Trying to do POST-as-GET but getting "POST JWS not signed"

Help
1

GET requests on ACME v2 API has no longer supported so I am doing tests on your staging environment.
I changed my client’s request to POST. Request URL is the same as before.
I am posting JWS that has empty “payload” but I am getting “POST JWS not signed”.
How can I make signed JWS to POST to your API?
Please show me an example.

My domain is:
lab30-test.jp

I ran this command:
POST https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/[ID]

It produced this output:
{
“type”: “urn:ietf:params:acme:error:malformed”,
“detail”: “POST JWS not signed”,
“status”: 400
}

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

1 Like
2

There is an example of POST-as-GET in the spec itself: https://tools.ietf.org/html/rfc8555#page-54

As you can see, the payload is an empty string (""), but it is otherwise like any other JWS POST request to the ACME server.

If you want examples of how to sign a JWS object, look to the source code of any ACME v2 client in the language of your choice.

2 Likes
3

Thank you.
I understand the payload field can be empty.
But how am I supposed to get the other stuff like
“alg”, “kid”, “nonce”, “url” and “signature”?
Where do I generate them?

1 Like
4

They are all part of JWS, which is the scheme used for authentication in ACME - https://tools.ietf.org/html/rfc8555#section-6.2 .

If you are unfamiliar with it, it may be easier to start with an existing ACME library to do your tests.

1 Like
5

No, I am already working with a working ACME client.
But I am fixing the part that used to use GET.
The script that I am working on has nothing to do with JWS because it used to just do GET.
You are saying it won’t be too hard to change GET to POST-as-GET but this is so much work!

1 Like
6

If you have already implemented a working ACME client, it means you have already implemented signed JWS POST.

It is a very small step to go from POST to POST-as-GET. You just change payload to be blank.

But if your ACME client does not have the ability to do signed JWS POST yet (for example, to create a new order), then yes, it is a lot of work.

1 Like
7

Yes, my ACME client program is creating new order just before doing authz…
order creation does have JWS generation and POST request.
I can just copy those steps to do authz, right?

1 Like
8

Yes, you can just copy the JWS generation, and blank the payload. That’s all you need to do.

3 Likes
9

Look at https://github.com/bruncsak/ght-acme.sh/blob/master/letsencrypt.sh . If you search for the use of send_req function, sometimes the second argument is "". That is a POST-as-GET use.

2 Likes
10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.