What is the right uri format for new account-uri param?


#1

Hi,

Regarding the new account-uri implementation for CAA records (ACME-CAA "validation-methods" support), I don't know what the right URI is that we should use to validate our account.

If we check our reg file: /etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/regr.json

We will see a URI field for our account, something like this:

"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/abcdefg"

So I created a CAA record

0 issue "letsencrypt.org\; account-uri=https://acme-staging-v02.api.letsencrypt.org/acme/acct/abcdefg"

and tried it but I got this error:

Failed authorization procedure. sub.domain.tld (dns-01): urn:ietf:params:acme:error:caa :: CAA record for sub.domain.tld prevents issuance

If we check boulder code for accountURIPrefixes https://github.com/letsencrypt/boulder/search?q=accountURIPrefixes&unscoped_q=accountURIPrefixes we see a couple of examples for uri prefixes:

http://boulder:4000/acme/reg/
https://letsencrypt.org/acct/reg/

So I tried:

https://acme-staging-v02.api.letsencrypt.org/acme/acct/abcdefg
https://acme-staging-v02.api.letsencrypt.org/acct/reg/abcdefg
https://letsencrypt.org/acct/reg/abcdefg

But the only one that works is:

https://acme-staging-v02.api.letsencrypt.org/acme/reg/abcdefg

0 issue "letsencrypt.org\; account-uri=https://acme-staging-v02.api.letsencrypt.org/acme/reg/abcdefg"

And that is the format for the URI in API version 01 (acme/reg) instead of the format in the new API version 02 (acme/acct), so for me it is a bit confusing :wink:.

My questions:

1.- Is https://acme-staging-v02.api.letsencrypt.org/acme/reg/abcdefg the right URI to use in the account-uri param (I suppose it is, because it works :stuck_out_tongue: but…)?

2.- Would this change in the future to https://acme-staging-v02.api.letsencrypt.org/acme/acct/abcdefg?

Thank you in advance.

Cheers,
sahsanu


#2

As far as I can see from va/caa.go and va/va.go, the accepted prefixes are a specific setting in Boulder's configuration.

Perhaps this configuration hasn’t been updated when the v2 API was enabled?


#3

Thanks for pointing this out, @sahsanu. It looks like you found a misconfiguration in our staging environment. For our ACMEv1 endpoint, account URLs start with /acme/reg/. For ACMEv2, we used /acme/acct/ to match the updated draft language calling accounts “accounts” instead of “registrations.” However, when adding the accepted prefixes, we used .../acme/reg/ for both v1 and v2. I’ll get it fixed. Thanks for the catch!
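The check discussed in this thread, as an added example that is not Boulder's code and not part of the original posts: it parses a CAA "issue" value into its issuer domain and ";"-separated parameters (the `\;` in the zone-file lines above is only presentation escaping, since `;` starts a comment in zone-file syntax; the value stored in DNS is a plain `;`), and then accepts the account-uri parameter only if it equals one of the CA's configured account URI prefixes followed by the requesting account's ID. The prefix-plus-account-ID comparison is modeled on the behaviour described in posts #1 and #3, not on Boulder's actual implementation, and the account ID `abcdefg`, the prefix lists and the `UnescapeZoneValue` helper are constructed for this example. The `main` reproduces the staging misconfiguration: with only the `/acme/reg/` prefix configured, the `/acme/acct/` account URI is rejected; adding the v2 prefix fixes it.

```go
package main

import (
	"fmt"
	"strings"
)

// CAAIssue is a parsed CAA "issue" property value (RFC 8659 section 4.2):
// an issuer domain name followed by optional ";"-separated "key=value"
// parameters, such as the account-uri parameter from RFC 8657.
type CAAIssue struct {
	IssuerDomain string
	Params       map[string]string
}

// UnescapeZoneValue turns the zone-file presentation form (where ";" has to
// be written as "\;") back into the value the CA actually reads from DNS.
// Constructed helper for this example; it only handles the "\;" escape.
func UnescapeZoneValue(presentation string) string {
	return strings.ReplaceAll(presentation, `\;`, ";")
}

// ParseCAAIssue splits "issuer-domain; key=value; key=value" into its parts.
// A parameter without "=" is malformed and rejected rather than ignored.
func ParseCAAIssue(value string) (CAAIssue, error) {
	parts := strings.Split(value, ";")
	out := CAAIssue{
		IssuerDomain: strings.TrimSpace(parts[0]),
		Params:       map[string]string{},
	}
	for _, p := range parts[1:] {
		p = strings.TrimSpace(p)
		if p == "" {
			continue
		}
		kv := strings.SplitN(p, "=", 2)
		if len(kv) != 2 || strings.TrimSpace(kv[0]) == "" {
			return CAAIssue{}, fmt.Errorf("malformed CAA parameter %q", p)
		}
		out.Params[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return out, nil
}

// AccountURIAllowed applies the account-uri restriction. If the parameter is
// absent there is nothing to enforce; otherwise the value must be exactly one
// of the configured prefixes followed by the requesting account's ID.
// (Assumed behaviour, based on how the thread describes the check.)
func AccountURIAllowed(issue CAAIssue, prefixes []string, accountID string) bool {
	uri, present := issue.Params["account-uri"]
	if !present {
		return true
	}
	for _, prefix := range prefixes {
		if uri == prefix+accountID {
			return true
		}
	}
	return false
}

func main() {
	// Constructed record: the working line from the thread, rewritten to the
	// ACMEv2 /acme/acct/ form that originally failed.
	zoneValue := `letsencrypt.org\; account-uri=https://acme-staging-v02.api.letsencrypt.org/acme/acct/abcdefg`
	issue, err := ParseCAAIssue(UnescapeZoneValue(zoneValue))
	if err != nil {
		panic(err)
	}

	// Only the v1-style prefix configured (the staging misconfiguration).
	misconfigured := []string{"https://acme-staging-v02.api.letsencrypt.org/acme/reg/"}
	fmt.Println("v1 prefix only, /acme/acct/ URI allowed:",
		AccountURIAllowed(issue, misconfigured, "abcdefg")) // false

	// v2 prefix added: the same record now passes.
	fixed := append(misconfigured, "https://acme-staging-v02.api.letsencrypt.org/acme/acct/")
	fmt.Println("v2 prefix added, /acme/acct/ URI allowed:",
		AccountURIAllowed(issue, fixed, "abcdefg")) // true

	// A different account is still rejected even with the right prefix.
	fmt.Println("other account allowed:",
		AccountURIAllowed(issue, fixed, "other")) // false
}
```

The exact-match rule (prefix plus account ID, no prefix-only matching) is the property to keep in mind when writing your own records: a CAA account-uri that merely shares a prefix with your account URL, or that points at a differently-formatted URL for the same account, does not authorise issuance.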
