x/crypto/acme: confusing error when ACME CA does not implement pre-authorization flow #39380

Open
Xianic opened this issue Jun 3, 2020 · 2 comments


@Xianic Xianic commented Jun 3, 2020

What version of Go are you using (go version)?

```
$ go version
go version go1.14.4 linux/amd64
```

Does this issue reproduce with the latest release?

yes (latest version in use)

What operating system and processor architecture are you using (go env)?

go env Output

```
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/[username removed]/.cache/go-build"
GOENV="/home/[username removed]/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY="github.com/[company name removed]/*,[company internal git hosting]/*"
GONOSUMDB="github.com/[company name removed]/*,[company internal git hosting]/*"
GOOS="linux"
GOPATH="/home/[username removed]/go"
GOPRIVATE="github.com/[company name removed]/*,[company internal git hosting]/*"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/opt/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/opt/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/[username removed]/dev/certman/webui/webui/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build840948656=/tmp/go-build -gno-record-gcc-switches"
```

What did you do?

Using golang.org/x/crypto/acme (golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 in go.mod), I register an account with Let's Encrypt's staging v2 API and then call Client.Authorize(). This fails because Discover() returns a Directory with AuthzURL set to the empty string, indicating the pre-authorization flow is not supported by the CA.

What did you expect to see?

Some form of "The CA does not implement pre-authorization flow" error message.

What did you see instead?

An error returned with text `Post "": unsupported protocol scheme ""`

@dmitshur dmitshur changed the title Confusing error when ACME CA does not implement pre-authorization flow x/crypto/acme: confusing error when ACME CA does not implement pre-authorization flow Jun 4, 2020
@gopherbot gopherbot added this to the Unreleased milestone Jun 4, 2020

@dmitshur dmitshur commented Jun 4, 2020


@lz-dc lz-dc commented Jun 4, 2020

As per https://pkg.go.dev/golang.org/x/crypto/acme?tab=doc#Directory,

```
// AuthzURL is used to initiate identifier pre-authorization flow.
// Empty string indicates the flow is unsupported by the CA.
```

Also, https://tools.ietf.org/html/rfc8555#section-7.1.1 clearly states that

> If the ACME server does not implement pre-authorization (Section 7.4.1), it MUST omit the "newAuthz" field of the directory.

Guess the check has to be added by the application using the acme library.
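The application-side check suggested in the comment above, as an added example (not code from this issue or from x/crypto/acme): it reads the RFC 8555 directory with the standard library only and returns a descriptive error when `newAuthz` is omitted, instead of letting a POST to an empty URL fail. `ErrNoPreAuthz`, `preAuthzURL`, `fakeCA` and the `ca.example` URLs are hypothetical names and constructed sample data.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrNoPreAuthz is a hypothetical sentinel error; x/crypto/acme does not define it.
var ErrNoPreAuthz = errors.New("acme: CA does not implement pre-authorization (directory omits newAuthz)")

// preAuthzURL fetches the ACME directory and returns its newAuthz endpoint,
// or ErrNoPreAuthz when the CA omits the field (RFC 8555 section 7.1.1).
func preAuthzURL(c *http.Client, dirURL string) (string, error) {
	resp, err := c.Get(dirURL)
	if err != nil {
		return "", fmt.Errorf("fetch directory: %w", err)
	}
	defer resp.Body.Close()
	var d struct {
		NewAuthz string `json:"newAuthz"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&d); err != nil {
		return "", fmt.Errorf("decode directory: %w", err)
	}
	if d.NewAuthz == "" {
		return "", ErrNoPreAuthz
	}
	// A present but malformed value must not reach the HTTP client either.
	if u, err := url.Parse(d.NewAuthz); err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("directory: newAuthz %q is not an absolute https URL", d.NewAuthz)
	}
	return d.NewAuthz, nil
}

// fakeCA serves a constructed directory document on a local test server.
func fakeCA(body string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, body)
	}))
}

func main() {
	ca := fakeCA(`{"newOrder": "https://ca.example/acme/new-order"}`) // no newAuthz
	defer ca.Close()
	fmt.Println(preAuthzURL(ca.Client(), ca.URL))
}
```

A caller can test the result with `errors.Is(err, ErrNoPreAuthz)` and switch to the order-based flow rather than surfacing a transport error.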
