Error while creating new Account "Error unmarshaling JSON"

Hi guys,

I'm currently stuck while trying to register a new account via PowerShell.

I'm receiving the following error from the staging API:

{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Error unmarshaling JSON", "status": 400 }

I've built the following request so far:

Header:
{
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "oS55XGDffxgfHAOiReDIMgTjQLgGoKIiMpAJGAp5hxwQwuggRfs1g9m7B8V9biZOQERxrc_h6C_jdB-1MCgB0ZuZKeEPw5e-ZuLBgiL1M6uBMEcyHJvV9TcxRd6ilIhZEABD2AKEe96r9JyWMlquvEHmi91WUn7o6byr-ypJ2fk1wGHr8UvNQnLFjCudklPqJZL2t-h3Uj2QTE1DHGyr_mA1_uXaCSM2qoelhtYAoPQqTvFKp0CpECZ_ICGQLuS38jEiiHwo29_6XO2GE7uQ-ekuthevb5NzFtuKt415n98BSYCzWj432titejCGCpxbBjjDC9EX4jVxyaOg8YzpJApSiZ7_sLvh41fmi3pT5uU1i_rTeoCD8e-HkcmHprE-m1Yn-hn08HD4ExLmkPlRU02ulwUhUAUw7vd3cVybGIyu24G3MpBNPqcf4oVFOPG6V8PjO8fu0RmO_aMOu-YaVxIyFHs6GSPhbS9em471VdgVBx8D6SkUcXBfpc-YK5fTMD_5QUaFxgNez6wfXC8Rx-9v4QW_xuHlyMxaGOodKtPjAYh6I8Bo8wytquHpt92TjNM9FfCa9vyKGKU40fSOYMiqqAifLZfa6z0YDf6CvoG1BqzBlVYjfUE3DVi2sb-m48t_P4LJv0DcSbaHTlYTwOu9XBuU2AxURdOk6FqDyD8"
},
"nonce": "HCLJzAsOCxsbgGJpG07JZg9Wb6pGTkBmwu4B3voyzgpyxXZFHhs",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"
}
Payload:
{
"contact": [
"mailto:my@address.com"
],
"termsOfServiceAgreed": "True"
}

I signed the header and payload as follows:

$PayloadB64 = ConvertTo-Base64Url (ConvertTo-Json $payload -Compress)
$HeaderB64 = ConvertTo-Base64Url (ConvertTo-Json $header -Compress)
$combined = "$($HeaderB64).$($PayloadB64)"
$bytes = [System.Text.Encoding]::ASCII.GetBytes($combined)
$signedBytes = $rsa.SignData($bytes, $HashAlgo, $PaddingType)
$jws = [ordered]@{
payload = $PayloadB64
protected = $HeaderB64
signature = ConvertTo-Base64Url -Bytes $signedBytes
}

Here is the request body:

{"payload":"eyJjb250YWN0IjpbIm1haWx0bzpteUBhZGRyZXNzLmNvbSJdLCJ0ZXJtc09mU2VydmljZUFncmVlZCI6IlRydWUifQ","protected":"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","signature":"AoPsVZ2QTye9QoPH3EVxiuvsndg3uZ_KtNM7g_HZUsRyOKo2Qm2jAOoai48MyPxVx3MM-5Tb4m8MH_eZTB7EBHqLMEeoRShHvmOo_L6kpZkXqZ_nr8J-SQpknyYBvY2W_sqi0CjSXDpTLu0AW8Rj6qsJbTiaIb-Z6psKVffPXGtPEMNQa9rM-Z99uCt9AcJ_Qifzpq-_iL5Bz7XSw7o8Vt9_0amVT5kLJO3CzXTL5ummDv9ScaOzxIEalVWbNWFL9KYALCla6fm6RGrlK_RqYqZnJxeTGvJfH_p1faN8Ec_6QT4mYxo4pMHBk1tBBKt723Z5spDjnCAbV-w5VFduZ3Hnf5o7n8LsJoyScNnTOnzD41YcdC99IMABK2ELRwvsgmbQoG7BZoIPrXocQy2dImuZDEDLzjupdS9a90OmVuWkNXyCpOZoAS6nhppOTlt-IC0llvOUfc6zk8wbrVlY2yA8pH-DFnPtC76_SSw35rKwtg_ySNS09WkD7ntBxyp3U_nW4TVYsVJWtiFCpVoGhZ7xcHXuadmwhJhqNXUPacO9DEVQRo0h6xytuH0snTS9IzaTSgB_6zqa9Id0eeMV2Af_V2u4zomi8h4ZVwtQIqSpq8S0NDV6PioUDl5EwpWqQ3Ig__EyvXRusF6Ryad0PE7i36hf8K8qlPZSC1FKRxY"}

That's my request:

Invoke-WebRequest -Method POST -ContentType "application/jose+json" -Body (ConvertTo-Json $jws -Compress) -Uri $newAccountAPI

I tested the JWS on https://jwt.io/ and it says that my signature is valid.
Any idea which part of the body is actually incorrectly formatted?
Thanks for your help.

1 Like

The termsOfServiceAgreed field is a boolean, not a string, so this value should be true rather than "True".

That said, there already exists a PowerShell ACME client, have you considered using that instead of reimplementing from scratch?

8 Likes
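
Added example (not part of the thread, and not code from any ACME client): a signature check only covers the signed bytes, so it says nothing about whether the payload's field types match what the server unmarshals. This pre-flight check decodes the base64url payload and verifies the JSON types of the newAccount fields; it also covers `contact` and `onlyReturnExisting` from RFC 8555, which goes beyond the one field discussed here. All function names are hypothetical.

```powershell
# Added example; function names are hypothetical, not part of any ACME module.
function ConvertFrom-Base64UrlText([string]$Value) {
    # Map the URL-safe alphabet back and restore the stripped '=' padding.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64UrlText([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JsonTypeName($Value) {
    if ($null -eq $Value) { 'null' } else { $Value.GetType().Name }
}

function Test-AcmeNewAccountPayload([string]$PayloadB64) {
    # Decode what the server will actually parse, then check field types.
    $payload = ConvertFrom-Json (ConvertFrom-Base64UrlText $PayloadB64)
    $problems = @()
    foreach ($name in 'termsOfServiceAgreed', 'onlyReturnExisting') {
        $prop = $payload.PSObject.Properties[$name]
        if ($prop -and $prop.Value -isnot [bool]) {
            $problems += "$name must be a JSON boolean, got $(Get-JsonTypeName $prop.Value)"
        }
    }
    $contact = $payload.PSObject.Properties['contact']
    if ($contact) {
        if ($contact.Value -isnot [array]) {
            $problems += "contact must be a JSON array, got $(Get-JsonTypeName $contact.Value)"
        } elseif (@($contact.Value | Where-Object { $_ -isnot [string] }).Count -gt 0) {
            $problems += 'contact entries must all be strings'
        }
    }
    $problems   # emits nothing when every checked field has the right type
}

# The "payload" value exactly as posted in the request body above.
$posted = 'eyJjb250YWN0IjpbIm1haWx0bzpteUBhZGRyZXNzLmNvbSJdLCJ0ZXJtc09mU2VydmljZUFncmVlZCI6IlRydWUifQ'
Test-AcmeNewAccountPayload $posted

# The same payload built with the PowerShell boolean $true instead of the string "True".
$fixed = [ordered]@{ contact = @('mailto:my@address.com'); termsOfServiceAgreed = $true }
Test-AcmeNewAccountPayload (ConvertTo-Base64UrlText (ConvertTo-Json $fixed -Compress))
```

Running the check on the decoded payload before signing catches type mistakes locally instead of through a generic 400 from the staging API.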

Thank you very much, that solved the issue :) I want to better understand how ACME works, so I decided to write a test script. For production use I will use one of the existing certbots.

1 Like

I hope you mean to use one of the existing Windows ACME clients.
certbot for Windows is no longer being supported.

3 Likes
