Comments (2)
Also seeing this with pebble (the kid issue):
Key ID (kid) in JWS header missing expected URL prefix
Edit: in my case using the latest dehydrated script fixed things.
from lua-resty-auto-ssl.
A bit more detail:
The server creates an account and stores the public key used to
verify the JWS (i.e., the "jwk" element of the JWS header) to
authenticate future requests from the account. The server returns
this account object in a 201 (Created) response, with the account URL
in a Location header field. The account URL is used as the "kid"
value in the JWS authenticating subsequent requests by this account
(see Section 6.2). The account URL is also used for requests for
management actions on this account, as described below.
HTTP/1.1 201 Created
Content-Type: application/json
Replay-Nonce: D8s4D2mLs8Vn-goWuPQeKA
Link: <https://example.com/acme/directory>;rel="index"
Location: https://example.com/acme/acct/evOfKhNU60wg
{
"status": "valid",
"contact": [
"mailto:[email protected]",
"mailto:[email protected]"
],
"orders": "https://example.com/acme/acct/evOfKhNU60wg/orders"
}
That excerpt is from the ACME RFC section 7.3 (https://datatracker.ietf.org/doc/html/rfc8555#section-7.3). The location header returned by the new-account request should be used as the kid in future requests. But instead, we're seeing a different URL in the kid
field in the JWS.
From section 6.2:
For all other requests, the request is signed using an existing
account, and there MUST be a "kid" field. This field MUST contain
the account URL received by POSTing to the newAccount resource.
from lua-resty-auto-ssl.
Related Issues (20)
- How to determine if self signed cert is being used HOT 8
- Is it possible to change the LE CA to a custom CA? HOT 1
- How to pass username in auth option for redis.
- Does it support zerossl
- Test against newer versions of OpenResty HOT 5
- Certificates with multiple accounts HOT 1
- How to explicitly delete a domain/certificate? HOT 1
- Proxy Protocol v2 not supported
- How change allow_domains to file separate
- Security issue
- New Release? HOT 6
- Migrate letsencrypt certifcates on disk to lua-resty-open-ssl HOT 2
- Failing to use the 'has_certificate' method HOT 1
- Renewal fails with error: auto-ssl: failed to obtain lock: closed, context: ngx.timer
- Move Out Renewal Jobs to Another Server HOT 1
- Let's Encrypt response on renewal: Order's status ("valid") is not acceptable for finalization
- Update Dehydrated to 0.7.1+ to fix issuance with Let's Encrypt
- Cannot change the renewal interval
- Remove cached certificate HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lua-resty-auto-ssl.