acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

registration error - EAB - square/go-jose: error in cryptographic primitive #4082

Open dc352 opened 2 years ago

dc352 commented 2 years ago

Steps to reproduce

Not sure - we ran it a few times without a problem till we got this error - repeatedly. Any help/suggestion would be great.

Debug log

"Usage: _hmac hashalg secret [outputhex]", "[Fri May 6 10:20:31 BST 2022] Register account Error: {\"detail\":\"external account binding JWS verification error: square/go-jose: error in cryptographic primitive\",\"status\":403,\"type\":\"unauthorized\"}"

./acme.sh --register-account --force --email email@email.com --server https://acme.digicert.com/v2/acme/directory/ --eab-kid b-JJL6ICszqfJmmJoU0dQpFJ77E__BXXbmfpT_8OsF0 --eab-hmac-key <key from Digicert> --ca-bundle cabundle.pem

LukevanTricht commented 2 years ago

Getting the same error (it has a different final message, but the true source of failure, _hmac, is the same) with a basic registration:

$ acme.sh --register-account --accountemail <email>
Usage: _hmac hashalg secret [outputhex]
Registering account: https://acme.zerossl.com/v2/DV90
Register account Error: {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] The JWS Signature MUST be present"}
$

Neilpang commented 2 years ago

Why not provide the log with --debug 2?

dc352 commented 2 years ago

I will try to get the detailed log.

But we retested with an older version 3.0.2 - and that works OK.

Knight1 commented 1 year ago

I have the same problem under macOS 10.6; acme.sh is the latest from GitHub.

➜  acme.sh git:(master) ./acme.sh --register-account -m X --server google --eab-kid "X" --eab-hmac-key "X" --debug 4
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043             _selectServer try snames='zerossl.com,zerossl'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043             _selectServer try snames='letsencrypt.org,letsencrypt'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043             _selectServer try snames='letsencrypt.org_test,letsencrypt_test,letsencrypttest'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043             _selectServer try snames='buypass.com,buypass'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043             _selectServer try snames='buypass.com_test,buypass_test,buypasstest'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043             _selectServer try snames='ssl.com,sslcom'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043             _selectServer try snames='google.com,google'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7046             _selectServer match google
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7051             Selected server: https://dv.acme-v02.api.pki.goog/directory
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_exists:534                    readlink exists=0
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_exists:534                    dirname exists=0
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2575                Lets find script dir.
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2576                _SCRIPT_='./acme.sh'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2578                _script='/Users/knight/code/acme.sh/acme.sh'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2580                _script_home='/Users/knight/code/acme.sh'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2599                Using default home:/Users/knight/.acme.sh
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2607                Using config home:/Users/knight/.acme.sh
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2621                ACCOUNT_CONF_PATH='/Users/knight/.acme.sh/account.conf'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_process:7752                  LE_WORKING_DIR='/Users/knight/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.5
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_process:7757                  Using server: https://dv.acme-v02.api.pki.goog/directory
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_process:7760                  Running cmd: registeraccount
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2607                Using config home:/Users/knight/.acme.sh
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2621                ACCOUNT_CONF_PATH='/Users/knight/.acme.sh/account.conf'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initpath:2746                 ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initpath:2748                 _ACME_SERVER_HOST='dv.acme-v02.api.pki.goog'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initpath:2751                 _ACME_SERVER_PATH='directory'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initpath:2758                 CA_CONF='/Users/knight/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/ca.conf'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2607                Using config home:/Users/knight/.acme.sh
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:__initHome:2621                ACCOUNT_CONF_PATH='/Users/knight/.acme.sh/account.conf'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initpath:2746                 ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initpath:2748                 _ACME_SERVER_HOST='dv.acme-v02.api.pki.goog'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initpath:2751                 _ACME_SERVER_PATH='directory'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initpath:2758                 CA_CONF='/Users/knight/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/ca.conf'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_regAccount:3636               _regAccount
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initAPI:2644                  _init api for server: https://dv.acme-v02.api.pki.goog/directory
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_get:2020                      GET
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_get:2024                      url='https://dv.acme-v02.api.pki.goog/directory'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_get:2025                      timeout=
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_exists:534                    curl exists=0
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_exists:534                    mktemp exists=0
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_exists:534                    wget exists=0
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_get:2037                      _CURL='curl --silent --dump-header /Users/knight/.acme.sh/http.header  -L  --trace-ascii /var/folders/ys/ldbdt_gd1jxb0h40nhy14bvc0000gn/T/tmp.s9GxSaMt '
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_get:2089                      ret='0'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_json_decode:902               _json_decode
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_json_decode:903               _j_str='{"newNonce":"https://dv.acme-v02.api.pki.goog/new-nonce","newAccount":"https://dv.acme-v02.api.pki.goog/new-account","newOrder":"https://dv.acme-v02.api.pki.goog/new-order","newAuthz":"https://dv.acme-v02.api.pki.goog/new-authz","revokeCert":"https://dv.acme-v02.api.pki.goog/revoke-cert","keyChange":"https://dv.acme-v02.api.pki.goog/key-change","meta":{"termsOfService":"https://pki.goog/GTS-SA.pdf","website":"https://pki.goog","caaIdentities":["pki.goog"],"externalAccountRequired":true}}'
[Sat Oct  8 17:07:23 CEST 2022] ./acme.sh:_initAPI:2660                  response='{"newNonce":"https://dv.acme-v02.api.pki.goog/new-nonce","newAccount":"https://dv.acme-v02.api.pki.goog/new-account","newOrder":"https://dv.acme-v02.api.pki.goog/new-order","newAuthz":"https://dv.acme-v02.api.pki.goog/new-authz","revokeCert":"https://dv.acme-v02.api.pki.goog/revoke-cert","keyChange":"https://dv.acme-v02.api.pki.goog/key-change","meta":{"termsOfService":"https://pki.goog/GTS-SA.pdf","website":"https://pki.goog","caaIdentities":["pki.goog"],"externalAccountRequired":true}}'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2683                  ACME_KEY_CHANGE='https://dv.acme-v02.api.pki.goog/key-change'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2684                  ACME_NEW_AUTHZ='https://dv.acme-v02.api.pki.goog/new-authz'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2685                  ACME_NEW_ORDER='https://dv.acme-v02.api.pki.goog/new-order'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2686                  ACME_NEW_ACCOUNT='https://dv.acme-v02.api.pki.goog/new-account'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2687                  ACME_REVOKE_CERT='https://dv.acme-v02.api.pki.goog/revoke-cert'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2688                  ACME_AGREEMENT='https://pki.goog/GTS-SA.pdf'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2689                  ACME_NEW_NONCE='https://dv.acme-v02.api.pki.goog/new-nonce'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1669                  RSA key
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1674                  pub_exp='010001'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_exists:534                    xxd exists=0
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_base64:969                    base64 single line.
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1677                  e='AQAB'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1680                  modulus='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_base64:969                    base64 single line.
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_exists:534                    xxd exists=0
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1682                  n='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1685                  jwk='{"e": "AQAB", "kty": "RSA", "n": "X"}'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1765                  JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "X"}}'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_setopt:2262                   OK
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_setopt:2280                   1:CA_EAB_KEY_ID='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_setopt:2262                   OK
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_setopt:2280                   2:CA_EAB_HMAC_KEY='X'
[Sat Oct  8 17:07:24 CEST 2022] _eab_id='[hidden](please add '--output-insecure' to see this value)'
[Sat Oct  8 17:07:24 CEST 2022] _eab_hmac_key='[hidden](please add '--output-insecure' to see this value)'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_setopt:2262                   OK
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_setopt:2280                   3:CA_EMAIL='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3699               eab_protected='{"alg":"HS256","kid":"X","url":"https://dv.acme-v02.api.pki.goog/new-account"}'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_base64:969                    base64 single line.
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3702               eab_protected64='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_base64:969                    base64 single line.
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3705               eab_payload64='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3708               eab_sign_t='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_exists:534                    od exists=0
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3711               key_hex
Usage: _hmac hashalg secret [outputhex]
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_base64:969                    base64 single line.
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3714               eab_signature
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3717               externalBinding=',"externalAccountBinding":{"protected":"X", "payload":"X", "signature":""}'
[Sat Oct  8 17:07:24 CEST 2022] Registering account: https://dv.acme-v02.api.pki.goog/directory
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2113      url='https://dv.acme-v02.api.pki.goog/new-account'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2114      payload='{"contact": ["mailto:X"], "termsOfServiceAgreed": true,"externalAccountBinding":{"protected":"X", "payload":"X", "signature":""}}'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1664                  Use cached jwk for file: /Users/knight/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/account.key
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_base64:969                    base64 single line.
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2123      payload64='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2130      _request_retry_times='1'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2134      Get nonce with HEAD. ACME_NEW_NONCE='https://dv.acme-v02.api.pki.goog/new-nonce'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_post:1897                     HEAD
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_post:1898                     _post_url='https://dv.acme-v02.api.pki.goog/new-nonce'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_post:1899                     body
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_post:1900                     _postContentType='application/jose+json'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_exists:534                    curl exists=0
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_exists:534                    mktemp exists=0
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_exists:534                    wget exists=0
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_post:1912                     _CURL='curl --silent --dump-header /Users/knight/.acme.sh/http.header  -L  --trace-ascii /var/folders/ys/ldbdt_gd1jxb0h40nhy14bvc0000gn/T/tmp.NTkXR3Xx  -I  '
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_post:2013                     _ret='0'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2138      _headers='HTTP/2 200 
cache-control: no-store
link: <https://dv.acme-v02.api.pki.goog/directory>;rel="index"
replay-nonce: X-X
content-length: 0
date: Sat, 08 Oct 2022 15:07:24 GMT
content-type: text/html
server: scaffolding on HTTPServer2
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2156      _CACHED_NONCE='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2165      nonce='X-X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2180      protected='{"nonce": "X-X", "url": "https://dv.acme-v02.api.pki.goog/new-account", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "X"}}'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_base64:969                    base64 single line.
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2183      protected64='X'
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_base64:969                    base64 single line.
[Sat Oct  8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2189      _sig_t='X'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2192      sig='X'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2195      body='{"protected": "X", "payload": "X", "signature": "X"}'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_post:1897                     POST
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_post:1898                     _post_url='https://dv.acme-v02.api.pki.goog/new-account'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_post:1899                     body='{"protected": "X", "payload": "X", "signature": "X"}'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_post:1900                     _postContentType='application/jose+json'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_inithttp:1834                 Http already initialized.
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_post:1912                     _CURL='curl --silent --dump-header /Users/knight/.acme.sh/http.header  -L  --trace-ascii /var/folders/ys/ldbdt_gd1jxb0h40nhy14bvc0000gn/T/tmp.NTkXR3Xx '
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_post:2013                     _ret='0'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2206      responseHeaders='HTTP/2 403 
link: <https://dv.acme-v02.api.pki.goog/directory>;rel="index"
replay-nonce: X-X
content-type: application/problem+json
content-length: 110
date: Sat, 08 Oct 2022 15:07:25 GMT
server: scaffolding on HTTPServer2
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2209      code='403'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2211      original='{"type":"urn:ietf:params:acme:error:unauthorized","detail":"External Account Binding JWS verification failed"}'
[Sat Oct  8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2215      response='{"type":"urn:ietf:params:acme:error:unauthorized","detail":"External Account Binding JWS verification failed"}'
[Sat Oct  8 17:07:26 CEST 2022] Register account Error: {"type":"urn:ietf:params:acme:error:unauthorized","detail":"External Account Binding JWS verification failed"}
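The log above shows what the CA rejected: the externalAccountBinding went out with `"signature":""` because `_hmac` never received a key (the `Usage: _hmac hashalg secret [outputhex]` line). As an added example that is not acme.sh's code, this builds the EAB JWS that RFC 8555 §7.3.4 expects (HS256 over `protected64.payload64`, payload = the account JWK), refuses to sign when the decoded key is empty, and models the CA-side verification that failed in this thread; the kid, HMAC key and JWK are constructed placeholders.

```python
"""ACME External Account Binding (EAB) JWS per RFC 8555 s7.3.4: build and verify.
Added example, not acme.sh code; kid, HMAC key and JWK below are constructed."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url, re-adding the padding a CA's key string omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(kid, hmac_key_b64, new_account_url, account_jwk):
    """Return the externalAccountBinding object for a newAccount request."""
    key = b64url_decode(hmac_key_b64)
    # Guard for the failure in the log above: an empty key must abort here,
    # not be handed to the HMAC step to yield signature="".
    if not key:
        raise ValueError("EAB HMAC key decoded to zero bytes; refusing to sign")
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    # The EAB payload is the account public key (JWK), not the newAccount body.
    payload64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected64}.{payload64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return {"protected": protected64, "payload": payload64, "signature": b64url(sig)}


def verify_eab(eab, hmac_key_b64):
    """Model the CA-side check that rejected the requests in this thread."""
    key = b64url_decode(hmac_key_b64)
    if not key or not eab.get("signature"):
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(b64url_decode(eab["signature"]), expected)


# Constructed sample inputs (placeholders, not issued by any CA).
SAMPLE_KID = "example-kid-0001"
SAMPLE_HMAC_KEY = b64url(b"0123456789abcdef0123456789abcdef")
SAMPLE_URL = "https://dv.acme-v02.api.pki.goog/new-account"
SAMPLE_JWK = {"e": "AQAB", "kty": "RSA", "n": "placeholder-modulus"}

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_URL, SAMPLE_JWK)
    print(json.dumps(eab, indent=2), "\nverifies:", verify_eab(eab, SAMPLE_HMAC_KEY))
```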

Neilpang commented 1 year ago

@Knight1 what is the version of your openssl?

openssl  version

Please upgrade openssl and try again.

Knight1 commented 1 year ago

Uh

$ openssl  version
LibreSSL 3.3.6

devhaozi commented 5 days ago

This might be the reason: https://github.com/mholt/acmez/issues/28#issuecomment-2376040210