JWS verification error New Order (v 2.0)

Client dev
1

I make request of the Create Order: https://acme-staging-v02.api.letsencrypt.org/acme/new-order
In the RFC 8555 example of the Create Order is:
{
“protected”: base64url({
“alg”: “ES256”,
“kid”: “https://example.com/acme/acct/evOfKhNU60wg”,
“nonce”: “5XJ1L3lEkMG7tR6pA00clA”,
“url”: “https://example.com/acme/new-order
}),
“payload”: base64url({
“identifiers”: [{ “type”: “dns”, “value”: “www.example.org” }],
}),
“signature”: “H6ZXtGjTZyUnPeKn…wEA4TklBdh3e454g”
}

I use data:
nonce” data from pred request header Replay-Nonce
kid” data from pred request header Location
url”: the current request: url https://acme-staging-v02.api.letsencrypt.org/acme/new-order

The payload data is my hostname.

What is wrong?

The my request data is:
{“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjU4MzE1MyIsICJub25jZSI6ICIwMDAyMkJ6NUdWTkg5ZmRtVE1RaGhCbWhmUkloTy1fcXdGT2VfakM5QmRTTHQ3byIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ”, “payload”: “eyJpZGVudGlmaWVycyI6IFt7InZhbHVlIjogImZpNDY5Lmhtbi5tZSIsICJ0eXBlIjogImRucyJ9XX0”, “signature”: “Gwdw1h0Cln0Rrg7xKz1WcJdiwbrrnY3vt3FwOaPyYh4s97EoxhcET44tQcjd4tqw7TZcfOCWGYTKEsDe3hkaOjH8m10movwugnqetqCR3cEy_gMm02fJ_tiWYe0m55foaOqsZhLq-eIOpwVcV2_q1c5cBzwwQfbpdC0CPq-_b_yAyVTS1ToYgYrYV9KHJNen2mo4PxDwgFVl-XeBCoxLJpSSojc2PVYkMQvJTdGTSYC9MtsQlsnQpIgN-onUR-XYt9STl2zqfCopCtfIO3cpL_f35solEgfwmg4WQJ99wNZNFNi-yvsAHoxsZtu24BMRNFlljzu0-PLOZs7J5p2mFLsmJ57cdX_anb06aDM1k9Y19S_gecqE77nm2LqNL4aLKlHstRSkwgBKT0ItRScbCfrC2eDRcbg0oTiwB9Auv_K3dOR1U3Kkcm5CP7dgH2PsX16YE0O8Okjeg5IRXa3caOr-dxfWcvBjiSzzCWLK1emGargDTMMOqApb1Pijxys9KVvp9tas1IUsHjowqMeu9Fu_JNZXj20TGaWn9iwD2n88fiRL76x2FP879YgjT1B8JPvaryhIijQRJq1I_6QtsNI8_LkVfukrhh-Z0D8TNdSmihhpnaDryPlXuHfsKRsLH6zj9ch0efn1P26ulasIM1V0ueFWGbZ-EcbBJMjZKMU”}’

What is wrong?

2

Hi @akalend,

Can you provide the client, client version, and your domain so we can better assist you?

3

Hi @akalend

what's the error message?

Checking your content:

{"alg": "RS256", "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/12583153", "nonce": "00022Bz5GVNH9fdmTMQhhBmhfRIhO-_qwFOe_jC9BdSLt7o", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order"}

There are some white spaces. My own code -> no white spaces.

{"identifiers": [{"value": "fi469.hmn.me", "type": "dns"}]}

That's not an alphabetical order. If you use the same JSON to compute the signature -> the signature is wrong.

4

Thanks JuergenAuer,
Tomorrow I will tests

5

Test is False

My json is sorted by key:
{
“payload”: base64({“identifiers”: [{“type”: “dns”, “value”: “fi469.hmn.me”}]})",
“signature”: “eyJpZGVudGlmaWVy … OX”,
“protected”: base64( {
“alg”: “RS256”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-order”,
“nonce”: “0001ow0VJSvNOg5VyMtTcaBe2OF052ytcEJZX49_-422T8U”,
“kid”: “https://acme-staging-v02.api.letsencrypt.org/acme/acct/12583153
})
}

The signing by openssl:
echo ‘$protected.$payload’ > openssl dgst -sha256 -sign key_file

6

The ending apostrophe on your request data is really there, or is it just a cut&paste error into this issue? What the ACME server returned for that request?

7

It is cut&paste error. The JSON formed by python from dict.
I have error from data structure or I have fail in the sign

8

That should rather be:
echo "$protected.$payload" > openssl dgst -sha256 -sign key_file

9

Thanks,

The fix is Ok.

10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.