New-authz 403 response

I’m currently implementing an ACME client using draft-ietf-acme-acme-07 + boulder acme-divergences. Account handling works as expected. However, when trying to e.g. {"identifier":{"type":"dns","value":""},"resource":"new-authz"} I get always a 403 response (The requested operation is currently forbidden. Must agree to subscriber agreement before any further actions.).

Did I miss something? The account status is valid and account updates/creation contain the "terms-of-service-agreed":true property. So not sure, what else is needed.

Any hints?

1 Like

Hi @jelmd,

Boulder (in the V1 API) does not implement the terms-of-service-agreed field for account creation. Boulder implements the draft-03 method of verifying the client has agreed to the terms of service using the agreement field:

agreement (optional, string): A URI referring to a subscriber
agreement or terms of service provided by the server (see below).
Including this field indicates the client's agreement with the
referenced terms.

It's a lot messier than in draft-04+ where you can just send the terms-of-service-agreed field. We'll be adopting that method of ToS verification for the upcoming v2 api.

Hope that helps! Apologies for the mess - I know its tough to code to a standard that is in flux when the primary server-side implementation has also been in flux alongside the standard :slight_smile:

1 Like

Ahh, that’s it. Wasn’t clear to me, that one has to submit it on account create/update. Thought this field was just used in the status message generated by the server. Anyway, works now and I can continue … :slight_smile:

Thanx a lot,

1 Like

Excellent! I'm glad to hear it :slight_smile:

You've spiked my curiosity: Can you talk about the ACME client you're working on? Is it open source?

Take care,

Yes, it is ksh93 + wget|curl based. Plan is to put it on github or bitbucket, when it is finished.

Have fun,

1 Like

Neat. Definitely submit a PR to our website's list of client implementations when you're finished!

Take care,

OK, I’ll do (hope before x-mas) :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.