
JWS url calculation can't handle absoluteURI form Request-URIs

Open alexzorin opened this issue 3 years ago • 2 comments

https://tools.ietf.org/html/rfc2616#section-5.1.2

To allow for transition to absoluteURIs in all requests in future versions of HTTP, all HTTP/1.1 servers MUST accept the absoluteURI form in requests, even though HTTP/1.1 clients will only generate them in requests to proxies.

Curiously, this seems to have come up twice in recent times on the forums.

POST https://192.168.1.112:14000/sign-me-up HTTP/1.1
Host: 192.168.1.112:14009
User-Agent: eggsampler-acme/v3 Go-http-client/1.1
Content-Length: 548
Content-Type: application/jose+json
Accept-Encoding: gzip

{"protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJjcnYiOiJQLTI1NiIsImt0eSI6IkVDIiwieCI6IjBXamdrcVlnTk1uVDlUeThURml5N2VibWFJdU05V1AwQUdiZnZBTmFTZmMiLCJ5IjoiSzJIX3NTdGozOFVMUlc2Vml0VUJ0RkIzY0NGTGR1YTN6Z3otbUkyUTF1cyJ9LCJub25jZSI6IkNRVE9VRDg1QlBsaXVKX0FnVTB6enciLCJ1cmwiOiJodHRwOi8vMTkyLjE2OC4xLjExMjoxNDAwOS9zaWduLW1lLXVwIn0","payload":"eyJvbmx5UmV0dXJuRXhpc3RpbmciOmZhbHNlLCJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZSwiZXh0ZXJuYWxBY2NvdW50QmluZGluZyI6bnVsbH0","signature":"_oy0VNfWsxVk_e11WR-dm0T6raI6n-juBiCrzd-ACprfbJDD2OqmYhkxP43T7NsIY6ssdeoMS0dWtNgUXXqr0A"}


HTTP/1.1 400 Bad Request
Cache-Control: public, max-age=0, no-cache
Content-Type: application/problem+json; charset=utf-8
Link: <http://192.168.1.112:14000/dir>;rel="index"
Replay-Nonce: FT1FqcM6jzBo_o6HWOGtcQ
Date: Wed, 17 Mar 2021 22:14:55 GMT
Content-Length: 252

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "JWS header parameter 'url' incorrect. Expected \"https://192.168.1.112:14000/https://192.168.1.112:14000/sign-me-up\", got \"http://192.168.1.112:14009/sign-me-up\"",
  "status": 400
}

(Excuse the scheme mismatch, I hacked Pebble a little to make packet captures easier, I promise the same thing happens on master).

I checked and Let's Encrypt is unaffected, probably because the nginx frontend or whatever is dealing with it. Bare Boulder might have the same behavior as Pebble, but I didn't check.

alexzorin, Mar 17 '21 22:03
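The server-side check this report is about, as an added example (not Pebble's own code): rebuild the effective request URL from scheme, Host and request-target so that both origin-form and absolute-form targets are handled, then compare it with the JWS protected `url`. Function names are assumptions, and the protected header is encoded locally rather than taken from the capture above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// effectiveRequestURL reconstructs the URL a request was sent to. Origin-form
// targets ("/sign-me-up") are joined with scheme and Host; absolute-form targets
// ("https://host:port/sign-me-up"), which RFC 2616 5.1.2 requires servers to
// accept, already carry the authority and are used as-is. Concatenating
// scheme+Host+target regardless of form is what doubles the URL in the error above.
func effectiveRequestURL(scheme, host, target string) (string, error) {
	if strings.HasPrefix(target, "/") {
		return scheme + "://" + host + target, nil
	}
	u, err := url.ParseRequestURI(target)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("unsupported request-target %q", target)
	}
	return u.String(), nil
}

// checkJWSURL is the ACME request-URL integrity check (RFC 8555 6.4): the "url"
// member of the base64url protected header must equal the effective request URL.
func checkJWSURL(scheme, host, target, protected string) error {
	want, err := effectiveRequestURL(scheme, host, target)
	if err != nil {
		return err
	}
	raw, err := base64.RawURLEncoding.DecodeString(protected)
	if err != nil {
		return fmt.Errorf("protected header is not base64url: %w", err)
	}
	var hdr struct{ URL string `json:"url"` }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return fmt.Errorf("protected header is not JSON: %w", err)
	}
	if hdr.URL != want {
		return fmt.Errorf("JWS header parameter 'url' incorrect. Expected %q, got %q", want, hdr.URL)
	}
	return nil
}

// encodeProtected builds a minimal protected header with the given url (test input only).
func encodeProtected(u string) string {
	b, _ := json.Marshal(map[string]string{"alg": "ES256", "url": u})
	return base64.RawURLEncoding.EncodeToString(b)
}
```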

Huh, that's really interesting! I was not aware of the absoluteURI form, let alone the RFC requirement to implement it.

jsha, Mar 18 '21 01:03

I ran into this bug as well, just now; the ACME client I was testing sent a full URL rather than a path.

joshtriplett, Oct 17 '23 06:10