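# Hide JWK from ACME client and pass KID instead
#
# Scenario: lacme-accountd is configured with a 'keyid' so the ACME client is
# handed a Key ID instead of the account's JWK.  Requests that RFC 8555 requires
# to be JWK-authenticated (newAccount) must then fail loudly, while
# KID-authenticated requests (newOrder, revokeCert) must keep working, and
# every JWS header accountd signs must carry the KID rather than the JWK.
#
# Provided by the test harness (not defined here): $STDERR, fail, grepstderr.

# get the key ID
lacme account 2>"$STDERR" || fail
keyid="$(sed -n "/^Key ID: / {s///p;q}" <"$STDERR")"
# An empty keyid would make the later "kid" header check meaningless.
[ -n "$keyid" ] || fail

# prepare accountd
adduser --disabled-password \
  --home /home/lacme-account \
  --gecos "lacme account user" \
  --quiet lacme-account
install -olacme-account -glacme-account -Ddm0700 -- \
  ~lacme-account/.config/lacme ~lacme-account/.local/share/lacme
mv -t ~lacme-account/.config/lacme /etc/lacme/account.key
chown lacme-account: ~lacme-account/.config/lacme/account.key
cat >~lacme-account/.config/lacme/lacme-accountd.conf <<EOF
privkey = file:%E/lacme/account.key
logfile = %h/.local/share/lacme/accountd.log
keyid = $keyid
EOF

SOCKET=~lacme-account/S.lacme
# Must match the 'logfile' setting written above (%h is the account's home).
ACCOUNTD_LOG=~lacme-account/.local/share/lacme/accountd.log

#######################################
# Start lacme-accountd in the background as the unprivileged account user.
# Globals:   SOCKET (read), PID (written: the accountd process id)
# Returns:   0
#######################################
start_accountd() {
  # NOTE(review): nothing waits for the socket to appear before the first
  # client call below; assumed accountd binds it fast enough — confirm.
  runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet &
  PID=$!
}

#######################################
# Assert that every "SIGNED" record in accountd's log carries a JWS header
# starting with the given fixed-string prefix.  At least one record must
# exist: an empty log must not let the check pass vacuously.
# Globals:   ACCOUNTD_LOG (read)
# Arguments: $1 - expected header prefix, as it appears after "base64url({"
# Returns:   0 if all headers match, 1 otherwise (via fail if no record)
#######################################
check_signed_headers() {
  local prefix=$1 signed
  # grep exits non-zero when nothing matches, which is a test failure here.
  signed="$(grep -F "] SIGNED header=base64url({" "$ACCOUNTD_LOG")" || fail
  if grep -vqF "] SIGNED header=base64url({$prefix" <<<"$signed"; then
    printf 'unexpected JWS header in %s\n' "$ACCOUNTD_LOG" >&2
    return 1
  fi
  return 0
}

start_accountd

# newAccount resource fails as per RFC 8555 sec. 6.2 it requires a JWK
! lacme --socket="$SOCKET" account 2>"$STDERR" || fail
grepstderr -Fxq "Warning: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails."
grepstderr -Fxq "400 Bad Request (Parse error reading JWS)"
# Under 'set -e' a bare '! grep …' never aborts; make the outcome explicit.
check_signed_headers '"alg":"RS256","jwk":{},' || fail

# rotate log and restart accountd
kill "$PID"
# bare 'wait' (not 'wait "$PID"') so the killed child's status does not abort us
wait
rm -- "$ACCOUNTD_LOG"
start_accountd

# newOrder works fine without JWK
lacme --socket="$SOCKET" newOrder test
# NOTE(review): the extracted source reads "…rsa.crt -nt …rsa.key" with no
# surrounding [ ]; -nt exists only as a test(1) operator, so it is
# reconstructed here as a freshness check — confirm against the original file.
[ /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key ] || fail

# and so does revokeCert (for requests authenticated with the account key)
lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt
! lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail
grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt"
grepstderr -Fxq "400 Bad Request (Certificate already revoked)"
grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt"
kill "$PID"
wait

# make sure all signing requests have a KID
check_signed_headers "\"alg\":\"RS256\",\"kid\":\"$keyid\"," || fail

# vim: set filetype=sh :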