Open dc352 opened 2 years ago
Getting the same error (it has a different final message, but the true source of failure, _hmac, is the same) with a basic registration:
$ acme.sh --register-account --accountemail <email>
Usage: _hmac hashalg secret [outputhex]
Registering account: https://acme.zerossl.com/v2/DV90
Register account Error: {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] The JWS Signature MUST be present"}
$
Why not provide a log with --debug 2?
I will try to get the detailed log.
But we retested with an older version 3.0.2 - and that works OK.
I have the same problem under macOS 10.6; acme.sh is the latest from GitHub.
➜ acme.sh git:(master) ./acme.sh --register-account -m X --server google --eab-kid "X" --eab-hmac-key "X" --debug 4
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043 _selectServer try snames='zerossl.com,zerossl'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043 _selectServer try snames='letsencrypt.org,letsencrypt'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043 _selectServer try snames='letsencrypt.org_test,letsencrypt_test,letsencrypttest'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043 _selectServer try snames='buypass.com,buypass'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043 _selectServer try snames='buypass.com_test,buypass_test,buypasstest'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043 _selectServer try snames='ssl.com,sslcom'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7043 _selectServer try snames='google.com,google'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7046 _selectServer match google
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_selectServer:7051 Selected server: https://dv.acme-v02.api.pki.goog/directory
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_exists:534 readlink exists=0
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_exists:534 dirname exists=0
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2575 Lets find script dir.
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2576 _SCRIPT_='./acme.sh'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2578 _script='/Users/knight/code/acme.sh/acme.sh'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2580 _script_home='/Users/knight/code/acme.sh'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2599 Using default home:/Users/knight/.acme.sh
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2607 Using config home:/Users/knight/.acme.sh
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2621 ACCOUNT_CONF_PATH='/Users/knight/.acme.sh/account.conf'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_process:7752 LE_WORKING_DIR='/Users/knight/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.5
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_process:7757 Using server: https://dv.acme-v02.api.pki.goog/directory
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_process:7760 Running cmd: registeraccount
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2607 Using config home:/Users/knight/.acme.sh
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2621 ACCOUNT_CONF_PATH='/Users/knight/.acme.sh/account.conf'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initpath:2746 ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initpath:2748 _ACME_SERVER_HOST='dv.acme-v02.api.pki.goog'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initpath:2751 _ACME_SERVER_PATH='directory'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initpath:2758 CA_CONF='/Users/knight/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/ca.conf'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2607 Using config home:/Users/knight/.acme.sh
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:__initHome:2621 ACCOUNT_CONF_PATH='/Users/knight/.acme.sh/account.conf'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initpath:2746 ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initpath:2748 _ACME_SERVER_HOST='dv.acme-v02.api.pki.goog'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initpath:2751 _ACME_SERVER_PATH='directory'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initpath:2758 CA_CONF='/Users/knight/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/ca.conf'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_regAccount:3636 _regAccount
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initAPI:2644 _init api for server: https://dv.acme-v02.api.pki.goog/directory
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_get:2020 GET
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_get:2024 url='https://dv.acme-v02.api.pki.goog/directory'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_get:2025 timeout=
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_exists:534 curl exists=0
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_exists:534 mktemp exists=0
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_exists:534 wget exists=0
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_get:2037 _CURL='curl --silent --dump-header /Users/knight/.acme.sh/http.header -L --trace-ascii /var/folders/ys/ldbdt_gd1jxb0h40nhy14bvc0000gn/T/tmp.s9GxSaMt '
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_get:2089 ret='0'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_json_decode:902 _json_decode
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_json_decode:903 _j_str='{"newNonce":"https://dv.acme-v02.api.pki.goog/new-nonce","newAccount":"https://dv.acme-v02.api.pki.goog/new-account","newOrder":"https://dv.acme-v02.api.pki.goog/new-order","newAuthz":"https://dv.acme-v02.api.pki.goog/new-authz","revokeCert":"https://dv.acme-v02.api.pki.goog/revoke-cert","keyChange":"https://dv.acme-v02.api.pki.goog/key-change","meta":{"termsOfService":"https://pki.goog/GTS-SA.pdf","website":"https://pki.goog","caaIdentities":["pki.goog"],"externalAccountRequired":true}}'
[Sat Oct 8 17:07:23 CEST 2022] ./acme.sh:_initAPI:2660 response='{"newNonce":"https://dv.acme-v02.api.pki.goog/new-nonce","newAccount":"https://dv.acme-v02.api.pki.goog/new-account","newOrder":"https://dv.acme-v02.api.pki.goog/new-order","newAuthz":"https://dv.acme-v02.api.pki.goog/new-authz","revokeCert":"https://dv.acme-v02.api.pki.goog/revoke-cert","keyChange":"https://dv.acme-v02.api.pki.goog/key-change","meta":{"termsOfService":"https://pki.goog/GTS-SA.pdf","website":"https://pki.goog","caaIdentities":["pki.goog"],"externalAccountRequired":true}}'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2683 ACME_KEY_CHANGE='https://dv.acme-v02.api.pki.goog/key-change'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2684 ACME_NEW_AUTHZ='https://dv.acme-v02.api.pki.goog/new-authz'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2685 ACME_NEW_ORDER='https://dv.acme-v02.api.pki.goog/new-order'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2686 ACME_NEW_ACCOUNT='https://dv.acme-v02.api.pki.goog/new-account'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2687 ACME_REVOKE_CERT='https://dv.acme-v02.api.pki.goog/revoke-cert'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2688 ACME_AGREEMENT='https://pki.goog/GTS-SA.pdf'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_initAPI:2689 ACME_NEW_NONCE='https://dv.acme-v02.api.pki.goog/new-nonce'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1669 RSA key
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1674 pub_exp='010001'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_exists:534 xxd exists=0
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_base64:969 base64 single line.
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1677 e='AQAB'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1680 modulus='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_base64:969 base64 single line.
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_exists:534 xxd exists=0
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1682 n='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1685 jwk='{"e": "AQAB", "kty": "RSA", "n": "X"}'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1765 JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "X"}}'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_setopt:2262 OK
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_setopt:2280 1:CA_EAB_KEY_ID='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_setopt:2262 OK
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_setopt:2280 2:CA_EAB_HMAC_KEY='X'
[Sat Oct 8 17:07:24 CEST 2022] _eab_id='[hidden](please add '--output-insecure' to see this value)'
[Sat Oct 8 17:07:24 CEST 2022] _eab_hmac_key='[hidden](please add '--output-insecure' to see this value)'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_setopt:2262 OK
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_setopt:2280 3:CA_EMAIL='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3699 eab_protected='{"alg":"HS256","kid":"X","url":"https://dv.acme-v02.api.pki.goog/new-account"}'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_base64:969 base64 single line.
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3702 eab_protected64='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_base64:969 base64 single line.
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3705 eab_payload64='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3708 eab_sign_t='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_exists:534 od exists=0
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3711 key_hex
Usage: _hmac hashalg secret [outputhex]
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_base64:969 base64 single line.
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3714 eab_signature
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_regAccount:3717 externalBinding=',"externalAccountBinding":{"protected":"X", "payload":"X", "signature":""}'
[Sat Oct 8 17:07:24 CEST 2022] Registering account: https://dv.acme-v02.api.pki.goog/directory
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2113 url='https://dv.acme-v02.api.pki.goog/new-account'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2114 payload='{"contact": ["mailto:X"], "termsOfServiceAgreed": true,"externalAccountBinding":{"protected":"X", "payload":"X", "signature":""}}'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_calcjwk:1664 Use cached jwk for file: /Users/knight/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/account.key
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_base64:969 base64 single line.
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2123 payload64='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2130 _request_retry_times='1'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2134 Get nonce with HEAD. ACME_NEW_NONCE='https://dv.acme-v02.api.pki.goog/new-nonce'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_post:1897 HEAD
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_post:1898 _post_url='https://dv.acme-v02.api.pki.goog/new-nonce'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_post:1899 body
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_post:1900 _postContentType='application/jose+json'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_exists:534 curl exists=0
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_exists:534 mktemp exists=0
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_exists:534 wget exists=0
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_post:1912 _CURL='curl --silent --dump-header /Users/knight/.acme.sh/http.header -L --trace-ascii /var/folders/ys/ldbdt_gd1jxb0h40nhy14bvc0000gn/T/tmp.NTkXR3Xx -I '
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_post:2013 _ret='0'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2138 _headers='HTTP/2 200
cache-control: no-store
link: <https://dv.acme-v02.api.pki.goog/directory>;rel="index"
replay-nonce: X-X
content-length: 0
date: Sat, 08 Oct 2022 15:07:24 GMT
content-type: text/html
server: scaffolding on HTTPServer2
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2156 _CACHED_NONCE='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2165 nonce='X-X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2180 protected='{"nonce": "X-X", "url": "https://dv.acme-v02.api.pki.goog/new-account", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "X"}}'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_base64:969 base64 single line.
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2183 protected64='X'
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_base64:969 base64 single line.
[Sat Oct 8 17:07:24 CEST 2022] ./acme.sh:_send_signed_request:2189 _sig_t='X'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2192 sig='X'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2195 body='{"protected": "X", "payload": "X", "signature": "X"}'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_post:1897 POST
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_post:1898 _post_url='https://dv.acme-v02.api.pki.goog/new-account'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_post:1899 body='{"protected": "X", "payload": "X", "signature": "X"}'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_post:1900 _postContentType='application/jose+json'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_inithttp:1834 Http already initialized.
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_post:1912 _CURL='curl --silent --dump-header /Users/knight/.acme.sh/http.header -L --trace-ascii /var/folders/ys/ldbdt_gd1jxb0h40nhy14bvc0000gn/T/tmp.NTkXR3Xx '
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_post:2013 _ret='0'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2206 responseHeaders='HTTP/2 403
link: <https://dv.acme-v02.api.pki.goog/directory>;rel="index"
replay-nonce: X-X
content-type: application/problem+json
content-length: 110
date: Sat, 08 Oct 2022 15:07:25 GMT
server: scaffolding on HTTPServer2
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2209 code='403'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2211 original='{"type":"urn:ietf:params:acme:error:unauthorized","detail":"External Account Binding JWS verification failed"}'
[Sat Oct 8 17:07:25 CEST 2022] ./acme.sh:_send_signed_request:2215 response='{"type":"urn:ietf:params:acme:error:unauthorized","detail":"External Account Binding JWS verification failed"}'
[Sat Oct 8 17:07:26 CEST 2022] Register account Error: {"type":"urn:ietf:params:acme:error:unauthorized","detail":"External Account Binding JWS verification failed"}
@Knight1 what is the version of your openssl?
openssl version
Please upgrade openssl and try again.
Uh
$ openssl version
LibreSSL 3.3.6
This might be the reason: https://github.com/mholt/acmez/issues/28#issuecomment-2376040210
Steps to reproduce
Not sure - we ran it a few times without a problem till we got this error - repeatedly. Any help/suggestion would be great
Debug log
"Usage: _hmac hashalg secret [outputhex]", "[Fri May 6 10:20:31 BST 2022] Register account Error: {\"detail\":\"external account binding JWS verification error: square/go-jose: error in cryptographic primitive\",\"status\":403,\"type\":\"unauthorized\"}"
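An independent reference for the External Account Binding step seen in the debug log, useful for checking a client's output without relying on the local openssl/LibreSSL binary. This is an added example, not code from acme.sh or from anyone in this thread; the function names and all sample values are constructed for illustration. It builds the HS256 binding as RFC 8555 section 7.3.4 describes and refuses to emit one when the key decodes to nothing, which is the condition that produced `"signature":""` above.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Decode base64url with or without padding; reject anything else."""
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)

def eab_binding(kid: str, hmac_key_b64url: str, account_jwk: dict, url: str) -> dict:
    """Build the externalAccountBinding object (RFC 8555 section 7.3.4)."""
    key = b64url_decode(hmac_key_b64url)
    if not key:
        # Fail closed instead of sending an empty signature to the CA.
        raise ValueError("EAB HMAC key decoded to zero bytes")
    header = {"alg": "HS256", "kid": kid, "url": url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def verify_binding(binding: dict, hmac_key_b64url: str) -> bool:
    """Recompute the MAC the way a CA would and compare in constant time."""
    if not all(binding.get(f) for f in ("protected", "payload", "signature")):
        return False
    key = b64url_decode(hmac_key_b64url)
    signing_input = f"{binding['protected']}.{binding['payload']}".encode("ascii")
    expected = b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return hmac.compare_digest(expected, binding["signature"])

# Constructed sample values (not real credentials, not a real CA endpoint).
SAMPLE_KID = "example-kid"
SAMPLE_KEY = b64url(b"constructed-eab-hmac-key-32bytes")
SAMPLE_JWK = {"e": "AQAB", "kty": "RSA", "n": "constructed-modulus"}
SAMPLE_URL = "https://acme.example.test/new-account"

if __name__ == "__main__":
    good = eab_binding(SAMPLE_KID, SAMPLE_KEY, SAMPLE_JWK, SAMPLE_URL)
    print(verify_binding(good, SAMPLE_KEY))
    print(verify_binding({**good, "signature": ""}, SAMPLE_KEY))
```
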