Continued 400 errors on 'new account'

Update : got an order in place.

Update : After switching to UrlEncoded Base64 AND fixing the bug with grabbing the nonce, I was able to establish an account. Thanks for the help.

Update : After changing RSA to RS, I get this : " "detail": "JWS has an invalid anti-replay nonce:"

Update : After fixing errors noticed by Stewe AND UrlEncoding, I get this, which I will work on now : " "detail": "JWS signature header contains unsupported algorithm "RSA256", expected one of RS256, ES256, ES384 or ES512",
"
keys :
m: 26637489082959053513007586321606659349179714646440762619402693163480501381748487249201030947435509204187975805413919564805000798452427117749266058282845397765948345887662388381815538683185845031345726369261170866353259190886146351396566641988171518751508655012570537303166830121000083382971527706077123261617473519555453301136539234112437532732703497188100835680229324580737044385214720865614472561120158738386350146129527796583136692587736958009602965808540444240932398731361488966500375377956618204764287047256000489619733491115305665796684520149031339715149897553542126093153066759174343717232592641760771232101193
ANMCcnh8d7WdueYjBNR9+om/SdUQ5DR9R3iF9G+JjygvOMTie1OEt5WujCGbTrWHi6Fn3s3XjAMgylZPP/1GdF/aaeRjN1dyZTRBu14i/uPukqTTypMIvLDmVhKOxABqWdrtngNj6Uj0LBkUEUP7kcZpv9OMz9y5vDu31ILlW6zwE7K/IRmpGzyVei3YlvUrwNiLP9/aG6qsuOgWpjPhz5/l/FMrXke7I3LXQ0AHwquYYzXj3GFlE/NTwEVSkct0WZY5jHOYQMr5NvKoP/kH6NRFLryOn02rgPFOftsxJpQaGfNIvzUwCotVHKqNqlNgI9fA+XNszEUguuqobo1R80k=

e: 65537
AQAB

jwk:
{"kty":"RSA",", "n":"ANMCcnh8d7WdueYjBNR9+om/SdUQ5DR9R3iF9G+JjygvOMTie1OEt5WujCGbTrWHi6Fn3s3XjAMgylZPP/1GdF/aaeRjN1dyZTRBu14i/uPukqTTypMIvLDmVhKOxABqWdrtngNj6Uj0LBkUEUP7kcZpv9OMz9y5vDu31ILlW6zwE7K/IRmpGzyVei3YlvUrwNiLP9/aG6qsuOgWpjPhz5/l/FMrXke7I3LXQ0AHwquYYzXj3GFlE/NTwEVSkct0WZY5jHOYQMr5NvKoP/kH6NRFLryOn02rgPFOftsxJpQaGfNIvzUwCotVHKqNqlNgI9fA+XNszEUguuqobo1R80k=", "e":"AQAB"}

header : {"alg":"RSA256", "nonce":"gYWQdAkZgQx04yOluBTRLUGQI_6mGGo24Z_B_IXGasXdZEEm4xs", "url":"https://acme-v02.api.letsencrypt.org/acme/new-acct}","jwk":{"kty":"RSA",", "n":"ANMCcnh8d7WdueYjBNR9+om/SdUQ5DR9R3iF9G+JjygvOMTie1OEt5WujCGbTrWHi6Fn3s3XjAMgylZPP/1GdF/aaeRjN1dyZTRBu14i/uPukqTTypMIvLDmVhKOxABqWdrtngNj6Uj0LBkUEUP7kcZpv9OMz9y5vDu31ILlW6zwE7K/IRmpGzyVei3YlvUrwNiLP9/aG6qsuOgWpjPhz5/l/FMrXke7I3LXQ0AHwquYYzXj3GFlE/NTwEVSkct0WZY5jHOYQMr5NvKoP/kH6NRFLryOn02rgPFOftsxJpQaGfNIvzUwCotVHKqNqlNgI9fA+XNszEUguuqobo1R80k=", "e":"AQAB"}}

{"contact":["mailto:sal.secrets.9@gmail.com"]}
eyJjb250YWN0IjpbIm1haWx0bzpzYWwuc2VjcmV0cy45QGdtYWlsLmNvbSJdfQ==

header.payload
eyJhbGciOiJSU0EyNTYiLCAibm9uY2UiOiJnWVdRZEFrWmdReDA0eU9sdUJUUkxVR1FJXzZtR0dvMjRaX0JfSVhHYXNYZFpFRW00eHMiLCAidXJsIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3R9IiwiandrIjp7Imt0eSI6IlJTQSIsIiwgIm4iOiJBTk1DY25oOGQ3V2R1ZVlqQk5SOStvbS9TZFVRNURSOVIzaUY5RytKanlndk9NVGllMU9FdDVXdWpDR2JUcldIaTZGbjNzM1hqQU1neWxaUFAvMUdkRi9hYWVSak4xZHlaVFJCdTE0aS91UHVrcVRUeXBNSXZMRG1WaEtPeEFCcVdkcnRuZ05qNlVqMExCa1VFVVA3a2NacHY5T016OXk1dkR1MzFJTGxXNnp3RTdLL0lSbXBHenlWZWkzWWx2VXJ3TmlMUDkvYUc2cXN1T2dXcGpQaHo1L2wvRk1yWGtlN0kzTFhRMEFId3F1WVl6WGozR0ZsRS9OVHdFVlNrY3QwV1pZNWpIT1lRTXI1TnZLb1Ava0g2TlJGTHJ5T24wMnJnUEZPZnRzeEpwUWFHZk5JdnpVd0NvdFZIS3FOcWxOZ0k5ZkErWE5zekVVZ3V1cW9ibzFSODBrPSIsICJlIjoiQVFBQiJ9fQ==.eyJjb250YWN0IjpbIm1haWx0bzpzYWwuc2VjcmV0cy45QGdtYWlsLmNvbSJdfQ==

digest : KJMxEKP23V63kDOrbvH8xzU2mrfQ6mKT/RLexIvuIIo6v5j1Aw1jmdEc5Oc0FQAGuQo6WXo6YORXDVSC2P823qckScdygN9w2xyLETy0P0tx6lfJMayb9A8/Shw+OBZ/HBVAwvC9Wlev3H4BwPUkYn6bAgwVtSlyUgutPE3kwRPBBUSFMc/Pu6TAwT980bB6sa7JR/TsO6WWMei02JlPf0SwIKBPTxT0/B+ji6UVbe65TNB4suSY1IIPOToLjuPkz7wnUS+FVtBrUF22ZhAO3D3XPMfUR0z9gwrd7VdaZtPvLZUDCsJQ82Y4D1mFdrXTL7zz4YiyLP1ovblPsV9ywg==

json :
{"payload":"eyJjb250YWN0IjpbIm1haWx0bzpzYWwuc2VjcmV0cy45QGdtYWlsLmNvbSJdfQ==", "protected":"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", "signature":"KJMxEKP23V63kDOrbvH8xzU2mrfQ6mKT/RLexIvuIIo6v5j1Aw1jmdEc5Oc0FQAGuQo6WXo6YORXDVSC2P823qckScdygN9w2xyLETy0P0tx6lfJMayb9A8/Shw+OBZ/HBVAwvC9Wlev3H4BwPUkYn6bAgwVtSlyUgutPE3kwRPBBUSFMc/Pu6TAwT980bB6sa7JR/TsO6WWMei02JlPf0SwIKBPTxT0/B+ji6UVbe65TNB4suSY1IIPOToLjuPkz7wnUS+FVtBrUF22ZhAO3D3XPMfUR0z9gwrd7VdaZtPvLZUDCsJQ82Y4D1mFdrXTL7zz4YiyLP1ovblPsV9ywg=="}

I noticed two things:

{"kty":"RSA",",...
             ^
             |
 single double quotes (invalid JSON)

termsOfServiceAgreed=>true field is missing (sibling of "contact") in payload.


Good catch, thanks. BUT, repairing both those errors returns the same result. I think I read in another post that they still need to be urlencoded, but I'm wondering about that one.

key base64
ALmDOSiJ/d78MhQdgAYWNjhwRw4zO+sAU32JdZ4gU8Kah+ykBUgnZP2RQFLTeAP1y/KyRb3gbk1MTG1Vyc7LfOvimZpwfYJ+t1MGJZxUtzSGoi2Og1j7klDMZSfaws2OFZjedjfbwgfguV6/IQ3PQzDmvcMx+Il65OlLHzLqjVpZxO0pDM+1KoxR4REAFC+om//kniC9VsD+KcGEpSfSkRU42a9UmpiPSSv3J+itgdloYBH4bcHAVPug4B0mbKFeKE3SUVeYM4V6cAIoy54TzxC8wrd5hoqerWjZYDCXGcpSd/rz0ZaovJDJvpZ7WjiG1kUpwjqrm2z5b+V0GG0WQc0=
AQAB

jwk
{"kty":"RSA", "n":"ALmDOSiJ/d78MhQdgAYWNjhwRw4zO+sAU32JdZ4gU8Kah+ykBUgnZP2RQFLTeAP1y/KyRb3gbk1MTG1Vyc7LfOvimZpwfYJ+t1MGJZxUtzSGoi2Og1j7klDMZSfaws2OFZjedjfbwgfguV6/IQ3PQzDmvcMx+Il65OlLHzLqjVpZxO0pDM+1KoxR4REAFC+om//kniC9VsD+KcGEpSfSkRU42a9UmpiPSSv3J+itgdloYBH4bcHAVPug4B0mbKFeKE3SUVeYM4V6cAIoy54TzxC8wrd5hoqerWjZYDCXGcpSd/rz0ZaovJDJvpZ7WjiG1kUpwjqrm2z5b+V0GG0WQc0=", "e":"AQAB"}

header
{"alg":"RSA256", "nonce":"gYWQdAkZgQx04yOluBTRLUGQI_6mGGo24Z_B_IXGasXdZEEm4xs", "url":"https://acme-v02.api.letsencrypt.org/acme/new-acct}","jwk":{"kty":"RSA", "n":"ALmDOSiJ/d78MhQdgAYWNjhwRw4zO+sAU32JdZ4gU8Kah+ykBUgnZP2RQFLTeAP1y/KyRb3gbk1MTG1Vyc7LfOvimZpwfYJ+t1MGJZxUtzSGoi2Og1j7klDMZSfaws2OFZjedjfbwgfguV6/IQ3PQzDmvcMx+Il65OlLHzLqjVpZxO0pDM+1KoxR4REAFC+om//kniC9VsD+KcGEpSfSkRU42a9UmpiPSSv3J+itgdloYBH4bcHAVPug4B0mbKFeKE3SUVeYM4V6cAIoy54TzxC8wrd5hoqerWjZYDCXGcpSd/rz0ZaovJDJvpZ7WjiG1kUpwjqrm2z5b+V0GG0WQc0=", "e":"AQAB"}}

payload
{"contact":["mailto:sal.secrets.9@gmail.com"], "termsOfServiceAgreed":true}


You have to use base64url-encoding instead of normal base64-encoding.

It is normal base64-encoding with all + replaced by - and all / replaced by _ and the padding = removed.


The error says exactly what is wrong. RSA256 has an extra "A" that doesn't belong. It should be RS256.


This means that the JWS signature was successfully verified, because the nonce check comes after that.

Make sure you get a fresh nonce value for every request.


Every response from the ACME API will include a Replay-Nonce: header for you to use in your next request to the API. This includes the error response when you present an invalid nonce. So when you get the "invalid anti-replay nonce" error, you should simply retry the same request with the new nonce value provided in the error's headers.

Also, it's fine for you to post new questions in the thread, you don't have to keep editing the top post.

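Pulling the replies together, here is an added example (not code from this thread, nor from any ACME client or from Let's Encrypt) that builds a newAccount JWS the way the replies describe: RS256, base64url without padding, the jwk in the protected header, a nonce taken from the previous response, and termsOfServiceAgreed in the payload. It also lints a JWS for each mistake visible in the posted header, including one nobody called out: the posted "url" value ends in a stray "}" and RFC 8555 §6.4 requires that header to equal the request URL exactly. Assumptions: the RSA key generation and PKCS#1 v1.5 signing are minimal pure-Python stand-ins so the file runs offline (a real client should use a vetted library for both); reading the posted "ANMC..." modulus as a two's-complement sign byte of the kind Java's BigInteger.toByteArray() produces is an inference from the value itself, which decodes to a leading 0x00 octet that RFC 7518's Base64urlUInt encoding forbids; the contact address and nonce strings are placeholders.

```python
# Added example (not code from the thread): an ACME newAccount JWS built per
# RFC 8555 and RFC 7515/7518. RSA key generation and PKCS#1 v1.5 signing are
# pure Python only so this runs offline; a real client should use a vetted library.
import base64, hashlib, json, random, secrets

ACME_NEW_ACCT_URL = "https://acme-v02.api.letsencrypt.org/acme/new-acct"
# Public modulus and exponent copied from the first post of the thread.
THREAD_N = 26637489082959053513007586321606659349179714646440762619402693163480501381748487249201030947435509204187975805413919564805000798452427117749266058282845397765948345887662388381815538683185845031345726369261170866353259190886146351396566641988171518751508655012570537303166830121000083382971527706077123261617473519555453301136539234112437532732703497188100835680229324580737044385214720865614472561120158738386350146129527796583136692587736958009602965808540444240932398731361488966500375377956618204764287047256000489619733491115305665796684520149031339715149897553542126093153066759174343717232592641760771232101193
THREAD_E = 65537
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 §9.2

def b64url(data: bytes) -> str:
    """RFC 7515 base64url: '-' and '_' alphabet, '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_uint(value: int) -> str:
    """RFC 7518 Base64urlUInt: minimal big-endian octets, so never a 0x00 sign byte."""
    return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))

def sign_byte_base64(value: int) -> str:
    """Reproduces the thread's 'ANMC...' modulus: a two's-complement sign byte (what
    Java's BigInteger.toByteArray() emits; an assumption) in padded plain base64."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.b64encode((b"\x00" if raw[0] & 0x80 else b"") + raw).decode("ascii")

def _probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 2048, e: int = 65537) -> tuple:
    """Returns (n, e, d). Let's Encrypt accepts RSA account keys of 2048 bits or more."""
    def prime(k: int) -> int:
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)

def new_account_jws(key: tuple, nonce: str, contact: str, url: str = ACME_NEW_ACCT_URL) -> dict:
    """Flattened JWS for POST newAccount: jwk (not kid) in the protected header, the nonce
    from the previous response, the exact request url, termsOfServiceAgreed in the payload."""
    n, e, d = key
    protected = {"alg": "RS256", "nonce": nonce, "url": url,
                 "jwk": {"kty": "RSA", "n": b64url_uint(n), "e": b64url_uint(e)}}
    payload = {"contact": [contact], "termsOfServiceAgreed": True}
    p64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    pl64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = rs256_sign(f"{p64}.{pl64}".encode("ascii"), n, d)  # signing input: the two base64url parts
    return {"protected": p64, "payload": pl64, "signature": b64url(sig)}

def lint_jws(jws: dict, expected_url: str) -> list:
    """Client-side checks for each mistake that surfaced in the thread."""
    problems = [f"{k} is base64, not base64url" for k in jws if set(jws[k]) & set("+/=")]
    header = json.loads(b64url_decode(jws["protected"]))
    payload = json.loads(b64url_decode(jws["payload"]))
    if header.get("alg") not in {"RS256", "ES256", "ES384", "ES512"}:  # the set Boulder's error lists
        problems.append(f"alg {header.get('alg')!r} unsupported; RSA with SHA-256 is RS256")
    if header.get("url") != expected_url:
        problems.append("url header must equal the request URL (RFC 8555 §6.4)")
    if b64url_decode(header.get("jwk", {}).get("n", "AA"))[0] == 0:  # "AA" decodes to 0x00
        problems.append("jwk n missing or starting with a 0x00 octet (not a Base64urlUInt)")
    if payload.get("termsOfServiceAgreed") is not True:
        problems.append("payload lacks termsOfServiceAgreed: true")
    return problems
```

Build a request with `new_account_jws(generate_rsa_key(), nonce, "mailto:you@example.com")` and run `lint_jws` on it before POSTing; every finding maps to one of the errors quoted above. When the server answers with a badNonce problem, take the Replay-Nonce header from that error response and rebuild the JWS with it rather than reusing the old value.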

Thanks, that seems to have been the solution.

