Acme new-order requires jwk in jws header?

Hi,

I'm writing my own ACME client and I'm testing this against the staging directory of Let's Encrypt. Following the documentation from the IETF, I implemented getNonce, newAccount and now I am stuck at the newOrder function. According to RFC 8555 - Automatic Certificate Management Environment (ACME), I only need to provide a kid, since I already created a new account. But when I send the payload, I'm getting "Unable to validate JWS :: No embedded JWK in JWS header". Debugging the header results in

map[
   alg:RS256 
   kid:https://acme-staging-v02.api.letsencrypt.org/acme/acct/<accId> 
   nonce:<nonce> 
   url:https://acme-staging-v02.api.letsencrypt.org/acme/new-order
]

This seems to be in order, no? What am I not seeing?

Thanks for your time and have a lovely Sunday.

I don't know much about JWK/JWS, but I'm pretty sure you need to sign the new order payload et cetera. Not just provide a URL to your account URI.

I believe almost all posts are signed and that includes post-over-get or whatever it's called again.

Thank you for your quick answer! I am signing the payload the same way I did with newAccount. I read about the post-over-get, so the only endpoint that I am not signing is the getNonce HEAD endpoint.

Then I don't know.

To help other volunteers debug, please provide the actual JSON payload.

Sorry, I'm an idiot. The URL in the request of the newOrder function was a constant pointing at the same URL as newAccount but with correct JWS headers, which I used to debug, but I obviously didn't see the wrong URL as the headers were correct. My bad!

2 Likes
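The header rule this thread turns on, as an added example that is not the poster's client code and not code from Let's Encrypt, Boulder or Pebble. It is written in Go because the map dump above is Go's. It builds the RFC 8555 section 6.2 protected header with jwk for new-account and kid for every later request, signs the flattened JWS with RS256, and then applies the server-side checks that produce errors like the one quoted above. The account URL, nonces and payloads are constructed placeholders, and acmeHeader, signACME, parseJWS and checkACME are names chosen here, not Boulder's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64 is base64url without padding, as JWS requires (RFC 7515 section 2).
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// acmeHeader builds the RFC 8555 section 6.2 protected header. An empty kid means "no
// account yet", so the public key is embedded as a JWK; otherwise only kid is set.
func acmeHeader(pub *rsa.PublicKey, kid, nonce, url string) map[string]interface{} {
	h := map[string]interface{}{"alg": "RS256", "nonce": nonce, "url": url}
	if kid == "" {
		h["jwk"] = map[string]string{"kty": "RSA", "n": b64(pub.N.Bytes()),
			"e": b64(big.NewInt(int64(pub.E)).Bytes())}
	} else {
		h["kid"] = kid
	}
	return h
}

// signACME returns the flattened JWS serialization (RFC 7515 section 7.2.2) ACME posts.
// A nil payload encodes to "", which is the POST-as-GET form mentioned in the thread.
func signACME(key *rsa.PrivateKey, kid, nonce, url string, payload []byte) ([]byte, error) {
	protected, err := json.Marshal(acmeHeader(&key.PublicKey, kid, nonce, url))
	if err != nil {
		return nil, err
	}
	// RS256: PKCS#1 v1.5 over SHA-256 of base64url(header) "." base64url(payload).
	digest := sha256.Sum256([]byte(b64(protected) + "." + b64(payload)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return json.Marshal(map[string]string{
		"protected": b64(protected), "payload": b64(payload), "signature": b64(sig)})
}

type envelope struct{ Protected, Payload, Signature string }
type header struct {
	Alg, Nonce, URL, Kid string
	JWK                  *json.RawMessage `json:"jwk"`
}

// parseJWS decodes the envelope and its protected header (encoding/json matches keys case-insensitively).
func parseJWS(jws []byte) (env envelope, h header, err error) {
	if err = json.Unmarshal(jws, &env); err != nil {
		return
	}
	raw, err := base64.RawURLEncoding.DecodeString(env.Protected)
	if err != nil {
		return
	}
	err = json.Unmarshal(raw, &h)
	return
}

// checkACME applies the server-side header rules of RFC 8555 section 6.2 to a JWS received
// at requestURL: the header url must equal the request URL, and exactly one of jwk
// (new-account only) or kid (every later request) must be present.
func checkACME(jws []byte, requestURL string, newAccount bool) error {
	_, h, err := parseJWS(jws)
	if err != nil {
		return err
	}
	if h.URL != requestURL {
		return fmt.Errorf("url mismatch: header %q, request %q", h.URL, requestURL)
	}
	hasJWK, hasKid := h.JWK != nil, h.Kid != ""
	switch {
	case hasJWK == hasKid:
		return fmt.Errorf("exactly one of jwk and kid must be present")
	case newAccount && !hasJWK:
		return fmt.Errorf("no embedded JWK in JWS header")
	case !newAccount && !hasKid:
		return fmt.Errorf("kid required at %s", requestURL)
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	newOrder := "https://acme-staging-v02.api.letsencrypt.org/acme/new-order"
	newAcct := "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"
	kid := "https://acme-staging-v02.api.letsencrypt.org/acme/acct/12345" // constructed
	jws, _ := signACME(key, kid, "nonce-1", newOrder, nil)
	// The thread's mistake: a correctly built new-order JWS posted to the new-account URL.
	fmt.Println(checkACME(jws, newOrder, false), "|", checkACME(jws, newAcct, true))
}
```

In this example the url comparison runs before the jwk/kid rule, so a header that says new-order but arrives at the new-account endpoint is rejected for the mismatch alone; the server does not have to look at the signature to catch the bug described in the reply above. When debugging a client, compare the url field of the decoded protected header with the URL the HTTP request actually went to, not just with the header you intended to send.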

Have you seen Pebble yet? https://github.com/letsencrypt/pebble (GitHub - letsencrypt/pebble: A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority.)

It's a lightweight ACME test server that ISRG developed. It is very useful for initial client design and unit tests.

5 Likes