yourivw / LEClient

An easy-to-use PHP ACME v2 client library, designed to be used with LetsEncrypt.
MIT License

Change Account Key Failed #64

Closed imwis closed 5 years ago

imwis commented 5 years ago

Hi, I had a problem changing my account key. According to the response, it seems that the old key was not contained in the inner JWS. But I have generated the key pair and placed it in the "key/__account" directory correctly. Could you help me analyze this problem? Many thanks!

```
......
23-04-2019 17:46:53, function LEClient __construct: LEClient finished constructing
23-04-2019 17:46:55, function changeAccountKeys (function post):Array
(
[request] => POST https://acme-staging-v02.api.letsencrypt.org/acme/key-change
[header] => HTTP/1.1 100 Continue
Expires: Tue, 23 Apr 2019 17:46:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 154
Boulder-Requester: 9006507
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: bn6tIjeWYhXaHm3Y_AD0nrEGz7V9LfZUbhk0O6A_wCw
Expires: Tue, 23 Apr 2019 17:46:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 23 Apr 2019 17:46:56 GMT
Connection: close


[body] => Array
(
[type] => urn:ietf:params:acme:error:malformed
[detail] => Inner JWS does not contain old key field matching current account key
[status] => 400
)
......
```

cpu commented 5 years ago

:wave: @imwis I'm not a developer of this project but I work on Let's Encrypt and helped write the ACME spec. I was curious about this issue so I took a peek. Hopefully this reply will also help @yourivw fix the bug.

It looks like LEClient implements ACME account key change as specified in ~draft-12 using a newKey field in the inner JWS body:

https://github.com/yourivw/LEClient/blob/b19053c5af91a9f8b30633bd80f7066c15ac5f6d/src/LEAccount.php#L192-L196

RFC 8555 (and draft-13+) changed how key rollover is specified. Now the inner JWS payload should be the old key (as specified in the error message you're receiving from Let's Encrypt's ACME v2 API).

This API announcement from August has more background: https://community.letsencrypt.org/t/acme-v2-draft-13-compliant-key-rollover/68953

The tl;dr is that LEClient's key rollover implementation needs to be updated for RFC 8555.
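The key-change exchange cpu describes, worked through in code. This is an added example written for this page in Go with only the standard library; it is not LEClient's code and not Boulder's. It builds the RFC 8555 §7.3.5 request (an inner JWS signed by the new key over `{account, oldKey}`, wrapped in an outer JWS signed by the current key and identified by `kid`), and then performs the checks an ACME server makes before accepting it, including the one that produced the error in this issue, so that the pre-RFC shape with `newKey` in the inner payload can be seen failing for exactly that reason. The RS256 choice, the function names, the `acme.example` URLs and the nonce literal are assumptions of this example; a real client fetches the nonce from the server's `newNonce` endpoint, and LEClient uses PHP's OpenSSL bindings rather than this code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding

// JWK is an RSA public key in JWK form (RFC 7518); JWS is the flattened JSON
// serialisation ACME requires (RFC 8555 §6.2).
type JWK struct {
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

func ToJWK(pub *rsa.PublicKey) JWK {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWK{Kty: "RSA", N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}
}

func fromJWK(k JWK) (*rsa.PublicKey, error) {
	n, errN := b64.DecodeString(k.N)
	e, errE := b64.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, errors.New("unsupported or malformed jwk")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

func decodeJSON(s string, dst interface{}) error {
	b, err := b64.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, dst)
}

// signJWS makes an RS256 JWS; the signing input is base64url(header)"."base64url(payload).
func signJWS(header, payload interface{}, key *rsa.PrivateKey) (JWS, error) {
	h, errH := json.Marshal(header)
	p, errP := json.Marshal(payload)
	if errH != nil || errP != nil {
		return JWS{}, errors.New("cannot encode JWS parts")
	}
	j := JWS{Protected: b64.EncodeToString(h), Payload: b64.EncodeToString(p)}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	j.Signature = b64.EncodeToString(sig)
	return j, err
}

func verifySig(j JWS, pub *rsa.PublicKey) error {
	sig, err := b64.DecodeString(j.Signature)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// WrapKeyChange builds the two-layer request of RFC 8555 §7.3.5: the inner JWS
// is signed by the NEW key ("jwk" header, no nonce) over innerPayload; the outer
// JWS is signed by the CURRENT key ("kid" header, fresh nonce) over the inner JWS.
// innerPayload is a parameter only so the pre-RFC "newKey" shape can be reproduced.
func WrapKeyChange(cur, next *rsa.PrivateKey, accountURL, keyChangeURL, nonce string, innerPayload interface{}) (JWS, error) {
	inner, err := signJWS(map[string]interface{}{"alg": "RS256", "jwk": ToJWK(&next.PublicKey), "url": keyChangeURL}, innerPayload, next)
	if err != nil {
		return JWS{}, err
	}
	return signJWS(map[string]interface{}{"alg": "RS256", "kid": accountURL, "nonce": nonce, "url": keyChangeURL}, inner, cur)
}

// KeyChangeRFC8555 uses the RFC inner payload: the account URL and the OLD key.
func KeyChangeRFC8555(cur, next *rsa.PrivateKey, accountURL, keyChangeURL, nonce string) (JWS, error) {
	payload := map[string]interface{}{"account": accountURL, "oldKey": ToJWK(&cur.PublicKey)}
	return WrapKeyChange(cur, next, accountURL, keyChangeURL, nonce, payload)
}

// ValidateKeyChange does the server-side checks and returns the new key: outer
// signature by the current key, inner signature by the key in its own "jwk" header
// (proof of possession), matching kid/url/account, and an "oldKey" equal to the
// current key, which is the check Boulder reported as failing in this issue.
func ValidateKeyChange(req JWS, accountURL string, current *rsa.PublicKey) (*rsa.PublicKey, error) {
	var outer, innerHdr struct {
		Kid string `json:"kid"`
		JWK *JWK   `json:"jwk"`
		URL string `json:"url"`
	}
	var inner JWS
	var body struct {
		Account string `json:"account"`
		OldKey  *JWK   `json:"oldKey"`
	}
	if verifySig(req, current) != nil {
		return nil, errors.New("outer JWS not signed by current account key")
	}
	if decodeJSON(req.Protected, &outer) != nil || decodeJSON(req.Payload, &inner) != nil ||
		decodeJSON(inner.Protected, &innerHdr) != nil || innerHdr.JWK == nil ||
		outer.Kid != accountURL || innerHdr.URL != outer.URL {
		return nil, errors.New("malformed key-change JWS or kid/url mismatch")
	}
	newKey, err := fromJWK(*innerHdr.JWK)
	if err != nil || verifySig(inner, newKey) != nil {
		return nil, errors.New("inner JWS not signed by the key in its jwk header")
	}
	if decodeJSON(inner.Payload, &body) != nil || body.Account != accountURL {
		return nil, errors.New("inner payload missing or names another account")
	}
	// A draft-12 style payload has "newKey" but no "oldKey", so OldKey is nil here.
	if body.OldKey == nil || *body.OldKey != ToJWK(current) {
		return nil, errors.New("inner JWS does not contain old key field matching current account key")
	}
	return newKey, nil
}

// GenKey makes a 2048-bit RSA account key (demo helper; panics on failure).
func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	cur, next := GenKey(), GenKey()
	const acct, url = "https://acme.example/acme/acct/1", "https://acme.example/acme/key-change"
	req, _ := KeyChangeRFC8555(cur, next, acct, url, "nonce-from-newNonce-1")
	_, err := ValidateKeyChange(req, acct, &cur.PublicKey)
	fmt.Println("RFC 8555 request:", err) // nil: accepted
	legacy, _ := WrapKeyChange(cur, next, acct, url, "nonce-from-newNonce-2",
		map[string]interface{}{"account": acct, "newKey": ToJWK(&next.PublicKey)})
	_, err = ValidateKeyChange(legacy, acct, &cur.PublicKey)
	fmt.Println("draft-12 request:", err) // the error from this issue
}
```

Two things to keep in mind when reading this against the thread. First, the proof-of-possession structure is the same in draft-12 and RFC 8555 (inner JWS signed by the new key, outer by the current key); what changed is that the inner, new-key-signed payload must now name the old key, which is why swapping `newKey` for `oldKey` in the inner payload was enough to fix LEClient. Second, a production server does more than this example: it checks the nonce against its nonce store, checks that the outer `url` is the URL actually requested, and refuses the change if the new key is already bound to another account (RFC 8555 §7.3.5).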

imwis commented 5 years ago

@cpu Hi! Following your advice, I tried modifying the code of LEAccount.php and changed the innerPayload from newKey to oldKey. It does work! Thanks for your help.

cpu commented 5 years ago

@imwis Glad to hear it!

yourivw commented 5 years ago

@imwis thank you for the help! With a slight delay, I released version 1.1.7, which fixes this bug.