pebble
JWS url calculation can't handle absoluteURI form Request-URIs
https://tools.ietf.org/html/rfc2616#section-5.1.2
To allow for transition to absoluteURIs in all requests in future versions of HTTP, all HTTP/1.1 servers MUST accept the absoluteURI form in requests, even though HTTP/1.1 clients will only generate them in requests to proxies.
Curiously, this seems to have come up twice in recent times on the forums.
POST https://192.168.1.112:14000/sign-me-up HTTP/1.1
Host: 192.168.1.112:14009
User-Agent: eggsampler-acme/v3 Go-http-client/1.1
Content-Length: 548
Content-Type: application/jose+json
Accept-Encoding: gzip
{"protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJjcnYiOiJQLTI1NiIsImt0eSI6IkVDIiwieCI6IjBXamdrcVlnTk1uVDlUeThURml5N2VibWFJdU05V1AwQUdiZnZBTmFTZmMiLCJ5IjoiSzJIX3NTdGozOFVMUlc2Vml0VUJ0RkIzY0NGTGR1YTN6Z3otbUkyUTF1cyJ9LCJub25jZSI6IkNRVE9VRDg1QlBsaXVKX0FnVTB6enciLCJ1cmwiOiJodHRwOi8vMTkyLjE2OC4xLjExMjoxNDAwOS9zaWduLW1lLXVwIn0","payload":"eyJvbmx5UmV0dXJuRXhpc3RpbmciOmZhbHNlLCJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZSwiZXh0ZXJuYWxBY2NvdW50QmluZGluZyI6bnVsbH0","signature":"_oy0VNfWsxVk_e11WR-dm0T6raI6n-juBiCrzd-ACprfbJDD2OqmYhkxP43T7NsIY6ssdeoMS0dWtNgUXXqr0A"}
HTTP/1.1 400 Bad Request
Cache-Control: public, max-age=0, no-cache
Content-Type: application/problem+json; charset=utf-8
Link: <http://192.168.1.112:14000/dir>;rel="index"
Replay-Nonce: FT1FqcM6jzBo_o6HWOGtcQ
Date: Wed, 17 Mar 2021 22:14:55 GMT
Content-Length: 252
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "JWS header parameter 'url' incorrect. Expected \"https://192.168.1.112:14000/https://192.168.1.112:14000/sign-me-up\", got \"http://192.168.1.112:14009/sign-me-up\"",
"status": 400
}
(Excuse the scheme mismatch, I hacked Pebble a little to make packet captures easier, I promise the same thing happens on master.)
I checked and Let's Encrypt is unaffected, probably because the nginx frontend or whatever is dealing with it. Bare Boulder might have the same behavior as Pebble, but I didn't check.
Huh, that's really interesting! I was not aware of the absoluteURI form, let alone the RFC requirement to implement it.
I ran into this bug as well, just now; the ACME client I was testing sent a full URL rather than a path.