0

RFC8555 section 7.3.1 compliance

Hello,

With my ACMEv2 client implementation  https://github.com/bruncsak/ght-acme.sh I got the following error when trying to retrieve the KID:

HTTP/1.1 400 Bad Request

{"type":"urn:ietf:params:acme:error:unsupportedContact","detail":"The contact is malformed. Supported schemes: [tel:, mailto:]","code":400,"message":"UNSUPPORTED_CONTACT","details":"HTTP 400 Bad Request"}

The section 7.3.1 of RFC8555 is rather precise that:

   The body of this response represents the account object as it existed on
   the server before this request; any fields in the request object MUST
   be ignored.

Your code is checking the body of the request, what is not supposed to be done. I already implemented a workaround in my client, but you may wish to fix that in the server code to avoid the same issue with a different ACME v2 client.

8replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • Hi Attila

     

    Thanks for reporting this case. We have added it to the bug tracker.

     

    Regards,

    Andriy

    Like 1
      • Attila
      • bruat
      • 4 yrs ago
      • Reported - view

      Hello Andriy Mahats 

      Thanks for adding it to the bug tracker.

      There is some other issue.

      When the account is not authorized to revoke a certificate, your ACME server returns 401 HTTP error code. In the example of the RFC (section 7.6) the error code is 403.

       

      Best,

      Attila

      Like
    • Hi Attila 

       

      Sorry for late reply.

      Thanks for reporting. We plan to fix it.

       However ETA of the fix is currently unknown.

       

      Regards,

      Andriy

      Like
      • Attila
      • bruat
      • 4 yrs ago
      • Reported - view

      Andriy Mahats 

      Thank you very much for the follow-up.

      Best,

      Attila

      Like
  • This bug is now fixed. It is released to our test and production environment today.

    -Mats

    Like 1
    • Attila
    • bruat
    • 4 yrs ago
    • Reported - view

    Thank you very much for the fix and the feedback.  By the way, do you have any plans to implement certificate revocation via the certificate key?

    Like
  • No plans for this yet.

    Like
    • Attila
    • bruat
    • 4 yrs ago
    • Reported - view

    Thanks for the info.

    Like
Like
  • Status Answered
  • 4 yrs agoLast active
  • 8Replies closed
  • 251Views
  • 3 Following

Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.

Sign-up using free email domains have been blocked due to increased spam. https://community.forumbee.com/t/63zsyt/blocked-email-domains