JWS verification error #1006
Comments
Hello, I think the error is related to caddy, maybe you are using a corrupted private key.
Interesting, I haven't considered that possibility. @ldez Is there any way for lego to check if a key is corrupted before trying to use it? For example, parse or validate it? If the key is replaced, is there a way to update an account's key with lego yet?
@ldez The private key and its associated reg resource are confirmed to be valid: https://caddy.community/t/acme-auto-ssl-suddenly-stopped-working/6147/31?u=matt So there is still something afoot... let me know how you want to go about pinpointing this.
Do you have any logs of the JWS that doesn't validate?
I've pasted all the logs at the top. I don't have anything else regarding the error.
Unfortunately the logs at the top don't contain the JWS object. Perhaps @mholt knows if it's possible to have Caddy log the JWS with a config change or whether it would require changes in Caddy or Lego's code to achieve.
JWSs are abstracted away -- Caddy (and CertMagic) doesn't touch them at all. The logs would have to be emitted from lego.
@mxrlkn Can you keep your account key and metadata handy so that this can continue to be debugged while you use another one in the meantime? This is interesting, since it's not exactly kosher to share your private key to have others debug it... 😅 Thanks for your patience. @ldez where do you recommend adding logs for this?
Yes. It's on my test setup which isn't that important 🙂 |
You check the private key in
Maybe it's related to the algorithms used to create the private key.
Thanks. Do you think lego could also add more logs in relevant parts of the challenge process so that we can see what the actual errors are?
For now, and related to the logger behavior, it will be far too verbose and precise to be of real interest to the majority of users.
It's too verbose to emit logs when there are errors?
Sorry, misread, no problem to log the errors. In this case, I think we already log the error, and putting the private key in the logs seems unsafe. I don't know what the safe way is to get more information in this case.
I have an idea to improve errors, stay tuned.
To start with I think the JWS and the account public key needed to verify the JWS would be sufficient.
We ran into the same issue using Caddy 1.0.4. When we requested a new LetsEncrypt account, certificate requests went through again.
Experienced the same thing using Caddy 1.0.4, too. Switched to a new LetsEncrypt user and it worked again.
I experienced the same problem with
Hi! I have found a way to reproduce this error. I have detailed the instructions here, in the context of NixOS; however, the same instructions still apply running lego on its own (just change the paths). It seems to happen when the account ID and the key in the keys folder are mismatched. Let's Encrypt makes a 1:1 relation between accounts and keys, as their documentation hints, and this can return the error people are seeing. Would any of the lego devs know why this would happen, seemingly at random? Would lego be able to deal with this situation and correct the account ID automatically?
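The account/key mismatch described in the comment above can be caught locally, before any request reaches the CA. The Go program below is an added example, not lego's or Caddy's own code: it parses an EC account key in the PEM form lego stores, computes the RFC 7638 JWK thumbprint of its public key (the same value ACME uses in HTTP-01 key authorizations), and compares it with the thumbprint recorded when the account was registered. That recorded thumbprint is an assumption for the example; lego does not store one, so a deployment would have to save it beside the account metadata at registration. It then reproduces the server-side check in principle by signing an ACME-shaped JWS with one key and verifying it with another, which is the condition behind a "JWS verification error". The header and payload are constructed sample data, not captured traffic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
)

// newAccountKeyPEM builds sample input offline: a P-256 key in the "EC PRIVATE KEY" PEM form lego stores.
func newAccountKeyPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key just generated
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

// loadECAccountKey parses and validates the stored key. Go re-derives the public point from the
// private scalar, so a truncated DER body or an out-of-range scalar is rejected here, not by the CA.
func loadECAccountKey(pemBytes []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "EC PRIVATE KEY" {
		return nil, fmt.Errorf("account key: not an EC PRIVATE KEY PEM block")
	}
	key, err := x509.ParseECPrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("account key: corrupted: %w", err)
	}
	if key.Curve != elliptic.P256() {
		return nil, fmt.Errorf("account key: this example handles P-256 only")
	}
	return key, nil
}

// jwkThumbprint is the RFC 7638 thumbprint: SHA-256 over the minimal JWK with members in
// lexicographic order and no whitespace. ACME HTTP-01 key authorizations use the same value.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	coord := func(n *big.Int) string { return base64.RawURLEncoding.EncodeToString(n.FillBytes(make([]byte, 32))) }
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, coord(pub.X), coord(pub.Y))
	sum := sha256.Sum256([]byte(jwk))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// checkAccountKey fails before any network request when the key is corrupted or belongs to another
// account. registeredThumbprint is assumed to be saved beside the account metadata (lego does not).
func checkAccountKey(pemBytes []byte, registeredThumbprint string) error {
	key, err := loadECAccountKey(pemBytes)
	if err != nil {
		return err
	}
	if got := jwkThumbprint(&key.PublicKey); got != registeredThumbprint {
		return fmt.Errorf("account/key mismatch: key thumbprint %s, account registered with %s", got, registeredThumbprint)
	}
	return nil
}

// signES256 and verifyES256 mirror the CA's per-request JWS check (RFC 7515; RFC 7518 section 3.4):
// the signature covers BASE64URL(header) "." BASE64URL(payload) and is the raw r||s pair, 32 bytes each.
func signingInput(protectedHeader, payload []byte) []byte {
	h := sha256.Sum256([]byte(base64.RawURLEncoding.EncodeToString(protectedHeader) + "." + base64.RawURLEncoding.EncodeToString(payload)))
	return h[:]
}

func signES256(key *ecdsa.PrivateKey, protectedHeader, payload []byte) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, key, signingInput(protectedHeader, payload))
	if err != nil {
		return nil, err
	}
	return append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...), nil
}

func verifyES256(pub *ecdsa.PublicKey, protectedHeader, payload, sig []byte) bool {
	if len(sig) != 64 {
		return false
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, signingInput(protectedHeader, payload), r, s)
}

func main() {
	pemA, _ := newAccountKeyPEM() // the key that registered the account
	pemB, _ := newAccountKeyPEM() // a key from a different account directory
	keyA, _ := loadECAccountKey(pemA)
	keyB, _ := loadECAccountKey(pemB)
	fmt.Println("key B vs account A:", checkAccountKey(pemB, jwkThumbprint(&keyA.PublicKey)))
	// Constructed sample request, shaped like what the CA verifies on POST new-order.
	header := []byte(`{"alg":"ES256","nonce":"sample","url":"https://acme-v02.api.letsencrypt.org/acme/new-order"}`)
	payload := []byte(`{"identifiers":[{"type":"dns","value":"example.com"}]}`)
	sig, _ := signES256(keyB, header, payload)
	fmt.Println("JWS signed by key B verifies under key A:", verifyES256(&keyA.PublicKey, header, payload, sig))
}
```

The check runs entirely offline, so it can sit in a startup path without touching the ACME server or rate limits; a mismatch tells you which directory to look in before any key material leaves the host. Live ACME JWS headers also carry a kid (the account URL) and a fresh nonce, omitted here because they do not change the signature arithmetic.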
I don't see any reason; randomness doesn't exist 😉 so we have to find the real reason behind that.
The first step will be to detect the problem.
I ran into the same problem.
2024/08/13 14:07:25 [INFO] [xxx.xxxx.xxx] acme: Obtaining SAN certificate
2024/08/13 14:07:26 failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error
I'm using the previous registration and key, the
After getting certificates for about 45 domains, caddy suddenly stopped and I got this error:
Happens on all new domains I add.
I'm running caddy 1.0.3.