[Bug]: Can't Deactivate an Authorization

[paulcalabro]

Steps to Reproduce

1. Run an Ansible playbook that tries to deactivate all authz for an existing ACME v2 order. (e.g. https://docs.ansible.com/ansible/latest//collections/community/crypto/acme_certificate_deactivate_authz_module.html)
2. Observe this is the Step CA logs: expected POST-as-GET
3. Depending on the particular Ansible module, you'll get a warning indication the authz could not be deactivated.

Your Environment

• OS - Running in a Podman container
• step-ca Version - 0.28.1

Expected Behavior

IIUC the RFC correctly, the JWS payload should not be empty and should instead contain something like this:

{
    "status": "deactivated"
}

Actual Behavior

Get the error "expected POST-as-GET" and the authz is not deactivated.

Additional Context

• https://github.com/smallstep/certificates/blob/b22e186ae944440f03386e8c45bd9db229c4dc7d/acme/api/middleware.go#L558
• https://docs.ansible.com/ansible/latest//collections/community/crypto/acme_certificate_deactivate_authz_module.html
• https://github.com/ansible-collections/community.crypto/blob/a42e541326796aae2b5ff02504af925df14546e5/plugins/module_utils/acme/challenges.py#L325-L340
• • https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.2

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).