acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

External Account Binding doesn't work for Google #5070

Closed derkaan closed 6 months ago

derkaan commented 6 months ago

I'm trying to use acme.sh in combination with Google but end up with the same issue all the time.

Register account Error: {"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.","requestID":"b6HWs8NloPH9e2jDnStFeQ"}

I tried various things and also can't get the issue out of the logs. Maybe someone can help or tell me where to look for a solution. Through Google research and in this wiki I couldn't find any working solution.

Steps to reproduce

acme.sh has been upgraded to the latest version available at time of writing

acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.8

These are the steps I took:

Login to google and external-account-keys

gcloud auth login # then followed the steps 
gcloud publicca external-account-keys create --project myproject

I've noted the returned values and used them when trying to create the needed certificate.

acme.sh --issue    -d my.domain.net    --stateless    --server google --eab-kid 13acb6e7bf0074d6ba485bcd2ba3f58c --eab-hmac-key JvX7Wap6AkBBkcPP9zyPWF04rEcl0PLbfNFkXRhZsS1-7q96SH3eEFNiRvxofwSSbwk0BiTbo2wvy0JWdKg3bw 

Due to the short validity time I also tried it with fresh secrets by requesting updated account keys, but that didn't help either.

In case it is relevant: I'm using HAProxy and have made the corresponding settings in haproxy.cnf too:

# truncated
    setenv ACME_THUMBPRINT 'yhCSEe7PqnZqcQ9RrokE2jbs5s9bm30ix6c8tyTYN5o'
    stats socket /var/run/haproxy/admin.sock level admin mode 660
# truncated

But as I'm getting the error I couldn't verify functionality on the HAProxy side...

As I've been struggling with this for days now, your help is really appreciated.

Debug log

acme.sh --issue    -d my.domain.net    --stateless    --server google --eab-kid 13acb6e7bf0074d6ba485bcd2ba3f58c --eab-hmac-key JvX7Wap6AkBBkcPP9zyPWF04rEcl0PLbfNFkXRhZsS1-7q96SH3eEFNiRvxofwSSbwk0BiTbo2wvy0JWdKg3bw --debug 2
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='zerossl.com,zerossl'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='letsencrypt.org,letsencrypt'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='letsencrypt.org_test,letsencrypt_test,letsencrypttest'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='buypass.com,buypass'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='buypass.com_test,buypass_test,buypasstest'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='ssl.com,sslcom'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='google.com,google'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer match google
[Wed Mar 27 08:05:15 UTC 2024] Selected server: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:15 UTC 2024] Lets find script dir.
[Wed Mar 27 08:05:15 UTC 2024] _SCRIPT_='/usr/local/bin/acme.sh'
[Wed Mar 27 08:05:15 UTC 2024] _script='/home/acme/acme.sh/acme.sh'
[Wed Mar 27 08:05:15 UTC 2024] _script_home='/home/acme/acme.sh'
[Wed Mar 27 08:05:15 UTC 2024] Using default home:/home/acme/.acme.sh
[Wed Mar 27 08:05:15 UTC 2024] Using config home:/home/acme/.acme.sh
[Wed Mar 27 08:05:15 UTC 2024] LE_WORKING_DIR='/home/acme/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Wed Mar 27 08:05:15 UTC 2024] Using server: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:15 UTC 2024] Running cmd: issue
[Wed Mar 27 08:05:15 UTC 2024] _main_domain='my.domain.net'
[Wed Mar 27 08:05:15 UTC 2024] _alt_domains='no'
[Wed Mar 27 08:05:15 UTC 2024] Using config home:/home/acme/.acme.sh
[Wed Mar 27 08:05:15 UTC 2024] ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Wed Mar 27 08:05:15 UTC 2024] _ACME_SERVER_HOST='dv.acme-v02.api.pki.goog'
[Wed Mar 27 08:05:15 UTC 2024] _ACME_SERVER_PATH='directory'
[Wed Mar 27 08:05:15 UTC 2024] DOMAIN_PATH='/home/acme/.acme.sh/my.domain.net_ecc'
[Wed Mar 27 08:05:16 UTC 2024] 'stateless' does not contain 'dns'
[Wed Mar 27 08:05:16 UTC 2024] Le_NextRenewTime
[Wed Mar 27 08:05:16 UTC 2024] Using ACME_DIRECTORY: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:16 UTC 2024] _init api for server: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:16 UTC 2024] GET
[Wed Mar 27 08:05:16 UTC 2024] url='https://dv.acme-v02.api.pki.goog/directory'
[Wed Mar 27 08:05:16 UTC 2024] timeout=
[Wed Mar 27 08:05:16 UTC 2024] _CURL='curl --silent --dump-header /home/acme/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.kR4Y0tuTiK  -g '
[Wed Mar 27 08:05:16 UTC 2024] ret='0'
[Wed Mar 27 08:05:16 UTC 2024] response='{"newNonce":"https://dv.acme-v02.api.pki.goog/new-nonce","newAccount":"https://dv.acme-v02.api.pki.goog/new-account","newOrder":"https://dv.acme-v02.api.pki.goog/new-order","newAuthz":"https://dv.acme-v02.api.pki.goog/new-authz","revokeCert":"https://dv.acme-v02.api.pki.goog/revoke-cert","keyChange":"https://dv.acme-v02.api.pki.goog/key-change","renewalInfo":"https://dv.acme-v02.api.pki.goog/renewal-info","meta":{"termsOfService":"https://pki.goog/GTS-SA.pdf","website":"https://pki.goog","caaIdentities":["pki.goog"],"externalAccountRequired":true}}'
[Wed Mar 27 08:05:16 UTC 2024] ACME_KEY_CHANGE='https://dv.acme-v02.api.pki.goog/key-change'
[Wed Mar 27 08:05:16 UTC 2024] ACME_NEW_AUTHZ='https://dv.acme-v02.api.pki.goog/new-authz'
[Wed Mar 27 08:05:16 UTC 2024] ACME_NEW_ORDER='https://dv.acme-v02.api.pki.goog/new-order'
[Wed Mar 27 08:05:16 UTC 2024] ACME_NEW_ACCOUNT='https://dv.acme-v02.api.pki.goog/new-account'
[Wed Mar 27 08:05:16 UTC 2024] ACME_REVOKE_CERT='https://dv.acme-v02.api.pki.goog/revoke-cert'
[Wed Mar 27 08:05:16 UTC 2024] ACME_AGREEMENT='https://pki.goog/GTS-SA.pdf'
[Wed Mar 27 08:05:16 UTC 2024] ACME_NEW_NONCE='https://dv.acme-v02.api.pki.goog/new-nonce'
[Wed Mar 27 08:05:17 UTC 2024] Using CA: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:17 UTC 2024] _on_before_issue
[Wed Mar 27 08:05:17 UTC 2024] _chk_main_domain='my.domain.net'
[Wed Mar 27 08:05:17 UTC 2024] _chk_alt_domains
[Wed Mar 27 08:05:17 UTC 2024] 'stateless' does not contain 'no'
[Wed Mar 27 08:05:17 UTC 2024] Le_LocalAddress
[Wed Mar 27 08:05:17 UTC 2024] d='my.domain.net'
[Wed Mar 27 08:05:17 UTC 2024] Check for domain='my.domain.net'
[Wed Mar 27 08:05:17 UTC 2024] _currentRoot='stateless'
[Wed Mar 27 08:05:17 UTC 2024] d
[Wed Mar 27 08:05:17 UTC 2024] 'stateless' does not contain 'apache'
[Wed Mar 27 08:05:17 UTC 2024] _saved_account_key_hash
[Wed Mar 27 08:05:17 UTC 2024] Using config home:/home/acme/.acme.sh
[Wed Mar 27 08:05:17 UTC 2024] ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Wed Mar 27 08:05:17 UTC 2024] _ACME_SERVER_HOST='dv.acme-v02.api.pki.goog'
[Wed Mar 27 08:05:17 UTC 2024] _ACME_SERVER_PATH='directory'
[Wed Mar 27 08:05:17 UTC 2024] _init api for server: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:17 UTC 2024] EC key
[Wed Mar 27 08:05:17 UTC 2024] _URGLY_PRINTF
[Wed Mar 27 08:05:17 UTC 2024] xargs
[Wed Mar 27 08:05:17 UTC 2024] _URGLY_PRINTF
[Wed Mar 27 08:05:17 UTC 2024] xargs
[Wed Mar 27 08:05:17 UTC 2024] Registering account: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:17 UTC 2024] =======Begin Send Signed Request=======
[Wed Mar 27 08:05:17 UTC 2024] url='https://dv.acme-v02.api.pki.goog/new-account'
[Wed Mar 27 08:05:17 UTC 2024] payload='{"contact": ["mailto:kk@dicula.com"], "termsOfServiceAgreed": true}'
[Wed Mar 27 08:05:17 UTC 2024] Use cached jwk for file: /home/acme/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/account.key
[Wed Mar 27 08:05:17 UTC 2024] Get nonce with HEAD. ACME_NEW_NONCE='https://dv.acme-v02.api.pki.goog/new-nonce'
[Wed Mar 27 08:05:17 UTC 2024] HEAD
[Wed Mar 27 08:05:17 UTC 2024] _post_url='https://dv.acme-v02.api.pki.goog/new-nonce'
[Wed Mar 27 08:05:17 UTC 2024] body
[Wed Mar 27 08:05:17 UTC 2024] _postContentType='application/jose+json'
[Wed Mar 27 08:05:17 UTC 2024] _CURL='curl --silent --dump-header /home/acme/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.nXJcOydbV6  -g  -I  '
[Wed Mar 27 08:05:17 UTC 2024] _ret='0'
[Wed Mar 27 08:05:17 UTC 2024] _headers='HTTP/2 200
cache-control: no-store
link: <https://dv.acme-v02.api.pki.goog/directory>;rel="index"
replay-nonce: AEQAAAAKQgoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhQKDAi9po-wBhDUiu2SAxD1__7YAgAPkAjEtRd7mLuH7Ydkp1iza7xyeQGuMO8
content-length: 0
date: Wed, 27 Mar 2024 08:05:17 GMT
content-type: text/html
server: scaffolding on HTTPServer2
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
'
[Wed Mar 27 08:05:17 UTC 2024] _CACHED_NONCE='AEQAAAAKQgoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhQKDAi9po-wBhDUiu2SAxD1__7YAgAPkAjEtRd7mLuH7Ydkp1iza7xyeQGuMO8'
[Wed Mar 27 08:05:17 UTC 2024] nonce='AEQAAAAKQgoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhQKDAi9po-wBhDUiu2SAxD1__7YAgAPkAjEtRd7mLuH7Ydkp1iza7xyeQGuMO8'
[Wed Mar 27 08:05:17 UTC 2024] _URGLY_PRINTF
[Wed Mar 27 08:05:17 UTC 2024] xargs
[Wed Mar 27 08:05:17 UTC 2024] POST
[Wed Mar 27 08:05:17 UTC 2024] _post_url='https://dv.acme-v02.api.pki.goog/new-account'
[Wed Mar 27 08:05:17 UTC 2024] body='{"protected": "eyJub25jZSI6ICJBRVFBQUFBS1Fnb3FkSGx3WlM1bmIyOW5iR1ZoY0dsekxtTnZiUzl6WldOMWNtbDBlVjkwWVhKemFXVnlMazV2Ym1ObEVoUUtEQWk5cG8td0JoRFVpdTJTQXhEMV9fN1lBZ0FQa0FqRXRSZDdtTHVIN1lka3AxaXphN3h5ZVFHdU1POCIsICJ1cmwiOiAiaHR0cHM6Ly9kdi5hY21lLXYwMi5hcGkucGtpLmdvb2cvbmV3LWFjY291bnQiLCAiYWxnIjogIkVTMjU2IiwgImp3ayI6IHsiY3J2IjogIlAtMjU2IiwgImt0eSI6ICJFQyIsICJ4IjogImZYdTNKMVVwRTd3QkdPR0pHdlE4b0hWWWxhVDZhTmRBLXpNOUhRaXRaUmciLCAieSI6ICJlYlFJSHB5OHFERm03bDRZRHZaejJ5ODNCaW1pWHhnejcxaVBHS2hTU2dBIn19", "payload": "eyJjb250YWN0IjogWyJtYWlsdG86a2tAZGljdWxhLmNvbSJdLCAidGVybXNPZlNlcnZpY2VBZ3JlZWQiOiB0cnVlfQ", "signature": "N2SUiIzPbOQFvSMVq_bNtIqL83bwUIonRvbNObg3jPGBInfPeslrpeJZoGsaxQfTPs2u8GVxl2F8NtD93m1p6w"}'
[Wed Mar 27 08:05:17 UTC 2024] _postContentType='application/jose+json'
[Wed Mar 27 08:05:17 UTC 2024] Http already initialized.
[Wed Mar 27 08:05:17 UTC 2024] _CURL='curl --silent --dump-header /home/acme/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.nXJcOydbV6  -g '
[Wed Mar 27 08:05:18 UTC 2024] _ret='0'
[Wed Mar 27 08:05:18 UTC 2024] responseHeaders='HTTP/2 400
link: <https://dv.acme-v02.api.pki.goog/directory>;rel="index"
replay-nonce: AEQAAAAKQgoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhQKDAi-po-wBhDXmvz2AhDVobb1BAAPkAjEX4ctjO2eLiOyPyxiMH2RRtOBrxQ
content-type: application/problem+json
content-length: 240
date: Wed, 27 Mar 2024 08:05:18 GMT
server: scaffolding on HTTPServer2
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
'
[Wed Mar 27 08:05:18 UTC 2024] code='400'
[Wed Mar 27 08:05:18 UTC 2024] original='{"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.","requestID":"b6HWs8NloPH9e2jDnStFEQ"}'
[Wed Mar 27 08:05:18 UTC 2024] response='{"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.","requestID":"b6HWs8NloPH9e2jDnStFEQ"}'
[Wed Mar 27 08:05:18 UTC 2024] Register account Error: {"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.","requestID":"b6HWs8NloPH9e2jDnStFEQ"}
[Wed Mar 27 08:05:18 UTC 2024] _on_issue_err
[Wed Mar 27 08:05:18 UTC 2024] Please add '--debug' or '--log' to check more details.
[Wed Mar 27 08:05:18 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Wed Mar 27 08:05:18 UTC 2024] _chk_vlist
[Wed Mar 27 08:05:18 UTC 2024] Diagnosis versions:
openssl:openssl
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.4 on 06 Nov 2022 08:15:51
   running on Linux version #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01), release 6.1.0-18-amd64, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_VSOCK 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/
github-actions[bot] commented 6 months ago

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

derkaan commented 6 months ago

As mentioned, acme.sh has been upgraded, and the debug log shows the output of the "--debug 2" option.

Neilpang commented 6 months ago

Use register-account first: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
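The newAccount payload in the debug log above contains only contact and termsOfServiceAgreed, which is exactly why the CA answers externalAccountRequired: RFC 8555 section 7.3.4 requires an externalAccountBinding JWS, keyed with the CA-issued HMAC key, wrapping the account's public JWK. The example below (added here, not acme.sh code) builds that binding and shows the check a CA performs on it; the kid, HMAC key, account JWK and contact are constructed sample values, and the newAccount URL is the one from the directory in the log.

```python
import base64
import hashlib
import hmac
import json

NEW_ACCOUNT_URL = "https://dv.acme-v02.api.pki.goog/new-account"  # from the directory response in the log


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample values; a real kid and HMAC key come from `gcloud publicca external-account-keys create`.
SAMPLE_KID = "sample-eab-kid-0123"
SAMPLE_HMAC_KEY = b64url(bytes(range(32)))
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}


def build_eab(eab_kid: str, eab_hmac_key: str, account_jwk: dict, url: str = NEW_ACCOUNT_URL) -> dict:
    """RFC 8555 s7.3.4: HS256 JWS whose payload is the account public key and whose header carries the kid."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": eab_kid, "url": url}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(b64url_decode(eab_hmac_key), f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def new_account_payload(contact: list, eab: dict) -> dict:
    """The newAccount body the CA expects; the log's payload is this dict without externalAccountBinding."""
    return {"contact": contact, "termsOfServiceAgreed": True, "externalAccountBinding": eab}


def eab_header(eab: dict) -> dict:
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, eab_hmac_key: str, account_jwk: dict) -> bool:
    """What the CA checks: HS256 header with kid and url, MAC over protected.payload, payload == account JWK."""
    header = eab_header(eab)
    if header.get("alg") != "HS256" or "kid" not in header or "url" not in header:
        return False
    expected = hmac.new(b64url_decode(eab_hmac_key), f"{eab['protected']}.{eab['payload']}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False  # wrong or stale HMAC key: the CA rejects the binding
    return json.loads(b64url_decode(eab["payload"])) == account_jwk
```

Note that the MAC is bound to the account JWK, so an EAB created for one account key cannot be reused with another, and a rotated HMAC key invalidates a binding built with the old one.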