I tried deactivating my valid authorization with the following script:
#!/bin/bash
request_body='{"resource": "authz", "status":"deactivated"}'
# Sign the request body using the private key and the RS256 algorithm
signature=$(echo -n "$request_body" | openssl dgst -sha256 -sign pkey.pem | base64)
# Encode the signature using the Base64url encoding format
encoded_signature=$(echo "$signature" | tr '+/' '-_' | tr -d '=')
# Create the JWS by concatenating the encoded signature and the request body string
jws="$encoded_signature.$request_body"
# Send the JWS in the request body of a POST request to deactivate the authorization
curl -X POST -H 'Content-Type: application/jose+json' -d "$jws" "https://acme-v02.api.letsencrypt.org/acme/authz-v3/<authz-id>"
am I doing this correctly? In another issue they mentioned that the POST request needs to be "correctly signed". If I am doing this wrong then what is the correct process?
The JWS must be in "Flattened JWS JSON Serialization Syntax".
You're missing the protected field in the JWS.
The resource field in the request body is from ACMEv1 and is not part of RFC8555/ACMEv2.
It might help to read 6.2. Request Authentication and 7.5.2. Deactivating an Authorization and to also look at the code of some existing ACMEv2 clients or libraries to see how it's meant to work. Trying to get the JOSE parts correct from scratch is super daunting and it's much easier to copy an implementation.