New ABAP ACME Client - NewAccount POST Content-Type not fitting

Hello Community,

I am trying to write a new client for SAP Systems in ABAP.
I am quite new to communicating via http, especially when it comes to signed JSON strings.

My problem occurs when I try to send the http post method for creating a new account.

The Response is:"Unsupported Media Type"

"{# "type": "urn:ietf:params:acme:error:malformed",
'# "detail": "Invalid Content-Type header on POST. Content-Type must be "application/jose+json"",
'# "status": 415#}"

I already set the http Content-Type header field to 'application/jose+json'.

So there may be a Problem with how I formatted that json string.

Sadly I can't really figure out how it should exactly look like.

The Documentation says it has to be a flattened json serialisation which should look like:




"header": { "kid": "myKey"},

"signature": "b7V--EXAMPLE--2UpDPytr-kMnM_YjiQ3E0J2ucOI9LYA7mt57vc"


which is an base64url encoding of:
















@signature: Here I am not quite sure which exact data to throw into my function module for signing.

Please point out if I am doing something completely wrong.

I would really like if someone could give me some advices or even an example what exactly has to be sent.

Although is there good option to check whether the jose I have created is consistent or not?

Thank you so far :slight_smile:

This error message is quite precise in its meaning. It's not a JWS problem, it's really a problem with the request header.

If you have some way to dump the request headers in your client, that should reveal what you're actually sending in that request header.

This shouldn't be here. RFC8555 says:

o The JWS Unprotected Header [RFC7515] MUST NOT be used

If kid is relevant, it goes into the Protected Header.

Do you have a JWS library? I highly recommend using one if you are not familiar with JOSE, as there are quite a few pitfalls.

It's a bit of a pain, but in the past I have used JSON Web Tokens - It's a pain because you have to convert from Flattened to Compact serialization, but otherwise it can help uncover basic serialization and signature problems.

Hi _az,
thank you for your reply.

Unprotected Header is out now. (was just in for a few desperate tries) .

The class which is sending the http request sais just before sending that the data of the header field "Content-Type" really is set to 'application/jose+json'.
I even tried setting it in the protected section by "cty":"application/jose+json"
Still the same problem.

best regards,

As _az mentioned, this error does not belong to the body part of the http request (containing the JWS). It is definitively the Content-Type header value which is incorrect. If you look at the source code you can see that the error message Invalid Content-Type header on POST. Content-Type must be... is only emitted if the Content-Type header does not match the string application/jose+json


Slightly off topic but any ACME tools that accepts a custom CSR and outputs a full chain in pem format will work for SAP, including - I added custom CSR support for that specifically to support SAP. I'm pretty sure certbot supports that as well.

The only reason I'm suggesting those is that implementing your own client is a long process if you then want to support all the different validation methods etc. If you're selling a solution then it could be worthwhile, but otherwise I'd avoid rolling your own :slight_smile:

I tried to run my post request against an external tracking site.
So it seems like it really is sending Content-Type: application/jose+json; charset=utf-8
Which is bad because I cannot unset this.
In Boulder code I can see it wants the exact string "application/jose+json" so my request is denied as unsupported media type.
Seems to be an SAP Problem.

SAP Note: 2456232 - Cannot send HTTP Content-Type header without charset value.
There is a fix. Have to update the SAP REST adapter.. and I don't know how because I dont know how to get those .sca files in my abap stack system.
But this is an SAP related Problem.

Thank you so far!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.