
External account binding fails with error "invalid key size for algorithm" #2142

Closed
3 tasks done
grindsa opened this issue Mar 16, 2024 · 6 comments


grindsa commented Mar 16, 2024

Welcome

  • Yes, I'm using a binary release within 2 latest releases.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, config, etc).

What did you expect to see?

After upgrading to v4.16.1, registration on my private acme-server fails with the error below:

grindsa@ub2204:~$  docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://192.168.14.1 -a --email "lego@foo-bar" --eab --kid test_kid2 --hmac aRrQLI5PIAtfeK2DaS9RN91WFSE9m7YX -d lego.bar.local  --http  run
2024/03/16 05:47:14 [INFO] acme: Registering account for lego@example.com
2024/03/16 05:47:14 Could not complete registration
        acme: error signing eab content: failed to External Account Binding sign content: go-jose/go-jose: invalid key size for algorithm
grindsa@ub2204:~$ 

There is no communication with the acme-server at all.

Do you have an idea what is going wrong and how to fix this?

What did you see instead?

On v4.15.0, registration using the same credentials runs fine:

grindsa@ub2204:~$ docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego:v4.15.0 -s http://192.168.14.1 -a --email "lego@example.com" --eab --kid test_kid2 --hmac aRrQLI5PIAtfeK2DaS9RN91WFSE9m7YX -d lego.bar.local  --http  run

Unable to find image 'goacme/lego:v4.15.0' locally
v4.15.0: Pulling from goacme/lego
Digest: sha256:aa25887b8fa946157bc6fc0709ed3c256dcd4dcad23398389bbf3b2d16a1e32f
Status: Downloaded newer image for goacme/lego:v4.15.0
2024/03/16 05:56:24 [INFO] acme: Registering account for lego@example.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/03/16 05:56:24 [INFO] [lego.bar.local] acme: Obtaining bundled SAN certificate
2024/03/16 05:56:24 [INFO] [lego.bar.local] AuthURL: http://192.168.14.1/acme/authz/WtGqFyA0D9Re
2024/03/16 05:56:24 [INFO] [lego.bar.local] acme: Could not find solver for: tls-alpn-01
2024/03/16 05:56:24 [INFO] [lego.bar.local] acme: use http-01 solver
2024/03/16 05:56:24 [INFO] [lego.bar.local] acme: Trying to solve HTTP-01
2024/03/16 05:56:24 [INFO] [lego.bar.local] The server validated our request
2024/03/16 05:56:24 [INFO] [lego.bar.local] acme: Validations succeeded; requesting certificates
2024/03/16 05:56:25 [INFO] [lego.bar.local] Server responded with a certificate.
grindsa@ub2204:~$

How do you use lego?

Docker image

Reproduction steps

See the above commands.

Version of lego

grindsa@ub2204:~$ docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego --version
lego version 4.16.1 linux/amd64

Logs

See above.

Go environment (if applicable)

Docker image

@grindsa grindsa added the bug label Mar 16, 2024
@ldez ldez added the area/cli label Mar 16, 2024

ldez commented Mar 16, 2024

Hello,

Do you have something to help me reproduce the problem (a stack with your ACME server)?


grindsa commented Mar 16, 2024

Server side is acme2certifier. This is my project and I am using lego during regular regression. I can set up a test environment if needed.

/G


ldez commented Mar 18, 2024

If you can provide a test environment, it will help me a lot.


grindsa commented Mar 18, 2024

Here we go. Try "http://acme-eab.dynamop.de":

grindsa@ub2204:~$ curl http://acme-eab.dynamop.de | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   720    0   720    0     0   9294      0 --:--:-- --:--:-- --:--:--  9350
{
  "newAuthz": "http://acme-eab.dynamop.de/acme/new-authz",
  "newNonce": "http://acme-eab.dynamop.de/acme/newnonce",
  "newAccount": "http://acme-eab.dynamop.de/acme/newaccount",
  "newOrder": "http://acme-eab.dynamop.de/acme/neworders",
  "revokeCert": "http://acme-eab.dynamop.de/acme/revokecert",
  "keyChange": "http://acme-eab.dynamop.de/acme/key-change",
  "renewalInfo": "http://acme-eab.dynamop.de/acme/renewal-info",
  "meta": {
    "home": "https://github.com/grindsa/acme2certifier",
    "author": "grindsa <grindelsack@gmail.com>",
    "name": "acme2certifier",
    "version": "0.33.3",
    "externalAccountRequired": true
  },
  "d990b328306e47ff89185b281e282ca5": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}

Please use kid "keyid_02" and hmac "bWFjXzAy".

docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego:v4.15.0 -s http://acme-eab.dynamop.de/ -a --email "lego@example.com" -eab --kid keyid_02 --hmac bWFjXzAy -d lego.bar.local  --http  run

works without issues while

docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://acme-eab.dynamop.de/ -a --email "lego@example.com" --eab --kid keyid_02 --hmac bWFjXzAy  -d lego.bar.local  --http  run

fails with the above-mentioned error.


ldez commented Mar 19, 2024

It's because your HMAC is too short (48 bits); it must be >= 256 bits.

A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used
https://datatracker.ietf.org/doc/html/rfc7518#section-3.2

Related to go-jose/go-jose#85
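
The key-size rule ldez points to, worked through as an added example (this is not lego's or go-jose's code): it decodes the HMAC key exactly as it is passed to --hmac (base64url, RFC 8555 section 7.3.4), rejects anything shorter than the 32-byte SHA-256 output that RFC 7518 section 3.2 requires for HS256, and otherwise builds and verifies the External Account Binding JWS with only the Go standard library. The newAccount URL and the account JWK used in main are constructed placeholders, not values from a real server.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// minHS256KeyBytes: RFC 7518 section 3.2 requires an HS256 key at least as long
// as the hash output, i.e. 256 bits = 32 bytes. Shorter keys must be rejected.
const minHS256KeyBytes = sha256.Size

// DecodeEABKey decodes the base64url-encoded HMAC key as given on the --hmac flag.
// ACME EAB keys are base64url without padding; a padded form is accepted as well.
func DecodeEABKey(encoded string) ([]byte, error) {
	if key, err := base64.RawURLEncoding.DecodeString(encoded); err == nil {
		return key, nil
	}
	return base64.URLEncoding.DecodeString(encoded)
}

// CheckHS256KeySize is the check behind "invalid key size for algorithm".
func CheckHS256KeySize(key []byte) error {
	if len(key) < minHS256KeyBytes {
		return fmt.Errorf("invalid key size for HS256: got %d bits, need >= %d bits",
			len(key)*8, minHS256KeyBytes*8)
	}
	return nil
}

// SignEAB builds the EAB JWS from RFC 8555 section 7.3.4: protected header
// {alg: HS256, kid, url}, payload = the account public key as a JWK, and
// signature = HMAC-SHA256(key, base64url(header) "." base64url(payload)).
func SignEAB(kid, newAccountURL string, accountJWK map[string]string, key []byte) (map[string]string, error) {
	if err := CheckHS256KeySize(key); err != nil {
		return nil, err
	}
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "url": newAccountURL})
	payload, _ := json.Marshal(accountJWK)
	b64 := base64.RawURLEncoding.EncodeToString
	signingInput := b64(header) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return map[string]string{
		"protected": b64(header),
		"payload":   b64(payload),
		"signature": b64(mac.Sum(nil)),
	}, nil
}

// VerifyEAB is the server-side half: recompute the MAC and compare in constant time.
func VerifyEAB(jws map[string]string, key []byte) bool {
	got, err := base64.RawURLEncoding.DecodeString(jws["signature"])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(jws["protected"] + "." + jws["payload"]))
	return hmac.Equal(got, mac.Sum(nil))
}

func main() {
	// The two keys from this thread: "bWFjXzAy" decodes to 6 bytes (48 bits),
	// "aRrQLI5PIAtfeK2DaS9RN91WFSE9m7YX" to 24 bytes (192 bits); both are too short.
	for _, enc := range []string{"bWFjXzAy", "aRrQLI5PIAtfeK2DaS9RN91WFSE9m7YX"} {
		key, err := DecodeEABKey(enc)
		if err != nil {
			fmt.Println(enc, "does not decode:", err)
			continue
		}
		fmt.Printf("%s -> %d bits: %v\n", enc, len(key)*8, CheckHS256KeySize(key))
	}

	// A constructed 32-byte key satisfies the rule; the JWK and URL are placeholders.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
	jws, err := SignEAB("keyid_02", "https://acme.example.invalid/acme/newaccount", jwk, key)
	if err != nil {
		fmt.Println("sign failed:", err)
		return
	}
	fmt.Println("EAB JWS verifies with the same key:", VerifyEAB(jws, key))
}
```

Rejecting a short key client-side, as v4.16.1 now does, is the right default: an HS256 MAC keyed with 48 bits offers far less than the 256-bit security the algorithm name implies, so a server that accepted such bindings would be trusting a key that is cheap to recover.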


grindsa commented Mar 19, 2024

Thank you for your help. I increased the key-size and it works without problems.

I am closing this issue.
