Error in official python acme with latest pebble

Hello,
I am using the latest pebble from Docker Hub (v2.0.1) with the latest acme (0.33.1).
When I try to do query_registration, the pebble server responds "Use POST-as-GET to retrieve account data instead of doing an empty update". The acme client is obviously using POST with an empty UpdateRegistration message - and pebble is obviously rejecting it. So is this a problem with pebble or with the acme client?

Thanks

Hi @wmwmw, welcome to the community forum :wave:

Can you share the Python code you wrote using the acme module? I don’t believe the problem is with Pebble. I suspect it’s either your driver code or the acme module.

    import requests
    import acme.client
    import acme.messages

    # config, key (the account JWK), contact and reg_uri are defined elsewhere
    directory = acme.messages.Directory(requests.get(config.ACME_DIRECTORY_URL).json())
    net = acme.client.ClientNetwork(key)
    acme_client = acme.client.ClientV2(directory, net)
    registration = acme.messages.Registration(key=key, contact=contact)
    rr_data = acme.messages.RegistrationResource(body=registration, uri=reg_uri)
    rr = acme_client.query_registration(rr_data)

It works with older versions - where pebble doesn't reject empty UpdateRegistration messages.


Thanks for sharing your code :+1: I’m convinced the bug is in the acme module.

I think the problem is that an empty UpdateRegistration message is not a POST-as-GET request and so Pebble is rightly rejecting it.

An empty registration message will be serialized as {} in the JWS payload. A POST-as-GET request would have a null payload instead. I believe the client.query_registration function you linked to should be using self._post_as_get instead of self._send_recv_regr with an empty message.UpdateRegistration(). The latter behaviour is how Account resources were queried in older (<= draft-14) drafts of ACME. RFC 8555 specifies using POST-as-GET for this which is why Pebble rejects it.

I think this is a real bug/spec divergence in the acme module. Do you want to open an issue with the Certbot maintainers? You should get the credit for discovery :slight_smile:
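
The payload difference described in the reply above, as an added example that is not part of the thread and is not Pebble's or Certbot's code. It builds the two flattened JWS bodies and classifies them the way the thread says Pebble does; in RFC 8555 the POST-as-GET `payload` field is the empty string on the wire. The function names, account URL, nonce and signature value are constructed for illustration, and nothing is actually signed.

```python
import base64
import json

# Constructed account URL, used here as both the request URL and the "kid".
ACCOUNT_URL = "https://pebble.example/my-account/1"
EMPTY_UPDATE_ERROR = ("Use POST-as-GET to retrieve account data "
                      "instead of doing an empty update")  # message quoted in the thread


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jws(url: str, kid: str, payload) -> dict:
    """Flattened JWS JSON body; payload=None produces a POST-as-GET request."""
    protected = {"alg": "ES256", "kid": kid, "nonce": "constructed-nonce", "url": url}
    encoded = "" if payload is None else b64url(json.dumps(payload).encode())
    return {
        "protected": b64url(json.dumps(protected).encode()),
        "payload": encoded,
        # Placeholder: a real client signs protected + "." + payload with the account key.
        "signature": b64url(b"placeholder-not-a-real-signature"),
    }


def classify_account_post(jws: dict) -> str:
    """Sketch of the server-side decision for a POST to an account URL."""
    raw = jws["payload"]
    if raw == "":                      # empty payload: POST-as-GET, return the account
        return "post-as-get"
    body = json.loads(b64url_decode(raw))
    if body == {}:                     # "e30" on the wire: the old draft-style query
        return "rejected: " + EMPTY_UPDATE_ERROR
    return "update"                    # non-empty object: a real account update
```

Comparing the `payload` field of a captured request against `""` and `"e30"` is a quick way to tell which of the two query styles a client is sending.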
