Continued 400 errors on 'new account'

salsecrets · March 11, 2024, 5:25pm

Update : got an order in place.

Update : After switching to UrlEncoded Base64 AND fixing the bug with grabbing the nonce, I was able to establish an account. thanks for help.

Update : After changing RSA to RS, I get this : " "detail": "JWS has an invalid anti-replay nonce:"

Update : After fixing errors noticed by Stewe AND UrlEncoding, I get this this, which I will work on now : " "detail": "JWS signature header contains unsupported algorithm "RSA256", expected one of RS256, ES256, ES384 or ES512",
"
keys :
m: 26637489082959053513007586321606659349179714646440762619402693163480501381748487249201030947435509204187975805413919564805000798452427117749266058282845397765948345887662388381815538683185845031345726369261170866353259190886146351396566641988171518751508655012570537303166830121000083382971527706077123261617473519555453301136539234112437532732703497188100835680229324580737044385214720865614472561120158738386350146129527796583136692587736958009602965808540444240932398731361488966500375377956618204764287047256000489619733491115305665796684520149031339715149897553542126093153066759174343717232592641760771232101193
ANMCcnh8d7WdueYjBNR9+om/SdUQ5DR9R3iF9G+JjygvOMTie1OEt5WujCGbTrWHi6Fn3s3XjAMgylZPP/1GdF/aaeRjN1dyZTRBu14i/uPukqTTypMIvLDmVhKOxABqWdrtngNj6Uj0LBkUEUP7kcZpv9OMz9y5vDu31ILlW6zwE7K/IRmpGzyVei3YlvUrwNiLP9/aG6qsuOgWpjPhz5/l/FMrXke7I3LXQ0AHwquYYzXj3GFlE/NTwEVSkct0WZY5jHOYQMr5NvKoP/kH6NRFLryOn02rgPFOftsxJpQaGfNIvzUwCotVHKqNqlNgI9fA+XNszEUguuqobo1R80k=

e: 65537
AQAB

jwk:
{"kty":"RSA",", "n":"ANMCcnh8d7WdueYjBNR9+om/SdUQ5DR9R3iF9G+JjygvOMTie1OEt5WujCGbTrWHi6Fn3s3XjAMgylZPP/1GdF/aaeRjN1dyZTRBu14i/uPukqTTypMIvLDmVhKOxABqWdrtngNj6Uj0LBkUEUP7kcZpv9OMz9y5vDu31ILlW6zwE7K/IRmpGzyVei3YlvUrwNiLP9/aG6qsuOgWpjPhz5/l/FMrXke7I3LXQ0AHwquYYzXj3GFlE/NTwEVSkct0WZY5jHOYQMr5NvKoP/kH6NRFLryOn02rgPFOftsxJpQaGfNIvzUwCotVHKqNqlNgI9fA+XNszEUguuqobo1R80k=", "e":"AQAB"}

header : {"alg":"RSA256", "nonce":"gYWQdAkZgQx04yOluBTRLUGQI_6mGGo24Z_B_IXGasXdZEEm4xs", "url":"https://acme-v02.api.letsencrypt.org/acme/new-acct}","jwk":{"kty":"RSA",", "n":"ANMCcnh8d7WdueYjBNR9+om/SdUQ5DR9R3iF9G+JjygvOMTie1OEt5WujCGbTrWHi6Fn3s3XjAMgylZPP/1GdF/aaeRjN1dyZTRBu14i/uPukqTTypMIvLDmVhKOxABqWdrtngNj6Uj0LBkUEUP7kcZpv9OMz9y5vDu31ILlW6zwE7K/IRmpGzyVei3YlvUrwNiLP9/aG6qsuOgWpjPhz5/l/FMrXke7I3LXQ0AHwquYYzXj3GFlE/NTwEVSkct0WZY5jHOYQMr5NvKoP/kH6NRFLryOn02rgPFOftsxJpQaGfNIvzUwCotVHKqNqlNgI9fA+XNszEUguuqobo1R80k=", "e":"AQAB"}}
eyJhbGciOiJSU0EyNTYiLCAibm9uY2UiOiJnWVdRZEFrWmdReDA0eU9sdUJUUkxVR1FJXzZtR0dvMjRaX0JfSVhHYXNYZFpFRW00eHMiLCAidXJsIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3R9IiwiandrIjp7Imt0eSI6IlJTQSIsIiwgIm4iOiJBTk1DY25oOGQ3V2R1ZVlqQk5SOStvbS9TZFVRNURSOVIzaUY5RytKanlndk9NVGllMU9FdDVXdWpDR2JUcldIaTZGbjNzM1hqQU1neWxaUFAvMUdkRi9hYWVSak4xZHlaVFJCdTE0aS91UHVrcVRUeXBNSXZMRG1WaEtPeEFCcVdkcnRuZ05qNlVqMExCa1VFVVA3a2NacHY5T016OXk1dkR1MzFJTGxXNnp3RTdLL0lSbXBHenlWZWkzWWx2VXJ3TmlMUDkvYUc2cXN1T2dXcGpQaHo1L2wvRk1yWGtlN0kzTFhRMEFId3F1WVl6WGozR0ZsRS9OVHdFVlNrY3QwV1pZNWpIT1lRTXI1TnZLb1Ava0g2TlJGTHJ5T24wMnJnUEZPZnRzeEpwUWFHZk5JdnpVd0NvdFZIS3FOcWxOZ0k5ZkErWE5zekVVZ3V1cW9ibzFSODBrPSIsICJlIjoiQVFBQiJ9fQ==

{"contact":["mailto:sal.secrets.9@gmail.com"]}
eyJjb250YWN0IjpbIm1haWx0bzpzYWwuc2VjcmV0cy45QGdtYWlsLmNvbSJdfQ==

header.payload
eyJhbGciOiJSU0EyNTYiLCAibm9uY2UiOiJnWVdRZEFrWmdReDA0eU9sdUJUUkxVR1FJXzZtR0dvMjRaX0JfSVhHYXNYZFpFRW00eHMiLCAidXJsIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3R9IiwiandrIjp7Imt0eSI6IlJTQSIsIiwgIm4iOiJBTk1DY25oOGQ3V2R1ZVlqQk5SOStvbS9TZFVRNURSOVIzaUY5RytKanlndk9NVGllMU9FdDVXdWpDR2JUcldIaTZGbjNzM1hqQU1neWxaUFAvMUdkRi9hYWVSak4xZHlaVFJCdTE0aS91UHVrcVRUeXBNSXZMRG1WaEtPeEFCcVdkcnRuZ05qNlVqMExCa1VFVVA3a2NacHY5T016OXk1dkR1MzFJTGxXNnp3RTdLL0lSbXBHenlWZWkzWWx2VXJ3TmlMUDkvYUc2cXN1T2dXcGpQaHo1L2wvRk1yWGtlN0kzTFhRMEFId3F1WVl6WGozR0ZsRS9OVHdFVlNrY3QwV1pZNWpIT1lRTXI1TnZLb1Ava0g2TlJGTHJ5T24wMnJnUEZPZnRzeEpwUWFHZk5JdnpVd0NvdFZIS3FOcWxOZ0k5ZkErWE5zekVVZ3V1cW9ibzFSODBrPSIsICJlIjoiQVFBQiJ9fQ==.eyJjb250YWN0IjpbIm1haWx0bzpzYWwuc2VjcmV0cy45QGdtYWlsLmNvbSJdfQ==

digest : KJMxEKP23V63kDOrbvH8xzU2mrfQ6mKT/RLexIvuIIo6v5j1Aw1jmdEc5Oc0FQAGuQo6WXo6YORXDVSC2P823qckScdygN9w2xyLETy0P0tx6lfJMayb9A8/Shw+OBZ/HBVAwvC9Wlev3H4BwPUkYn6bAgwVtSlyUgutPE3kwRPBBUSFMc/Pu6TAwT980bB6sa7JR/TsO6WWMei02JlPf0SwIKBPTxT0/B+ji6UVbe65TNB4suSY1IIPOToLjuPkz7wnUS+FVtBrUF22ZhAO3D3XPMfUR0z9gwrd7VdaZtPvLZUDCsJQ82Y4D1mFdrXTL7zz4YiyLP1ovblPsV9ywg==

json :
{"payload":"eyJjb250YWN0IjpbIm1haWx0bzpzYWwuc2VjcmV0cy45QGdtYWlsLmNvbSJdfQ==", "protected":"eyJhbGciOiJSU0EyNTYiLCAibm9uY2UiOiJnWVdRZEFrWmdReDA0eU9sdUJUUkxVR1FJXzZtR0dvMjRaX0JfSVhHYXNYZFpFRW00eHMiLCAidXJsIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3R9IiwiandrIjp7Imt0eSI6IlJTQSIsIiwgIm4iOiJBTk1DY25oOGQ3V2R1ZVlqQk5SOStvbS9TZFVRNURSOVIzaUY5RytKanlndk9NVGllMU9FdDVXdWpDR2JUcldIaTZGbjNzM1hqQU1neWxaUFAvMUdkRi9hYWVSak4xZHlaVFJCdTE0aS91UHVrcVRUeXBNSXZMRG1WaEtPeEFCcVdkcnRuZ05qNlVqMExCa1VFVVA3a2NacHY5T016OXk1dkR1MzFJTGxXNnp3RTdLL0lSbXBHenlWZWkzWWx2VXJ3TmlMUDkvYUc2cXN1T2dXcGpQaHo1L2wvRk1yWGtlN0kzTFhRMEFId3F1WVl6WGozR0ZsRS9OVHdFVlNrY3QwV1pZNWpIT1lRTXI1TnZLb1Ava0g2TlJGTHJ5T24wMnJnUEZPZnRzeEpwUWFHZk5JdnpVd0NvdFZIS3FOcWxOZ0k5ZkErWE5zekVVZ3V1cW9ibzFSODBrPSIsICJlIjoiQVFBQiJ9fQ==", "signature":"KJMxEKP23V63kDOrbvH8xzU2mrfQ6mKT/RLexIvuIIo6v5j1Aw1jmdEc5Oc0FQAGuQo6WXo6YORXDVSC2P823qckScdygN9w2xyLETy0P0tx6lfJMayb9A8/Shw+OBZ/HBVAwvC9Wlev3H4BwPUkYn6bAgwVtSlyUgutPE3kwRPBBUSFMc/Pu6TAwT980bB6sa7JR/TsO6WWMei02JlPf0SwIKBPTxT0/B+ji6UVbe65TNB4suSY1IIPOToLjuPkz7wnUS+FVtBrUF22ZhAO3D3XPMfUR0z9gwrd7VdaZtPvLZUDCsJQ82Y4D1mFdrXTL7zz4YiyLP1ovblPsV9ywg=="}

stewe · March 11, 2024, 6:42pm

I noticed two things:

{"kty":"RSA",",...
             ^
             |
 single double quotes (invalid JSON)

termsOfServiceAgreed=>true field ist missing (sibling of "contact") in payload.

salsecrets · March 11, 2024, 7:28pm

Good catch, thanks. BUT, repairing both those errors returns the same result. I think I read in another post where they still need to be urlencoded but wondering about that one.

key base64
ALmDOSiJ/d78MhQdgAYWNjhwRw4zO+sAU32JdZ4gU8Kah+ykBUgnZP2RQFLTeAP1y/KyRb3gbk1MTG1Vyc7LfOvimZpwfYJ+t1MGJZxUtzSGoi2Og1j7klDMZSfaws2OFZjedjfbwgfguV6/IQ3PQzDmvcMx+Il65OlLHzLqjVpZxO0pDM+1KoxR4REAFC+om//kniC9VsD+KcGEpSfSkRU42a9UmpiPSSv3J+itgdloYBH4bcHAVPug4B0mbKFeKE3SUVeYM4V6cAIoy54TzxC8wrd5hoqerWjZYDCXGcpSd/rz0ZaovJDJvpZ7WjiG1kUpwjqrm2z5b+V0GG0WQc0=
AQAB

jwk
{"kty":"RSA", "n":"ALmDOSiJ/d78MhQdgAYWNjhwRw4zO+sAU32JdZ4gU8Kah+ykBUgnZP2RQFLTeAP1y/KyRb3gbk1MTG1Vyc7LfOvimZpwfYJ+t1MGJZxUtzSGoi2Og1j7klDMZSfaws2OFZjedjfbwgfguV6/IQ3PQzDmvcMx+Il65OlLHzLqjVpZxO0pDM+1KoxR4REAFC+om//kniC9VsD+KcGEpSfSkRU42a9UmpiPSSv3J+itgdloYBH4bcHAVPug4B0mbKFeKE3SUVeYM4V6cAIoy54TzxC8wrd5hoqerWjZYDCXGcpSd/rz0ZaovJDJvpZ7WjiG1kUpwjqrm2z5b+V0GG0WQc0=", "e":"AQAB"}
base64
eyJhbGciOiJSU0EyNTYiLCAibm9uY2UiOiJnWVdRZEFrWmdReDA0eU9sdUJUUkxVR1FJXzZtR0dvMjRaX0JfSVhHYXNYZFpFRW00eHMiLCAidXJsIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3R9IiwiandrIjp7Imt0eSI6IlJTQSIsICJuIjoiQUxtRE9TaUovZDc4TWhRZGdBWVdOamh3Unc0ek8rc0FVMzJKZFo0Z1U4S2FoK3lrQlVnblpQMlJRRkxUZUFQMXkvS3lSYjNnYmsxTVRHMVZ5YzdMZk92aW1acHdmWUordDFNR0paeFV0elNHb2kyT2cxajdrbERNWlNmYXdzMk9GWmplZGpmYndnZmd1VjYvSVEzUFF6RG12Y014K0lsNjVPbExIekxxalZwWnhPMHBETSsxS294UjRSRUFGQytvbS8va25pQzlWc0QrS2NHRXBTZlNrUlU0MmE5VW1waVBTU3YzSitpdGdkbG9ZQkg0YmNIQVZQdWc0QjBtYktGZUtFM1NVVmVZTTRWNmNBSW95NTRUenhDOHdyZDVob3FlcldqWllEQ1hHY3BTZC9yejBaYW92SkRKdnBaN1dqaUcxa1Vwd2pxcm0yejViK1YwR0cwV1FjMD0iLCAiZSI6IkFRQUIifX0=

header
{"alg":"RSA256", "nonce":"gYWQdAkZgQx04yOluBTRLUGQI_6mGGo24Z_B_IXGasXdZEEm4xs", "url":"https://acme-v02.api.letsencrypt.org/acme/new-acct}","jwk":{"kty":"RSA", "n":"ALmDOSiJ/d78MhQdgAYWNjhwRw4zO+sAU32JdZ4gU8Kah+ykBUgnZP2RQFLTeAP1y/KyRb3gbk1MTG1Vyc7LfOvimZpwfYJ+t1MGJZxUtzSGoi2Og1j7klDMZSfaws2OFZjedjfbwgfguV6/IQ3PQzDmvcMx+Il65OlLHzLqjVpZxO0pDM+1KoxR4REAFC+om//kniC9VsD+KcGEpSfSkRU42a9UmpiPSSv3J+itgdloYBH4bcHAVPug4B0mbKFeKE3SUVeYM4V6cAIoy54TzxC8wrd5hoqerWjZYDCXGcpSd/rz0ZaovJDJvpZ7WjiG1kUpwjqrm2z5b+V0GG0WQc0=", "e":"AQAB"}}

payload
{"contact":["mailto:sal.secrets.9@gmail.com"], "termsOfServiceAgreed":true}

stewe · March 11, 2024, 8:06pm

You have to use base64url-encoding instead of normal base64-encoding:

It is normal base64-encoding with all + replaced by - and all / replaced by _ and the padding = removed:

rmbolger · March 11, 2024, 8:06pm

The error says exactly what is wrong. RSA256 has an extra "A" that doesn't belong. It should be RS256.

stewe · March 11, 2024, 9:46pm

This means that JWS signature was successfully verified, because the nonce-check comes after that:

github.com

letsencrypt/boulder/blob/7ddb2be3f950785b1fbf1f7e2f906a5481555565/wfe2/verify.go#L577-L586


      
          	payload, err := jws.Verify(jwk)
          	if err != nil {
          		wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSVerifyFailed"}).Inc()
          		return nil, probs.Malformed("JWS verification error")
          	}
          
          	// Check that the JWS contains a correct Nonce header
          	if prob := wfe.validNonce(ctx, jws.Signatures[0].Header); prob != nil {
          		return nil, prob
          	}

Make sure you get a fresh nonce value for every request.

aarongable · March 11, 2024, 10:25pm

Every response from the ACME API will include a Replay-Nonce: header for you to use in your next request to the API. This includes the error response when you present an invalid nonce. So when you get the "invalid anti-replay nonce" error, you should simply retry the same request with the new nonce value provided in the error's headers.

Also, it's fine for you to post new questions in the thread, you don't have to keep editing the top post.

salsecrets · March 12, 2024, 12:00pm

Thanks, that seems to have been the solution.

system · April 11, 2024, 12:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What does <Parse error reading JWS> exactly mean? Client dev	49	2113	January 10, 2021
PHP, newAccount request, parse error reading JWS Client dev	10	773	January 26, 2024
Large number of malformed JWS verification error Client dev	14	2080	January 29, 2020
Parse error reading JWS Client dev	13	1362	February 7, 2022
{'type': 'urn:ietf:params:acme:error:malformed', 'detail': 'JWS verification error', 'status': 400} with python Client dev	9	654	August 11, 2024

Continued 400 errors on 'new account'

Related topics