RFC8555 section 7.3.1 compliance
Hello,
With my ACMEv2 client implementation https://github.com/bruncsak/ght-acme.sh I got the following error when trying to retrieve the KID:
HTTP/1.1 400 Bad Request
{"type":"urn:ietf:params:acme:error:unsupportedContact","detail":"The contact is malformed. Supported schemes: [tel:, mailto:]","code":400,"message":"UNSUPPORTED_CONTACT","details":"HTTP 400 Bad Request"}
The section 7.3.1 of RFC8555 is rather precise that:
The body of this response represents the account object as it existed on the server before this request; any fields in the request object MUST be ignored.
Your code is checking the body of the request, what is not supposed to be done. I already implemented a workaround in my client, but you may wish to fix that in the server code to avoid the same issue with a different ACME v2 client.
-
Hi Attila
Thanks for reporting this case. We have added it to the bug tracker.
Regards,
Andriy
-
Hello Andriy Mahats
Thanks for adding it to the bug tracker.
There is some other issue.
When the account is not authorized to revoke a certificate, your ACME server returns 401 HTTP error code. In the example of the RFC (section 7.6) the error code is 403.
Best,
Attila
-
Hi Attila
Sorry for late reply.
Thanks for reporting. We plan to fix it.
However ETA of the fix is currently unknown.
Regards,
Andriy
-
Andriy Mahats
Thank you very much for the follow-up.
Best,
Attila
-
-
This bug is now fixed. It is released to our test and production environment today.
-Mats
-
Thank you very much for the fix and the feedback. By the way, do you have any plans to implement certificate revocation via the certificate key?
-
No plans for this yet.
-
Thanks for the info.
