golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

x/crypto/acme: confusing error when ACME CA does not implement pre-authorization flow #39380

Open Xianic opened 4 years ago

Xianic commented 4 years ago

What version of Go are you using (go version)?

$ go version
go version go1.14.4 linux/amd64

Does this issue reproduce with the latest release?

yes (latest version in use)

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/[username removed]/.cache/go-build"
GOENV="/home/[username removed]/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY="github.com/[company name removed]/*,[company internal git hosting]/*"
GONOSUMDB="github.com/[company name removed]/*,[company internal git hosting]/*"
GOOS="linux"
GOPATH="/home/[username removed]/go"
GOPRIVATE="github.com/[company name removed]/*,[company internal git hosting]/*"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/opt/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/opt/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/[username removed]/dev/certman/webui/webui/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build840948656=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Using golang.org/x/crypto/acme (golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 in go.mod), I register an account with Let's Encrypt's staging v2 API and then call Client.Authorize(). This fails because Discover() returns a Directory with AuthzURL set to the empty string, indicating the pre-authorization flow is not supported by the CA.

What did you expect to see?

Some form of "The CA does not implement pre-authorization flow" error message.

What did you see instead?

An error returned with text Post "": unsupported protocol scheme ""

dmitshur commented 4 years ago

/cc @FiloSottile @x1ddos

lz-dc commented 4 years ago

As per https://pkg.go.dev/golang.org/x/crypto/acme?tab=doc#Directory, "// AuthzURL is used to initiate identifier pre-authorization flow. // Empty string indicates the flow is unsupported by the CA." Also, https://tools.ietf.org/html/rfc8555#section-7.1.1 clearly states that
If the ACME server does not implement pre-authorization (Section 7.4.1), it MUST omit the "newAuthz" field of the directory.

I guess the check has to be added by the application using the acme library.
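The application-side check described in the thread, as an added example that is not code from the Go project or from x/crypto: it parses an RFC 8555 directory document, treats an absent or empty newAuthz as "pre-authorization unsupported" (the same rule acme.Directory applies to AuthzURL), and returns a clear error instead of letting the request reach a Post to an empty URL. The directory struct is a stand-in for acme.Directory, the directory JSON samples are constructed, and the injected authorize function is a hypothetical placeholder for the real Client.Authorize call.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrNoPreAuthz is the explicit error the reporter expected to see.
var ErrNoPreAuthz = errors.New("acme: CA does not implement the pre-authorization flow (newAuthz absent from directory)")

// Directory mirrors the RFC 8555 section 7.1.1 fields relevant here; it is a
// stand-in for acme.Directory, not the x/crypto type itself.
type Directory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
	NewAuthz   string `json:"newAuthz,omitempty"` // MUST be omitted by CAs without pre-authorization
}

// ParseDirectory decodes a directory document fetched from the CA.
func ParseDirectory(raw []byte) (Directory, error) {
	var d Directory
	if err := json.Unmarshal(raw, &d); err != nil {
		return Directory{}, fmt.Errorf("acme: decoding directory: %w", err)
	}
	return d, nil
}

// SupportsPreAuthz reports whether the CA advertised a newAuthz endpoint.
func (d Directory) SupportsPreAuthz() bool { return d.NewAuthz != "" }

// AuthorizeWithCheck is the guard an application should put in front of an
// Authorize-style call; authorize is a hypothetical stand-in for Client.Authorize.
func AuthorizeWithCheck(d Directory, authorize func(newAuthzURL string) error) error {
	if !d.SupportsPreAuthz() {
		return ErrNoPreAuthz
	}
	return authorize(d.NewAuthz)
}

// Constructed samples: one CA with pre-authorization, one (like Let's Encrypt) without.
const WithAuthz = `{"newNonce":"https://ca.example/acme/new-nonce","newAccount":"https://ca.example/acme/new-acct","newOrder":"https://ca.example/acme/new-order","newAuthz":"https://ca.example/acme/new-authz"}`
const WithoutAuthz = `{"newNonce":"https://ca.example/acme/new-nonce","newAccount":"https://ca.example/acme/new-acct","newOrder":"https://ca.example/acme/new-order"}`

func main() {
	for _, raw := range []string{WithAuthz, WithoutAuthz} {
		d, _ := ParseDirectory([]byte(raw))
		err := AuthorizeWithCheck(d, func(u string) error { fmt.Println("would POST to", u); return nil })
		fmt.Println("supported:", d.SupportsPreAuthz(), "err:", err)
	}
}
```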