smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Violation of https://tools.ietf.org/html/rfc8555#section-7.3.1 #173

Closed ndilieto closed 4 years ago

ndilieto commented 4 years ago

With reference to https://github.com/ndilieto/uacme/issues/15#issuecomment-581079061

uacme checks that an account does not already exist before creating one. https://tools.ietf.org/html/rfc8555#section-7.3.1 says

If a client wishes to find the URL for an existing account and does not want an account to be created if one does not already exist, then it SHOULD do so by sending a POST request to the newAccount URL with a JWS whose payload has an "onlyReturnExisting" field set to "true" ({"onlyReturnExisting": true}). If a client sends such a request and an account does not exist, then the server MUST return an error response with status code 400 (Bad Request) and type "urn:ietf:params:acme:error:accountDoesNotExist".

smallstep returns error code 404 instead, which is in violation of the above and is detected as an error by uacme. I suggest you file a bug against smallstep.

Expected behaviour

Return error code 400

Actual behaviour

Return error code 404
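The newAccount rule quoted above, as an added Go example that is not step-ca's own handler: a decision function covering the three outcomes (existing key, unknown key with onlyReturnExisting, unknown key without it) and answering 400 accountDoesNotExist rather than 404 in the case this issue is about. AccountStore, the thumbprint-keyed lookup and the account URL format are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Problem is an ACME problem document (RFC 8555 section 6.7).
type Problem struct {
	Type   string `json:"type"`
	Detail string `json:"detail"`
}
// Result is what the server answers: HTTP status plus Location or problem document.
type Result struct {
	Status   int
	Location string
	Problem  *Problem
}
// AccountStore is a hypothetical lookup keyed by the JWK thumbprint of the
// request's signing key (assumption: the JWS was already verified upstream).
type AccountStore map[string]string

// HandleNewAccount applies the newAccount rules of RFC 8555 section 7.3.1.
func HandleNewAccount(store AccountStore, thumbprint string, payload []byte) Result {
	var p struct {
		OnlyReturnExisting bool `json:"onlyReturnExisting"`
	}
	if err := json.Unmarshal(payload, &p); err != nil {
		return Result{Status: http.StatusBadRequest,
			Problem: &Problem{Type: "urn:ietf:params:acme:error:malformed", Detail: err.Error()}}
	}
	if url, ok := store[thumbprint]; ok {
		// Key already registered: 200 OK with Location, with or without onlyReturnExisting.
		return Result{Status: http.StatusOK, Location: url}
	}
	if p.OnlyReturnExisting {
		// The case from this issue: MUST be 400 accountDoesNotExist, never 404.
		return Result{Status: http.StatusBadRequest, Problem: &Problem{
			Type: "urn:ietf:params:acme:error:accountDoesNotExist", Detail: "no account for this key"}}
	}
	// Unknown key and creation permitted: register it (account URL format is constructed).
	url := "/acme/acct/" + thumbprint
	store[thumbprint] = url
	return Result{Status: http.StatusCreated, Location: url}
}

func main() {
	r := HandleNewAccount(AccountStore{}, "thumb-1", []byte(`{"onlyReturnExisting": true}`))
	fmt.Println(r.Status, r.Problem.Type) // 400 urn:ietf:params:acme:error:accountDoesNotExist
}
```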

dopey commented 4 years ago

Great find! Thanks. I just pushed a PR to resolve this. Will get someone to look it over on Monday.