Deactivate authorization

I tried deactivating my valid authorization with the following script:


request_body='{"resource": "authz", "status":"deactivated"}'

# Sign the request body using the private key and the RS256 algorithm
signature=$(echo -n "$request_body" | openssl dgst -sha256 -sign pkey.pem | base64)

# Encode the signature using the Base64url encoding format
encoded_signature=$(echo "$signature" | tr '+/' '-_' | tr -d '=')

# Create the JWS by concatenating the encoded signature and the request body string

# Send the JWS in the request body of a POST request to deactivate the authorization
curl -X POST -H 'Content-Type: application/jose+json' -d "$jws" "<authz-id>"

but all I get back is:

  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Parse error reading JWS",
  "status": 400

am I doing this correctly? In another issue they mentioned that the POST request needs to be "correctly signed". If I am doing this wrong then what is the correct process?

There are a few things wrong:

  • The JWS must be in "Flattened JWS JSON Serialization Syntax".
  • You're missing the protected field in the JWS.
  • The resource field in the request body is from ACMEv1 and is not part of RFC8555/ACMEv2.

It might help to read 6.2. Request Authentication and 7.5.2. Deactivating an Authorization and to also look at the code of some existing ACMEv2 clients or libraries to see how it's meant to work. Trying to get the JOSE parts correct from scratch is super daunting and it's much easier to copy an implementation.


thank you for the quick reply @_az . Could you perhaps point me to a specific ACMEv2 client where I can see the JWS generation taking place?

In the meantime I was resorting to creating a python script to do as requested from scratch but no success so far.

1 Like

As you're using bash you might find relevant code examples in the client at master · acmesh-official/ · GitHub


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.