Finalizing order: algorithm not supported?

Everything works like a charm... until I get to the point to finalize :-)

  • base64url-encoded CSR (see the complete one below), validates totally OK.
  • error from Let's Encrypt: algo (RS256) not supported
  • deliberately used ES256, got a reminder: "Hey Peter, ES256? What's that? Was expecting RS256" :)
  • But, but, but... RS256 you say you don't know...

All info below. Anyone who can shed some light on my last 2 brain cells?

Peter

PS @letsencrypt: completely different issue, but in some cases the URL to retrieve a challenge is returned from your servers as /acme/challenge/, which subsequently gives an error, since it has to be /acme/chall-v3/... Just a friendly reminder!

---------------- communication --------------------

POST /acme/finalize/18069308/239322012 HTTP/1.1
Content-Type: application/jose+json
Content-Length: 2064
Host: acme-staging-v02.api.letsencrypt.org
Accept: */*
Accept-Charset: ISO-8859-1,utf-8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip

{"protected":"eyJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHBzOlwvXC9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmdcL2FjbWVcL2FjY3RcLzE4MDY5MzA4Iiwibm9uY2UiOiIwMDAzY0gxanJtOXNMTVJjVi1uTkxjT090LVlMbHlhTlBIMm52bjZiMlF0YUVXayIsInVybCI6Imh0dHBzOlwvXC9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmdcL2FjbWVcL2ZpbmFsaXplXC8xODA2OTMwOFwvMjM5MzIyMDEyIn0","payload":"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","signature":"CJVtCbP53dwe5Vx9q0Ymj9Vf42D80DeoOWynCjzSeMLdXyu-KEASbkuFWPbfIJZcOdnviMGBej-HPjvHhJWYwZG4BQdotc4t8u6wxSYvGsX3Yz5l6FGTJlZx4LIwHY85d_vjC34N1S9MFazli447ZvntFYDB1T4S3Km9Mb7qQrfrERUaf9uowwijO6ns-Jk9toOLxQJTIfj9ZAl1oAerkdOfTEU9N3rjelwcJkIGd-vtAQSPn-wVzflKTPx-PhuKA5dffDvA1o_K6IT1UVSPX_x8lvveXW77P-vJE5-YTWKyPk1eJeb94iL85o7tCUliYUqpg4yu6GvDX1pfIm9pgA"}

---------------- normalized --------------------

payload = Array
(
[csr] => MIIC7jCCAdYCAQAwNjEUMBIGA1UEAwwLcHVrcGx1cy5jb20xHjAcBgkqhkiG9w0BCQEWD3NzbEBwdWtwbHVzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALCSNKXAXVaCTUvHIeoLJiSflZnrXzwUb3HbRfqhwYWK-4GXpB8o-EWOmxyPNH7ELRaEgp0FDTVKJIGNco-K__Qd_cPRPvzahJQay_BKLhFkqrdEivFYQ1hM3TdhIsijIBaNxSlZ2DbS5dx123KdZ2vmU4PpYh8nezfizbRZ6nxl2hBFUF1HbHSngDyPeyKQeEnZ5-eTQTqQrk2DcAtIEAPi0-6BNQiPKgHMks9_Ur35fAmf7vmVDvWtAvaqNRy9h2s0US9GjfVO2_DkM7LvGaxXLYEDv1248Yjn5dxUQRo_IpNK_V3-x8S4E7p8b0jSMGByq0OLuSHpiDFVg2KDfJMCAwEAAaBzMHEGCSqGSIb3DQEJDjFkMGIwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMCkGA1UdEQQiMCCCD3d3dy5wdWtwbHVzLmNvbYINKi5wdWtwbHVzLmNvbTANBgkqhkiG9w0BAQQFAAOCAQEAKfsPpJuyvo8OB7L8Hu91mzlRaxA_du_0RYWpoLxuHEhrshpC0Xe7NkqKTLViFn1S26WS9Yh3EI4CXO6SZlV05oY5N5J43ZkNuAZev67HM9Qm2-EVtBgzx0hssTIvDbwjW-BFLfXnSEdcaYWtms_crOYc1_y4BBYcxY0NhgwQLK-6T3BQmg73gdMeJCuwLa5MpehBghWMqGtTsMcKGojn6SqnhfJoa8CH_XhN9S-x2HIJjBvUEmdXAKMUHP3ogM6VDlQQ4DjLFts_939ijGePcnrBIKoh6FRBqJGkJ38bZpLajsXczJTDGVnN2nzywROoM49ylbDBvDL_f29RWyab9g
)

protected = Array
(
[alg] => RS256
[kid] => https://acme-staging-v02.api.letsencrypt.org/acme/acct/18069308
[nonce] => 0003cH1jrm9sLMRcV-nNLcOOt-YLlyaNPH2nvn6b2QtaEWk
[url] => https://acme-staging-v02.api.letsencrypt.org/acme/finalize/18069308/239322012
)

signature = 342 octets -> CJVtCbP53dwe5Vx9q0Ymj9Vf42D80DeoOWynCjzSeMLdXyu-KEASbkuFWPbfIJZcOdnviMGBej-HPjvHhJWYwZG4BQdotc4t8u6wxSYvGsX3Yz5l6FGTJlZx4LIwHY85d_vjC34N1S9MFazli447ZvntFYDB1T4S3Km9Mb7qQrfrERUaf9uowwijO6ns-Jk9toOLxQJTIfj9ZAl1oAerkdOfTEU9N3rjelwcJkIGd-vtAQSPn-wVzflKTPx-PhuKA5dffDvA1o_K6IT1UVSPX_x8lvveXW77P-vJE5-YTWKyPk1eJeb94iL85o7tCUliYUqpg4yu6GvDX1pfIm9pgA

-------------------------- SERVER RESPONSE -------------------------------

Array
(
[status] => 400
[headers] => Array
(
[server] => nginx
[date] => Sat, 13 Feb 2021 03:07:42 GMT
[content-type] => application/problem+json
[content-length] => 141
[connection] => close
[boulder-requester] => 18069308
[cache-control] => public, max-age=0, no-cache
[link] => https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
[replay-nonce] => 0003TylqzuBwnOu1Au-D88JFIY0bdLDODHgcsVM1CnGoLaI
)

[body] => {

"type": "urn:ietf:params:acme:error:badCSR",
"detail": "Error finalizing order :: signature algorithm not supported",
"status": 400
}
)


1 Like

Let's Encrypt doesn't accept CSRs using the MD5 signature algorithm.

For RSA, your choices are SHA1, SHA256, SHA384 and SHA512.

5 Likes

Ok, thank you, but how does my payload look then?

2 Likes

Your JWS looks good. The RS256 signature is correct and the payload is correctly encoded.

The problem is with the generation of the CSR itself, specifically the signature algorithm contained within the CSR. Entirely unrelated to the JWS bits.

4 Likes
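The two answers above point at the CSR's own signatureAlgorithm rather than at the JWS. As an added example (not code from this thread or from Let's Encrypt), this stdlib-only Python walks the DER of a base64url `csr` value and names that algorithm; applied to the CSR posted above, the AlgorithmIdentifier decodes to OID 1.2.840.113549.1.1.4, md5WithRSAEncryption. `MD5_CSR` and `SHA256_CSR` are constructed CSR-shaped fixtures, not real requests, and `SIG_ALGS` lists only the RSA algorithms named in the thread.

```python
import base64
# RSA signature AlgorithmIdentifier OIDs (RFC 8017); Let's Encrypt rejects the MD5 one.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
ACCEPTED_RSA = set(SIG_ALGS.values()) - {"md5WithRSAEncryption"}
def read_tlv(buf, pos):
    """Decode one DER element at pos -> (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                   # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def csr_signature_algorithm(b64url_csr):
    """Name the signatureAlgorithm inside a base64url DER CSR (the ACME 'csr' field)."""
    der = base64.urlsafe_b64decode(b64url_csr + "=" * (-len(b64url_csr) % 4))
    tag, body, _ = read_tlv(der, 0)         # CertificationRequest ::= SEQUENCE {
    assert tag == 0x30, "CSR must be a DER SEQUENCE"
    _, _, pos = read_tlv(body, 0)           #   certificationRequestInfo (skipped by length)
    _, alg, _ = read_tlv(body, pos)         #   signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg, 0)          #   signature BIT STRING }
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)     # unknown OID: return the dotted form as-is
# Constructed fixtures (not real CSRs): CSR-shaped DER whose only meaningful part is the
# AlgorithmIdentifier; certificationRequestInfo and the signature are filler bytes.
def tlv(tag, content):
    n = len(content)
    hdr = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + hdr + content
def fake_csr(oid_der):
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"\x00" * 300))
    alg = tlv(0x30, oid_der + b"\x05\x00")  # OID + NULL parameters, as in the posted CSR
    sig = tlv(0x03, b"\x00" + b"\xAA" * 256)  # unused-bits byte + 2048-bit filler
    return base64.urlsafe_b64encode(tlv(0x30, info + alg + sig)).rstrip(b"=").decode()
MD5_CSR = fake_csr(bytes.fromhex("06092a864886f70d010104"))     # 1.2.840.113549.1.1.4
SHA256_CSR = fake_csr(bytes.fromhex("06092a864886f70d01010b"))  # 1.2.840.113549.1.1.11
```

Feeding the `[csr]` value from the normalized payload above into `csr_signature_algorithm` is the check that would have surfaced the MD5 signature before the finalize request was sent.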

I love you, but that doesn't help a lot ;-)

1 Like

Ahhhh, CSR, not MD5, SHA, CLEAR!

THANK YOU!!!

2 Likes