No Key ID in JWS header

[ivanjaros]

Welcome

• Yes, I'm using a binary release within 2 latest releases.
• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've included all information below (version, config, etc).

What did you expect to see?

Nothing

What did you see instead?

acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: No Key ID in JWS header

How do you use lego?

Library

Reproduction steps

I am following the example of getting certificate from the https://go-acme.github.io/lego/usage/library/ but I get this error.

Version of lego

v4.6.0

Logs

The client will print
[INFO] [foo.bar] acme: Obtaining bundled SAN certificate

but

request := certificate.ObtainRequest{Domains: domains, Bundle: true}
client.Certificate.Obtain(request)

will return

acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: No Key ID in JWS header

Go environment (if applicable)

go version go1.17.5 windows/amd64

set GO111MODULE=on
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\Foo\AppData\Local\go-build
set GOENV=C:\Users\Foo\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=G:\Go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=G:\Go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.17.5
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=G:\Go\src\...\go.mod
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmess
age-length=0 -fdebug-prefix-map=C:\Users\Foo\AppData\Local\Temp\go-build51942
5935=/tmp/go-build -gno-record-gcc-switches

I don't think this is a bug but something is missing. Maybe the example I followed is incomplete or I might be doing something wrong...

[ldez]

Hello,

I don't reproduce your problem with the code provided in the example and a local instance of an ACME server or a real ACME server.

Can you provide more information?

[ivanjaros]

so the first step was to create account:

                myUser := somestruct{Key: ecdsa.GenerateKey(elliptic.P256(), rand.Reader), email: "[email protected]"}
                config := lego.NewConfig(&myUser)
		client, err := lego.NewClient(config)
		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
		if reg.Body.Status != "valid" {
			return
		}

		leKeyFile := path.Base(reg.URI) + ".key"

		keyData, err := myUser.MarshalKey() // x509.MarshalECPrivateKey(myUser.Key)

		ioutil.WriteFile(leKeyFile, keyData, 0644)

Then i took the key and saved it into storage as account's private key.

To create/renew the certificate, I load the key and create client instance

config := lego.NewConfig(&user) // user has the private key i just saved and email address
lego.NewClient(config)

I set the client.Challenge.SetHTTP01Provider and then call

request := certificate.ObtainRequest{Domains: domains, Bundle: true}
client.Certificate.Obtain(request)

which gives me that jwt error.

I am obviously running this on live server.

[ivanjaros]

I think this might be because in NewClient() there is:

	if reg := config.User.GetRegistration(); reg != nil {
		kid = reg.URI
	}

which I think could be the missing JWT key id. The thing is that the registration object exists only when I registered my account. So I no longer have access to that object - ever. I think I could fake it and preserve the registration/account URI, which is just LE uri with account id suffix, so the code above could fill it in. But I don't think I can find the registration uri now - or my account id. I'll try to figure something out.

[ivanjaros]

Yes, that was the issue. So when you register you have to save the account id along with the private key and email. Then, when you create new client instance, you have to provide it with user that has the registration object set and the uri must be filled with https://acme-v02.api.letsencrypt.org/acme/acct/[your account id]. You should update the documentation and possibly make the key id as required argument if the registration object is not present and create empty version of it automatically.