Trying to do POST-as-GET but getting "POST JWS not signed"

GET requests on the ACME v2 API are no longer supported, so I am doing tests on your staging environment.
I changed my client’s request to POST. Request URL is the same as before.
I am posting JWS that has empty “payload” but I am getting “POST JWS not signed”.
How can I make signed JWS to POST to your API?
Please show me an example.

My domain is:
lab30-test.jp

I ran this command:
POST https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/[ID]

It produced this output:
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "POST JWS not signed",
"status": 400
}

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

1 Like

There is an example of POST-as-GET in the spec itself: https://tools.ietf.org/html/rfc8555#page-54

As you can see, the payload is an empty string (""), but it is otherwise like any other JWS POST request to the ACME server.

If you want examples of how to sign a JWS object, look to the source code of any ACME v2 client in the language of your choice.

2 Likes

Thank you.
I understand the payload field can be empty.
But how am I supposed to get the other stuff like
“alg”, “kid”, “nonce”, “url” and “signature”?
Where do I generate them?

1 Like

They are all part of JWS, which is the scheme used for authentication in ACME: https://tools.ietf.org/html/rfc8555#section-6.2.

If you are unfamiliar with it, it may be easier to start with an existing ACME library to do your tests.

1 Like

No, I am already working with a working ACME client.
But I am fixing the part that used to use GET.
The script that I am working on has nothing to do with JWS because it used to just do GET.
You are saying it won’t be too hard to change GET to POST-as-GET but this is so much work!

1 Like

If you have already implemented a working ACME client, it means you have already implemented signed JWS POST.

It is a very small step to go from POST to POST-as-GET. You just change payload to be blank.

But if your ACME client does not have the ability to do signed JWS POST yet (for example, to create a new order), then yes, it is a lot of work.

1 Like

Yes, my ACME client program is creating a new order just before doing authz…
order creation does have JWS generation and POST request.
I can just copy those steps to do authz, right?

1 Like

Yes, you can just copy the JWS generation, and blank the payload. That’s all you need to do.

3 Likes

Look at https://github.com/bruncsak/ght-acme.sh/blob/master/letsencrypt.sh . If you search for the use of send_req function, sometimes the second argument is "". That is a POST-as-GET use.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.