That will totally be it, yes.
And it explains what I'm seeing in the Go where it's failing because it can't decode that.
I just thought that was what it was supposed to do!
Thanks.
Yep! I am not sure why I thought one needed the compact form in the sig header... probably looking at too many specs at the same time!
But:
Pebble 2025/11/30 08:51:00 ACME directory available at: https://0.0.0.0:14000/dir
Pebble 2025/11/30 08:51:10 GET /dir -> calling handler()
Pebble 2025/11/30 08:51:10 HEAD /nonce-plz -> calling handler()
Pebble 2025/11/30 08:51:10 POST /sign-me-up -> calling handler()
Pebble 2025/11/30 08:51:10 There are now 1 accounts in memory
Thanks everyone for being patient and to @Nummer378 for taking a detailed look at the output to note the signature formatting issue.
For absolute clarity at the end of this thread, an example of my new-account request is now:
{"protected": "eyJ1cmwiOiAiaHR0cHM6Ly9sb2NhbGhvc3Q6MTQwMDAvc2lnbi1tZS11cCIsICJhbGciOiAiRVMzODQiLCAibm9uY2UiOiAiSkM5eGdPRl9YQm9qSkZsUFNpMldSdyIsICJqd2siOiB7ImNydiI6ICJQLTM4NCIsICJleHQiOiB0cnVlLCAia2V5X29wcyI6IFsidmVyaWZ5Il0sICJrdHkiOiAiRUMiLCAieCI6ICJXQzk2LXAyQ0kwdWk5QTVrSG5IZ3FIdnZ5RDl1a3ZVckFZV3I0eEFIS2UzeGhhRllpRFhnR1ViTThPRkotM0NTIiwgInkiOiAiaUZORksyYmx4NzA0MVp3UHd6RjNSZzlXY3BQeGFHcnh4REppT3U2T1BGMXZ0dVBwVWtTc1U1TzlHWGl0RzZMWCJ9fQ", "payload": "eyJjb250YWN0IjogWyJtYWlsdG86bmljQGZlcnJpZXIubWUudWsiXSwgInRlcm1zT2ZTZXJ2aWNlQWdyZWVkIjogdHJ1ZX0", "signature": "Hm-ag-mZr2qKH6RUrYWWTqEcF-GnMLnOsNMDOMDiMTAqrLP99PbiZp9eWAxJFvf0vbRhawP-Uvi-MjCilvIp_CZkgD80TTjIyZ60EsSg8Ylhpa43l1y9rPuffUlxq4IC"}
There were no base64url issues - except the base64url decoder could not decode the value I thought you had to put into the signature header. It JUST wants a signature.
Thanks.
The ONE thing I would recommend as a change to Pebble here would be the error message when one gets this wrong.
{"type": "urn:ietf:params:acme:error:malformed", "detail": "Parse error reading JWS: illegal base64 data at input byte 422", "status": 400}
I spent some time looking in my JSON for byte 422. But of course, it meant byte 422 of the value of the signature field which would have led me right to the issue because it's the byte before the ".".
Pebble COULD change to report which field of base64url it is decoding and that would help.
Seems like maybe this thread will be enough though.
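Added example, not part of any post in this thread and not Pebble's code: one way to report which member of a flattened JWS failed base64url decoding, with the offset and a hint when the signature member holds a compact JWS. The helper name `checkFlatJWS` and the sample body are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type flatJWS struct { // the three members of the request body shown in the thread
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// checkFlatJWS (hypothetical helper) decodes each member as unpadded
// base64url and names the member and offset of the first bad byte.
func checkFlatJWS(body []byte) error {
	var j flatJWS
	if err := json.Unmarshal(body, &j); err != nil {
		return fmt.Errorf("body is not JSON: %w", err)
	}
	members := []struct{ name, val string }{
		{"protected", j.Protected}, {"payload", j.Payload}, {"signature", j.Signature},
	}
	for _, m := range members {
		_, err := base64.RawURLEncoding.DecodeString(m.val)
		if err == nil {
			continue
		}
		var off base64.CorruptInputError // carries the offset within this member
		if errors.As(err, &off) && int(off) < len(m.val) {
			hint := ""
			if strings.Count(m.val, ".") == 2 {
				hint = "; value looks like a compact JWS, expected only the signature"
			}
			return fmt.Errorf("member %q: illegal base64url byte %q at offset %d%s",
				m.name, m.val[int(off)], int(off), hint)
		}
		return fmt.Errorf("member %q: %w", m.name, err)
	}
	return nil
}
func main() {
	// Constructed sample: "signature" wrongly holds header.payload.signature.
	bad := `{"protected":"eyJhIjoxfQ","payload":"e30","signature":"eyJhIjoxfQ.e30.AAAA"}`
	fmt.Println(checkFlatJWS([]byte(bad)))
}
```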
If you could file that as an issue on the Pebble GitHub repo, I think that likely sounds like it should be easy enough to make better.
I agree that existing clients are far from perfect.
However, in case you want to focus on the certificate management parts rather than implementing an ACME client from scratch, then I can warmly recommend you to have a look at Matt Holt’s acmez library, written in Go. In my experience, it’s both stable and pleasant to work with.
In case it helps, given you seem to be building in JavaScript, the code in Auto Encrypt is pretty straightforward and might help:
Also see the tests:
(Auto Encrypt only implements HTTP-01.)
Best of luck!