Help creating new account/JWS errors


#1

Can you show me a working example? I try to call https://acme-staging-v02.api.letsencrypt.org/acme/new-acct with
a request like this
{"protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJjcnYiOiJQLTI1NiIsImt0eSI6IkVDIiwieCI6ImE3VWpEb1lrUi03OG56VzdWcjh6T3BqRHI1SGF2cEtJbW1waGtfM1NvdnciLCJ5IjoiWlZqRnlLSnRvR3lIaWxZdDRtYVBXX1doYWNDdERpSGx2N1JUNTJhdUJnZyJ9LCJ1cmwiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctYWNjdCIsIm5vbmNlIjoiMldySU1OSjlIUDk4OUxNbnItRkpoNnBNRVE3aXNLODF4UEJLRTZkMy1NZyIsInR5cCI6IkpXUyJ9","payload":"eyJjb250YWN0IjpbIm1haWx0bzpzcGVndWxvQG1haWwucnUiXSwidGVybXNPZlNlcnZpY2VBZ3JlZWQiOnRydWUsInJlc291cmNlIjoibmV3QWNjb3VudCIsImlhdCI6IjE1NDc0NTUwOTkifQ","signature":"MEUCIDa5GvDp5L04IRdeUuXZE4v3gkNLjT0OJtL3WAHMgdP1AiEA0PxjZ2U0ZAOULOcSQLOQGr0mP8828nM6REGuHMvMm2M"}

which is signed using DERtoECDSA decoding, but I always get
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "JWS verification error",
"status": 400
}


How do I create a new account with an ECDSA key?
#2

Your JWS has a few errors in it (like wrong url and a number of useless fields, some of which look like they came from an ACME v1 client).

Perhaps you can either post your code if you need help, or take a look at acmephp, which is a “complete” working PHP example for ACME v2.

You sure? The signature in your JWS is 71 bytes:

// Decode the "signature" member of the posted JWS (plain base64 works here,
// since this particular value contains no '-' or '_' characters).
$decoded = base64_decode("MEUCIDa5GvDp5L04IRdeUuXZE4v3gkNLjT0OJtL3WAHMgdP1AiEA0PxjZ2U0ZAOULOcSQLOQGr0mP8828nM6REGuHMvMm2M");
echo strlen($decoded), PHP_EOL; // 71 -> still a DER SEQUENCE, not the raw R||S that ES256 requires

// DERtoECDSA is the conversion routine from the original post; 64 is the
// expected raw length for P-256 (32 bytes for R followed by 32 bytes for S).
$unpacked = DERtoECDSA($decoded, 64);
echo strlen($unpacked), PHP_EOL; // 64

#3

OK, can you say which URL is correct and which fields are useless?


#4

I don’t have it in front of me anymore, but I believe:

  • The url was pointing to the production domain (but you said it’s for acme-staging-v02). This would cause the request to fail.
  • The resource field was present in the protected header, but this doesn’t exist in ACME v2 (it’s from ACME v1). I’m not sure whether this would be a fatal error.
  • iat in payload (but this is probably not fatal).
  • typ in protected header (but this is probably not fatal).

#5

The staging server is used for debugging; on the production server I have the same problem.
Regarding the remaining items, I’ll try your recommendations, thanks a lot.


#6

Your current “JWS verification error” is caused by the 71-byte signature, but once you get past that, the error message should change - so you’ll know you’re making progress.


#7

I released a PHP ACME client; it supports P-256 and P-384 ECDSA keys.

I implemented code to subtract the unnecessary values from the ASN.1 objects generated by openssl_sign in DER format.

Unnecessary values means the ASN.1 object’s TAG field, VALUE LENGTH field, and the others.

Please check the link below for more details on ASN.1.

And the following code may be helpful.

Thanks.
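As an added example (not code from this thread or from either client mentioned in it), here is the DER-to-raw conversion that #2 and #7 describe, in Python: it parses the SEQUENCE { INTEGER r, INTEGER s } that openssl_sign emits, drops the tag, length and sign-padding bytes, and left-pads r and s to the curve size (32 for P-256, 48 for P-384) so the JWS signature is exactly 2 × size bytes, as RFC 7518 requires for ES256/ES384. POSTED_SIG is the 71-byte signature from #1; the function names are my own.

```python
import base64

def _read_tlv(buf: bytes, pos: int, tag: int):
    """Read one DER tag-length-value at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag at offset %d" % pos)
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return value, pos + length

def der_to_raw_ecdsa(der: bytes, size: int) -> bytes:
    """DER SEQUENCE{INTEGER r, INTEGER s} -> fixed-width R||S (JWS form)."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    r, pos = _read_tlv(seq, 0, 0x02)
    s, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    out = b""
    for part in (r, s):
        part = part.lstrip(b"\x00")  # DER adds a 0x00 when the high bit is set
        if len(part) > size:
            raise ValueError("integer wider than the curve size")
        out += part.rjust(size, b"\x00")  # left-pad to exactly `size` bytes
    return out

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# The signature member of the JWS posted in #1 (71-byte DER, the cause of the error).
POSTED_SIG = ("MEUCIDa5GvDp5L04IRdeUuXZE4v3gkNLjT0OJtL3WAHMgdP1AiEA0PxjZ2U0ZAOU"
              "LOcSQLOQGr0mP8828nM6REGuHMvMm2M")

def fix_posted_signature() -> str:
    """Return the base64url R||S that the JWS should have carried instead."""
    return b64url(der_to_raw_ecdsa(b64url_decode(POSTED_SIG), 32))

if __name__ == "__main__":
    der = b64url_decode(POSTED_SIG)
    print(len(der), len(der_to_raw_ecdsa(der, 32)))  # 71 64
```

The same function with size=48 handles the P-384 case from #7; a 96-byte result there (or 64 for P-256) is the quick sanity check before the JWS is sent.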