  "protected": base64url({
    "alg": "ES256",
    "kid": "https://example.com/acme/acct/evOfKhNU60wg",
    "nonce": "S9XaOcxP5McpnTcWPIhYuB",
    "url": "https://example.com/acme/key-change"
  }),
  "payload": base64url({
    "protected": base64url({
      "alg": "ES256",
      "jwk": /* new key */,
      "url": "https://example.com/acme/key-change"
    }),
    "payload": base64url({
      "account": "https://example.com/acme/acct/evOfKhNU60wg",
      "oldKey": /* old key */
    }),
    "signature": "Xe8B94RD30Azj2ea…8BmZIRtcSKPSd8gU"
  }),
  "signature": "5TWiqIYQfIDfALQv…x9C2mg8JGPxl5bI4"
}

Please help on how and where I can check what is wrong.

Your payload appears to be in "JWS Compact Serialization" (https://tools.ietf.org/html/rfc7515#section-7.1), which is the three base64url'd components concatenated together using a period (.).

You need to be using "Flattened JWS Serialization" (https://tools.ietf.org/html/rfc7515#section-7.2.2).

I'm not sure if that is the source of your HTTP 500, given that you haven't provided the error message accompanying the HTTP 500, but that's a start for you.


Hi, thank you very much for the reply. But I am not sure that is the issue: we have been using the same JWS generation for other ACME V2 APIs without problems, and we have also been using this same JWS generation for the ACME V1 key-change API without problems.

Another thing is regarding the HTTP 500: I did not receive any error message accompanying the HTTP 500. Do you know where I can find more information about it? We have our own Boulder server, and this testing has been on our dev Boulder, so we have access to the Boulder logs; I just don't know where to look. Can someone help? Thanks!

You are right, sorry. I got confused by you posting the JWS in compact format. You did encode it correctly in the request body itself.

I think I have found the problem.

It is not a true HTTP 500. I think Boulder is actually panicking and not producing any response, and your HTTP client library is just labeling it a 500, even though nothing was sent on the wire.

The problem with your request is an account kid/URL mismatch.

In your outer JWS’ protected data:

  "kid": "http://qa-le-app01.bos01.corp.akadevqa.com:4001/acme/acct/2"

In your inner JWS’ payload:

  "account": "https://acme-v02.api.letsencrypt.org/acme/acct/131",

These are supposed to be the same.

So, moving on to the question: why does Boulder not produce an HTTP 400 ACME "malformed" error?

I believe there is a bug in Boulder’s error checking:

matchJWSURLs returns a ProblemDetails. Except, the way it is being called, the error is not being assigned to prob.

As a result, L729 is effectively:

return nil, nil

which leads to a nil pointer dereference panic on L1001 here:

As a result of the panic, no HTTP response is written on the wire.

Furthermore, no panic is printed to the Boulder logs (or at least, I can't see it anywhere; perhaps in production they ship it somewhere).

tl;dr: Try fixing your account URL/kids so they match in the inner/outer JWS.

/cc @jsha

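The check described in the post above (inner "account" must equal outer "kid", and a structural defect should produce an ACME "malformed" problem with HTTP 400 rather than a crash), as an added example written here in Go, Boulder's language, but not Boulder's own code. It applies the structural rules of RFC 8555 section 7.3.5 to a key-change request body and returns the problem document the server should answer with. The error strings are this example's own wording, not Boulder's. It assumes that signature verification (outer JWS against the account key looked up by "kid", inner JWS against its "jwk") happens in a separate step; the URLs and the dummy RSA JWK in main() are constructed values.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Problem is the ACME problem document a server returns with HTTP 400 for a structurally bad
// key-change request, instead of dying with no response at all.
type Problem struct {
	Type   string `json:"type"`
	Detail string `json:"detail"`
	Status int    `json:"status"`
}

func (p *Problem) Error() string { return fmt.Sprintf("%d %s: %s", p.Status, p.Type, p.Detail) }

func malformed(detail string) *Problem {
	return &Problem{Type: "urn:ietf:params:acme:error:malformed", Detail: detail, Status: 400}
}

// JWS is the flattened serialization (RFC 7515 section 7.2.2); the outer payload is itself one.
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// header keeps Nonce as a pointer and JWK as raw JSON so "absent" can be told from "empty".
type header struct {
	Alg   string          `json:"alg"`
	JWK   json.RawMessage `json:"jwk"`
	Kid   string          `json:"kid"`
	Nonce *string         `json:"nonce"`
	URL   string          `json:"url"`
}

func decodeJSON(b64 string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(b64)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// CheckKeyChange applies the structural rules of RFC 8555 section 7.3.5 and returns nil or the
// problem document to send. Verifying the outer signature with the account key found via "kid"
// and the inner signature with "jwk" is a separate step, assumed to follow this one.
func CheckKeyChange(body []byte) *Problem {
	var outer, inner JWS
	var oh, ih header
	if err := json.Unmarshal(body, &outer); err != nil {
		return malformed("Request body is not a flattened JWS object: " + err.Error())
	}
	if decodeJSON(outer.Protected, &oh) != nil {
		return malformed("Outer JWS protected header is not base64url-encoded JSON")
	}
	if oh.Kid == "" || oh.Nonce == nil || oh.URL == "" {
		return malformed("Outer JWS header parameters 'kid', 'nonce' and 'url' required")
	}
	if decodeJSON(outer.Payload, &inner) != nil || decodeJSON(inner.Protected, &ih) != nil {
		return malformed("Outer JWS payload is not a flattened inner JWS")
	}
	switch {
	case len(ih.JWK) == 0 || string(ih.JWK) == "null":
		return malformed("Inner JWS header parameter 'jwk' required")
	case ih.URL == "":
		return malformed("Inner JWS header parameter 'url' required")
	case ih.URL != oh.URL:
		return malformed("Inner JWS 'url' must equal the outer JWS 'url'")
	case ih.Nonce != nil:
		return malformed("Inner JWS must not carry a 'nonce' header parameter")
	}
	var pl struct {
		Account string          `json:"account"`
		OldKey  json.RawMessage `json:"oldKey"`
	}
	if decodeJSON(inner.Payload, &pl) != nil {
		return malformed("Inner JWS payload is not base64url-encoded JSON")
	}
	if pl.Account != oh.Kid {
		return malformed(fmt.Sprintf("Inner JWS 'account' %q does not match outer JWS 'kid' %q", pl.Account, oh.Kid))
	}
	if len(pl.OldKey) == 0 {
		return malformed("Inner JWS payload field 'oldKey' required")
	}
	return nil
}

func main() {
	// Constructed request reproducing the thread's first defect: inner "account" is not the outer "kid".
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	kc, jwk := "https://ca.example/acme/key-change", map[string]string{"kty": "RSA", "n": "not-a-real-modulus", "e": "AQAB"}
	inner := JWS{enc(map[string]interface{}{"alg": "RS256", "jwk": jwk, "url": kc}),
		enc(map[string]interface{}{"account": "https://ca.example/acme/acct/131", "oldKey": jwk}), "sig"}
	outer := JWS{enc(map[string]interface{}{"alg": "RS256", "kid": "https://ca.example/acme/acct/2", "nonce": "n", "url": kc}), enc(inner), "sig"}
	body, _ := json.Marshal(outer)
	fmt.Println(CheckKeyChange(body)) // prints the 400 malformed problem naming both URLs
}
```

Call it with the raw POST body; a nil return means the request is structurally sound and can proceed to signature verification and the key swap, and a non-nil return is serialized as application/problem+json with the status it carries. Returning a value instead of panicking is the whole point: a client can act on "does not match outer JWS 'kid'" but not on an empty 500.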

Thanks for the investigation and the excellent bug report, @_az! I agree with your assessment and I’ve filed a corresponding issue at https://github.com/letsencrypt/boulder/issues/4751.


Hi, I tried again with the suggestion for the inner payload (account == kid), but I still end up with a 500 error.
Here is the request:


time: 2020-04-21T20:55:15,484

jobId:

uuid: 88b14672-f35f-4f07-a26f-0082f2ee7032

logLine: Rotate Key. Details at 88b14672-f35f-4f07-a26f-0082f2ee7032 in LeTrafficLog

uri: http://qa-le-app01.bos01.corp.akadevqa.com:4001/acme/key-change

inputData: '"{"resource": "key-change","payload":"eyJhY2NvdW50IjoiaHR0cDovL3FhLWxlLWFwcDAxLmJvczAxLmNvcnAuYWthZGV2cWEuY29tOjQwMDEvYWNtZS9hY2N0LzIiLCJvbGRLZXkiOnsia3R5IjoiUlNBIiwibiI6IkFNaTQ2SVJ6WnU3N2NXNno0emlsaHhDWl9RSTVGbVh0NmJUOUQyamNXRktDeHIxRndmcnE3SGc1akdoZHZUWWRSLU0xczRJU2pzd2lpUGpWcllYOXFPWUNYWngtci1SU2djOFZlRFM3cVV0dEVjMG9tYlNObE11d3VVNkFWRVhlVFBfVkZtaGFyd1pCQ3RrdUtjSE9NSjA1Y0VyeHZ2OXBPTmxvd2t2V0hjUl9HOG9vMWVqM3hQX1NrQjQ2RjU3bm43T19mdS1PS2Y3M05oLW5pS3ZiMTlwc3ZnZTREUXVvWmdRcTV3aktPREN1bURoNUFKaXpLVmRhaXNObGNyMjZLRVJoU0ZhWmk5dUo3eTE3cktuNmdvZGJHUGhMOFp1ZGFyZjY2cHdjamkxZFlmNUw5TmRYZHdxZHZfNll2c2JEZjJnUlFHWnlBUC11YlJkVTRVVk1CWjAiLCJlIjoiQVFBQiJ9fQ","protected":"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","signature":"k93Ej7tGhq9yeq3TGL3PXKlpRCsASrbrMkO8ikM-6MwoqtiNlvfo506P2PfA80UixpKaKY49GqIPr4RlX8aw-Wy3XPsZU_N5scQ6x1q4fSclRsDBwC386jvJHVynPsR9FlnfYoAPbWpeVDwF3VGAM28cb6gOqGSE48uyXb8qDmzCI3READbOYvRLUiQJwj3D3Sk1oUFWOCwjmfizWEzQY-tOVRAEY1WxGAUPlHDJGbHd3S-hgx1BS-Gw_PWhjgMyEvYIU6R7g1er-ZuOw2M_0x8f14GSdWYWToacg1dtwcDzAfb2wOBBkZcWwIMYOdnJNFdqCKS2CdI4luiDNZXd-w"}"'

payload: eyJub25jZSI6IjJSUVFyaFB4dTJ2OVJkeEVPYkNKMXZ5ZlVMWTl3eEQtcEVqTFZEYlRYS0UiLCJhbGciOiJSUzI1NiIsInVybCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUva2V5LWNoYW5nZSIsImtpZCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUvYWNjdC8yIn0.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.keAhIbUHho8OPVBLZqWii9YNVjJSfRcnGjF_ot44iJqbZR6YYGk3sATwLQ9an0JmfYYkAByoG0stAg5CwBmWesuas5KKAT9vRWPraXd5uws1INPKZgjvm4moftF1cz0LE1DhabB0jPxLd-4BGfl4irpy40mEf9jDt-tQyB5AV_AeK6OZxmUBcmztgZXHxnyl7a3wIR3LWgGGdi6wqk19Oim83qlpyb80lkyxvJfSdMWA3FRtv2Ib454_id1bnr5lnp3H7x-U5NgBTnpQUfHiM7i-HCLPSa9Mysb-vL9eshNHftMOo_o0-tJKxmG_fNHgcLASB_N6Bv_LSW-brntYAQ

body: '{"payload":"eyJyZXNvdXJjZSI6ICJrZXktY2hhbmdlIiwicGF5bG9hZCI6ImV5SmhZMk52ZFc1MElqb2lhSFIwY0RvdkwzRmhMV3hsTFdGd2NEQXhMbUp2Y3pBeExtTnZjbkF1WVd0aFpHVjJjV0V1WTI5dE9qUXdNREV2WVdOdFpTOWhZMk4wTHpJaUxDSnZiR1JMWlhraU9uc2lhM1I1SWpvaVVsTkJJaXdpYmlJNklrRk5hVFEyU1ZKNlduVTNOMk5YTm5vMGVtbHNhSGhEV2w5UlNUVkdiVmgwTm1KVU9VUXlhbU5YUmt0RGVISXhSbmRtY25FM1NHYzFha2RvWkhaVVdXUlNMVTB4Y3pSSlUycHpkMmxwVUdwV2NsbFlPWEZQV1VOWVduZ3RjaTFTVTJkak9GWmxSRk0zY1ZWMGRFVmpNRzl0WWxOT2JFMTFkM1ZWTmtGV1JWaGxWRkJmVmtadGFHRnlkMXBDUTNScmRVdGpTRTlOU2pBMVkwVnllSFoyT1hCUFRteHZkMnQyVjBoalVsOUhPRzl2TVdWcU0zaFFYMU5yUWpRMlJqVTNibTQzVDE5bWRTMVBTMlkzTTA1b0xXNXBTM1ppTVRsd2MzWm5aVFJFVVhWdldtZFJjVFYzYWt0UFJFTjFiVVJvTlVGS2FYcExWbVJoYVhOT2JHTnlNalpMUlZKb1UwWmhXbWs1ZFVvM2VURTNja3R1Tm1kdlpHSkhVR2hNT0ZwMVpHRnlaalkyY0hkamFta3haRmxtTlV3NVRtUllaSGR4WkhaZk5sbDJjMkpFWmpKblVsRkhXbmxCVUMxMVlsSmtWVFJWVmsxQ1dqQWlMQ0psSWpvaVFWRkJRaUo5ZlEiLCJwcm90ZWN0ZWQiOiJleUpxZDJzaU9uc2lhM1I1SWpvaVVsTkJJaXdpYmlJNklrRk1VbEpJVVZCMmJuWlhkRFpyZEVkWU1XTnpWM1ZYWlVaU2NraENaMDk2YlV4RlVHSmphSFJSWmxZemVXMXpWWE5IZVdWMFVYazRaMHR2UWxsV05UZ3pObXBxYjNFMFgwdzBjM28yVDNOelEzSmFWemRFTVd0Zll6UXlUMUp1TW1vMVNsY3RNV1ZSWVZBM1RHSlNYMDQ1YVhWdWRHUm1kRzR3ZGxjMWFGOXBOR2d5VWxOT1prbFVaMDEwU3psTWNYUm1PR2t4Y3pGeU1HNVVXbXhKVkdsZllsbEJSekJzVlU0NVFtNUpiV05UYTNSTVp6RkZPRWg1UzFZNWRXbEJkVWx6WkV4Q1JXZDVUbGRUVERCTU5tdHFiRzB3UjBWNlZXWjJWR294ZGt3dFdrUk9VV050TmtWTlpsaDZTR2RuWlcwNGEyZGxRVGN3VjBWSE4xSkxSV1ZsYkhFeE9IUm5ZbUZZVm1JNVFsbFBhV1V5TTJwemJtZzNjbGh4VURoeFZVMTRWV2RWYlZSaFZsVmFaV1UwVVRZMVRqWmpWRmg2WlhwdFlsQkdNVGRWTVdkdU0wbFViMDU1VDIxMmRsVlhNRWx2UmtwcWJFMGlMQ0psSWpvaVFWRkJRaUo5TENKaGJHY2lPaUpTVXpJMU5pSjkiLCJzaWduYXR1cmUiOiJrOTNFajd0R2hxOXllcTNUR0wzUFhLbHBSQ3NBU3Jick1rTzhpa00tNk13b3F0aU5sdmZvNTA2UDJQZkE4MFVpeHBLYUtZNDlHcUlQcjRSbFg4YXctV3kzWFBzWlVfTjVzY1E2eDFxNGZTY2xSc0RCd0MzODZqdkpIVnluUHNSOUZsbmZZb0FQYldwZVZEd0YzVkdBTTI4Y2I2Z09xR1NFNDh1eVhiOHFEbXpDSTNSRUFEYk9ZdlJMVWlRSndqM0QzU2sxb1VGV09Dd2ptZml6V0V6UVktdE9WUkFFWTFXeEdBVVBsSERKR2JIZDNTLWhneDFCUy1Hd19QV2hqZ015RXZZSVU2UjdnMWVyLVp1T3cyTV8weDhmMTRHU2RXWVdUb2FjZzFkdHdjRHpBZmIyd09CQmtaY1d3SU1ZT2RuSk5GZHFDS1MyQ2RJNGx1aUROWlhkLXcifQ","protected":"eyJub25jZSI6IjJSUVFyaFB4dTJ2OVJkeEVPYkNKMXZ5ZlVMWTl3eEQtcEVqTFZEYlRYS0UiLCJhbGciOiJSUzI1NiIsInVybCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUva2V5LWNoYW5nZSIsImtpZCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUvYWNjdC8yIn0","signature":"keAhIbUHho8OPVBLZqWii9YNVjJSfRcnGjF_ot44iJqbZR6YYGk3sATwLQ9an0JmfYYkAByoG0stAg5CwBmWesuas5KKAT9vRWPraXd5uws1INPKZgjvm4moftF1cz0LE1DhabB0jPxLd-4BGfl4irpy40mEf9jDt-tQyB5AV_AeK6OZxmUBcmztgZXHxnyl7a3wIR3LWgGGdi6wqk19Oim83qlpyb80lkyxvJfSdMWA3FRtv2Ib454_id1bnr5lnp3H7x-U5NgBTnpQUfHiM7i-HCLPSa9Mysb-vL9eshNHftMOo_o0-tJKxmG_fNHgcLASB_N6Bv_LSW-brntYAQ"}'

responseCode: '500'

headers: HttpHeaders({})

response: ''

data: None

I don’t know why you’d get 500 again - I don’t. I get a normal ACME error with your request body.

(edit: Oh - If you have not updated your Boulder to the latest master, then it’d still be crashing, per boulder#4751)

$ curl -i -H 'Content-Type: application/jose+json' --data '{"payload":"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","protected":"eyJub25jZSI6IjJSUVFyaFB4dTJ2OVJkeEVPYkNKMXZ5ZlVMWTl3eEQtcEVqTFZEYlRYS0UiLCJhbGciOiJSUzI1NiIsInVybCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUva2V5LWNoYW5nZSIsImtpZCI6Imh0dHA6Ly9xYS1sZS1hcHAwMS5ib3MwMS5jb3JwLmFrYWRldnFhLmNvbTo0MDAxL2FjbWUvYWNjdC8yIn0","signature":"keAhIbUHho8OPVBLZqWii9YNVjJSfRcnGjF_ot44iJqbZR6YYGk3sATwLQ9an0JmfYYkAByoG0stAg5CwBmWesuas5KKAT9vRWPraXd5uws1INPKZgjvm4moftF1cz0LE1DhabB0jPxLd-4BGfl4irpy40mEf9jDt-tQyB5AV_AeK6OZxmUBcmztgZXHxnyl7a3wIR3LWgGGdi6wqk19Oim83qlpyb80lkyxvJfSdMWA3FRtv2Ib454_id1bnr5lnp3H7x-U5NgBTnpQUfHiM7i-HCLPSa9Mysb-vL9eshNHftMOo_o0-tJKxmG_fNHgcLASB_N6Bv_LSW-brntYAQ"}' -H 'Host: qa-le-app01.bos01.corp.akadevqa.com:4001' http://localhost:4001/acme/key-change
HTTP/1.1 100 Continue

HTTP/1.1 400 Bad Request
Boulder-Requester: 2
Cache-Control: public, max-age=0, no-cache
Content-Type: application/problem+json
Link: <http://qa-le-app01.bos01.corp.akadevqa.com:4001/directory>;rel="index"
Replay-Nonce: nn8oSdFcFVB063b4P9HYEETty5PCdAZWuQGzL5nMGfQ
Date: Tue, 21 Apr 2020 21:49:22 GMT
Content-Length: 126

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Inner JWS header parameter 'url' required",
  "status": 400
}

As you see from the error, your inner JWS is missing the url field in the header.

https://tools.ietf.org/html/rfc8555#section-7.3.5 :

The inner JWS MUST meet the normal requirements, with the following differences:

o The inner JWS MUST have a "jwk" header parameter, containing the public key of the new key pair.

o The inner JWS MUST have the same "url" header parameter as the outer JWS.

o The inner JWS MUST omit the "nonce" header parameter.

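To put the rules quoted above together, here is an added example in Go (not code from the thread, from Boulder, or from any ACME client) that builds a complete key-change request in flattened serialization: the inner JWS is signed by the new key and carries alg, jwk and url but no nonce; the outer JWS is signed by the current account key and carries alg, kid, nonce and url; the inner payload's "account" equals the outer "kid"; and both "url" values are the key-change URL. It uses ES256 with P-256 keys because Go's standard library signs those with no extra dependencies (the thread used RS256, which differs only in the signing call). The account URL, key-change URL and nonce in main() are illustrative values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// JWS is the flattened serialization (RFC 7515 section 7.2.2) that ACME requires in the
// request body; the compact "a.b.c" form is for logs, never for the wire.
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwkP256 renders a P-256 public key as the JWK carried in the inner "jwk" header and "oldKey".
func jwkP256(pub *ecdsa.PublicKey) map[string]string {
	coord := func(v *big.Int) string { b := make([]byte, 32); v.FillBytes(b); return b64(b) }
	return map[string]string{"kty": "EC", "crv": "P-256", "x": coord(pub.X), "y": coord(pub.Y)}
}

// signES256 builds one flattened JWS: ES256 over base64url(header) "." base64url(payload),
// with the signature stored as raw r||s (64 bytes), not DER.
func signES256(key *ecdsa.PrivateKey, header map[string]interface{}, payload []byte) (JWS, error) {
	h, err := json.Marshal(header)
	if err != nil {
		return JWS{}, err
	}
	p, pl := b64(h), b64(payload)
	d := sha256.Sum256([]byte(p + "." + pl))
	r, s, err := ecdsa.Sign(rand.Reader, key, d[:])
	if err != nil {
		return JWS{}, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return JWS{Protected: p, Payload: pl, Signature: b64(sig)}, nil
}

// VerifyES256 checks a flattened JWS against a public key, e.g. to confirm both signatures
// before sending (the server checks the outer one with the account key, the inner with jwk).
func VerifyES256(pub *ecdsa.PublicKey, j JWS) bool {
	sig, err := base64.RawURLEncoding.DecodeString(j.Signature)
	if err != nil || len(sig) != 64 {
		return false
	}
	d := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	return ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// BuildKeyChange assembles the RFC 8555 section 7.3.5 request: the inner JWS (signed by the
// NEW key) has alg, jwk and url, no nonce, and the payload {"account", "oldKey"}; the outer
// JWS (signed by the CURRENT account key) has alg, kid, nonce and url and carries the inner
// JWS as its payload. "account" must equal the outer "kid"; both "url"s are the key-change URL.
func BuildKeyChange(oldKey, newKey *ecdsa.PrivateKey, accountURL, keyChangeURL, nonce string) ([]byte, error) {
	innerPayload, err := json.Marshal(map[string]interface{}{
		"account": accountURL, "oldKey": jwkP256(&oldKey.PublicKey),
	})
	if err != nil {
		return nil, err
	}
	inner, err := signES256(newKey, map[string]interface{}{
		"alg": "ES256", "jwk": jwkP256(&newKey.PublicKey), "url": keyChangeURL,
	}, innerPayload)
	if err != nil {
		return nil, err
	}
	innerBytes, _ := json.Marshal(inner) // a struct of three strings; cannot fail
	outer, err := signES256(oldKey, map[string]interface{}{
		"alg": "ES256", "kid": accountURL, "nonce": nonce, "url": keyChangeURL,
	}, innerBytes)
	if err != nil {
		return nil, err
	}
	return json.Marshal(outer)
}

func main() {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Illustrative values; a real client takes them from the account object, the directory and a Replay-Nonce header.
	body, err := BuildKeyChange(oldKey, newKey,
		"https://example.com/acme/acct/evOfKhNU60wg", "https://example.com/acme/key-change", "S9XaOcxP5McpnTcWPIhYuB")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body)) // POST this with Content-Type: application/jose+json
}
```

The JSON it prints is the POST body; VerifyES256 lets you check both signatures locally (outer with the old key, inner with the new one) before sending, which is cheaper than decoding a 400 from the CA, and base64url-decoding the two protected headers is the quickest way to confirm the kid/account and url pairs match.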

Thank you for replying so fast. Let me look into this and try again.

It works!!
Thank you very much!
