Invalid status value on authz-v3 Post-As-Get - Error 400

Hi Guys,

I’m getting a 400 “Invalid status value” when I try to make a Post-as-Get request to Authz-v3. I’m attempting to get the Auth so that I can acquire the auth details.

I can confirm the signing of the request is OK, and the Post-As-Get payload is an empty ({}) payload. This appears to suggest I should send in some kind of Auth object, but that’s not what the spec appears to suggest???

"type": "urn:ietf:params:acme:error:malformed",
"detail": "Invalid status value",
"status": 400

---- Update ----

I worked out the problem. When I was reading the ACME docs I got muddled up and was (in the case above) sending {} as the payload; however, this is not correct. To get the Auths you are required to send in an empty payload "" - you only send the {} payload during the challenge initiation to let the server know it’s OK to attempt to validate the Auth…

Hopefully this helps anyone else who made the same mistake while reading the ACME spec!

6.3. GET and POST-as-GET Requests

If a client wishes to fetch a resource from the server (which would
otherwise be done with a GET), then it MUST send a POST request with
a JWS body as described above, where the payload of the JWS is a
zero-length octet string. In other words, the "payload" field of the
JWS object MUST be present and set to the empty string ("").

7.5.1. Responding to Challenges

To prove control of the identifier and receive authorization, the
client needs to provision the required challenge response based on
the challenge type and indicate to the server that it is ready for
the challenge validation to be attempted.

The client indicates to the server that it is ready for the challenge
validation by sending an empty JSON body ("{}") carried in a POST
request to the challenge URL (not the authorization URL).

1 Like

Hi @cadey,

Yup, exactly! In this case we should probably consider a better error message in Boulder. I think the “invalid status value” is because the request payload is being interpreted as an attempt to de-activate the authorization. For that case it might make more sense to return an error suggesting a POST-as-GET.

1 Like
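The two payloads discussed in this thread, shown at the JWS level as an added example (not part of the original posts and not Boulder's or any client's own code). The host, account URL and nonces are constructed sample values, and `dummy_sign` is a hypothetical placeholder for the account-key signature, which the thread states was already working.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def encode_payload(payload) -> str:
    """None -> "" (POST-as-GET, RFC 8555 6.3); a dict -> base64url(JSON)."""
    if payload is None:
        return ""
    return b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))

def build_jws(url, nonce, kid, payload, sign):
    """Flattened JWS body for an ACME POST; `sign` maps bytes -> signature bytes."""
    header = {"alg": "ES256", "kid": kid, "nonce": nonce, "url": url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    encoded = encode_payload(payload)
    signing_input = f"{protected}.{encoded}".encode("ascii")
    return {"protected": protected, "payload": encoded,
            "signature": b64url(sign(signing_input))}

def classify(jws: dict) -> str:
    """Tell the request kinds apart by inspecting the "payload" member."""
    if "payload" not in jws:
        return "malformed: payload member missing"
    if jws["payload"] == "":
        return "post-as-get"
    pad = "=" * (-len(jws["payload"]) % 4)
    body = json.loads(base64.urlsafe_b64decode(jws["payload"] + pad))
    return "empty-json-object" if body == {} else "json-object"

def dummy_sign(data: bytes) -> bytes:
    """Hypothetical placeholder: NOT a valid ES256 signature."""
    return b"\x00" * 64

# Constructed sample values (assumptions, not real endpoints).
AUTHZ_URL = "https://acme.example/authz-v3/1"
CHALL_URL = "https://acme.example/chall-v3/1/abc"
KID = "https://acme.example/acct/1"

fetch = build_jws(AUTHZ_URL, "nonce-1", KID, None, dummy_sign)   # correct fetch
respond = build_jws(CHALL_URL, "nonce-2", KID, {}, dummy_sign)   # challenge ready
wrong = build_jws(AUTHZ_URL, "nonce-3", KID, {}, dummy_sign)     # the mistake above

if __name__ == "__main__":
    for name, jws in (("fetch", fetch), ("respond", respond), ("wrong", wrong)):
        print(name, repr(jws["payload"]), classify(jws))
```

Running `classify` on a client's outgoing body before it is sent to an authorization URL shows immediately whether it carries `""` or `e30` (the base64url form of `{}`).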
