External Account Binding doesn't work for Google #5070

Closed
derkaan opened this issue Mar 27, 2024 · 3 comments

Comments

derkaan commented Mar 27, 2024

I'm trying to use acme.sh in combination with Google but end up with the same issue all the time.

Register account Error: {"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.","requestID":"b6HWs8NloPH9e2jDnStFeQ"}

I tried various things and also can't work out the issue from the logs.
Maybe someone can help or tell me where to look for a solution.
Neither Google research nor this wiki turned up any working solution.

Steps to reproduce

acme.sh has been upgraded to the latest version available at the time of writing:

acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.8

These are the steps I took:

Log in to Google and create external-account-keys:

gcloud auth login # then followed the steps 
gcloud publicca external-account-keys create --project myproject

I've noted the returned values and used them when trying to create the needed certificate:

acme.sh --issue -d my.domain.net --stateless --server google --eab-kid 13acb6e7bf0074d6ba485bcd2ba3f58c --eab-hmac-key JvX7Wap6AkBBkcPP9zyPWF04rEcl0PLbfNFkXRhZsS1-7q96SH3eEFNiRvxofwSSbwk0BiTbo2wvy0JWdKg3bw

Due to the short validity period I also tried it with fresh secrets by requesting updated account keys, but that didn't help either.

In case it is relevant: I'm using HAProxy and have made the corresponding settings in haproxy.cnf too:

# truncated
	setenv ACME_THUMBPRINT 'yhCSEe7PqnZqcQ9RrokE2jbs5s9bm30ix6c8tyTYN5o'
	stats socket /var/run/haproxy/admin.sock level admin mode 660
# truncated

But as I'm getting the error, I couldn't verify functionality on the HAProxy side...

As I've been struggling with this for days now, your help is really appreciated.

Debug log

acme.sh --issue -d my.domain.net --stateless --server google --eab-kid 13acb6e7bf0074d6ba485bcd2ba3f58c --eab-hmac-key JvX7Wap6AkBBkcPP9zyPWF04rEcl0PLbfNFkXRhZsS1-7q96SH3eEFNiRvxofwSSbwk0BiTbo2wvy0JWdKg3bw --debug 2
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='zerossl.com,zerossl'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='letsencrypt.org,letsencrypt'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='letsencrypt.org_test,letsencrypt_test,letsencrypttest'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='buypass.com,buypass'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='buypass.com_test,buypass_test,buypasstest'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='ssl.com,sslcom'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer try snames='google.com,google'
[Wed Mar 27 08:05:15 UTC 2024] _selectServer match google
[Wed Mar 27 08:05:15 UTC 2024] Selected server: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:15 UTC 2024] Lets find script dir.
[Wed Mar 27 08:05:15 UTC 2024] _SCRIPT_='/usr/local/bin/acme.sh'
[Wed Mar 27 08:05:15 UTC 2024] _script='/home/acme/acme.sh/acme.sh'
[Wed Mar 27 08:05:15 UTC 2024] _script_home='/home/acme/acme.sh'
[Wed Mar 27 08:05:15 UTC 2024] Using default home:/home/acme/.acme.sh
[Wed Mar 27 08:05:15 UTC 2024] Using config home:/home/acme/.acme.sh
[Wed Mar 27 08:05:15 UTC 2024] LE_WORKING_DIR='/home/acme/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Wed Mar 27 08:05:15 UTC 2024] Using server: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:15 UTC 2024] Running cmd: issue
[Wed Mar 27 08:05:15 UTC 2024] _main_domain='my.domain.net'
[Wed Mar 27 08:05:15 UTC 2024] _alt_domains='no'
[Wed Mar 27 08:05:15 UTC 2024] Using config home:/home/acme/.acme.sh
[Wed Mar 27 08:05:15 UTC 2024] ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Wed Mar 27 08:05:15 UTC 2024] _ACME_SERVER_HOST='dv.acme-v02.api.pki.goog'
[Wed Mar 27 08:05:15 UTC 2024] _ACME_SERVER_PATH='directory'
[Wed Mar 27 08:05:15 UTC 2024] DOMAIN_PATH='/home/acme/.acme.sh/my.domain.net_ecc'
[Wed Mar 27 08:05:16 UTC 2024] 'stateless' does not contain 'dns'
[Wed Mar 27 08:05:16 UTC 2024] Le_NextRenewTime
[Wed Mar 27 08:05:16 UTC 2024] Using ACME_DIRECTORY: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:16 UTC 2024] _init api for server: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:16 UTC 2024] GET
[Wed Mar 27 08:05:16 UTC 2024] url='https://dv.acme-v02.api.pki.goog/directory'
[Wed Mar 27 08:05:16 UTC 2024] timeout=
[Wed Mar 27 08:05:16 UTC 2024] _CURL='curl --silent --dump-header /home/acme/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.kR4Y0tuTiK  -g '
[Wed Mar 27 08:05:16 UTC 2024] ret='0'
[Wed Mar 27 08:05:16 UTC 2024] response='{"newNonce":"https://dv.acme-v02.api.pki.goog/new-nonce","newAccount":"https://dv.acme-v02.api.pki.goog/new-account","newOrder":"https://dv.acme-v02.api.pki.goog/new-order","newAuthz":"https://dv.acme-v02.api.pki.goog/new-authz","revokeCert":"https://dv.acme-v02.api.pki.goog/revoke-cert","keyChange":"https://dv.acme-v02.api.pki.goog/key-change","renewalInfo":"https://dv.acme-v02.api.pki.goog/renewal-info","meta":{"termsOfService":"https://pki.goog/GTS-SA.pdf","website":"https://pki.goog","caaIdentities":["pki.goog"],"externalAccountRequired":true}}'
[Wed Mar 27 08:05:16 UTC 2024] ACME_KEY_CHANGE='https://dv.acme-v02.api.pki.goog/key-change'
[Wed Mar 27 08:05:16 UTC 2024] ACME_NEW_AUTHZ='https://dv.acme-v02.api.pki.goog/new-authz'
[Wed Mar 27 08:05:16 UTC 2024] ACME_NEW_ORDER='https://dv.acme-v02.api.pki.goog/new-order'
[Wed Mar 27 08:05:16 UTC 2024] ACME_NEW_ACCOUNT='https://dv.acme-v02.api.pki.goog/new-account'
[Wed Mar 27 08:05:16 UTC 2024] ACME_REVOKE_CERT='https://dv.acme-v02.api.pki.goog/revoke-cert'
[Wed Mar 27 08:05:16 UTC 2024] ACME_AGREEMENT='https://pki.goog/GTS-SA.pdf'
[Wed Mar 27 08:05:16 UTC 2024] ACME_NEW_NONCE='https://dv.acme-v02.api.pki.goog/new-nonce'
[Wed Mar 27 08:05:17 UTC 2024] Using CA: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:17 UTC 2024] _on_before_issue
[Wed Mar 27 08:05:17 UTC 2024] _chk_main_domain='my.domain.net'
[Wed Mar 27 08:05:17 UTC 2024] _chk_alt_domains
[Wed Mar 27 08:05:17 UTC 2024] 'stateless' does not contain 'no'
[Wed Mar 27 08:05:17 UTC 2024] Le_LocalAddress
[Wed Mar 27 08:05:17 UTC 2024] d='my.domain.net'
[Wed Mar 27 08:05:17 UTC 2024] Check for domain='my.domain.net'
[Wed Mar 27 08:05:17 UTC 2024] _currentRoot='stateless'
[Wed Mar 27 08:05:17 UTC 2024] d
[Wed Mar 27 08:05:17 UTC 2024] 'stateless' does not contain 'apache'
[Wed Mar 27 08:05:17 UTC 2024] _saved_account_key_hash
[Wed Mar 27 08:05:17 UTC 2024] Using config home:/home/acme/.acme.sh
[Wed Mar 27 08:05:17 UTC 2024] ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Wed Mar 27 08:05:17 UTC 2024] _ACME_SERVER_HOST='dv.acme-v02.api.pki.goog'
[Wed Mar 27 08:05:17 UTC 2024] _ACME_SERVER_PATH='directory'
[Wed Mar 27 08:05:17 UTC 2024] _init api for server: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:17 UTC 2024] EC key
[Wed Mar 27 08:05:17 UTC 2024] _URGLY_PRINTF
[Wed Mar 27 08:05:17 UTC 2024] xargs
[Wed Mar 27 08:05:17 UTC 2024] _URGLY_PRINTF
[Wed Mar 27 08:05:17 UTC 2024] xargs
[Wed Mar 27 08:05:17 UTC 2024] Registering account: https://dv.acme-v02.api.pki.goog/directory
[Wed Mar 27 08:05:17 UTC 2024] =======Begin Send Signed Request=======
[Wed Mar 27 08:05:17 UTC 2024] url='https://dv.acme-v02.api.pki.goog/new-account'
[Wed Mar 27 08:05:17 UTC 2024] payload='{"contact": ["mailto:[email protected]"], "termsOfServiceAgreed": true}'
[Wed Mar 27 08:05:17 UTC 2024] Use cached jwk for file: /home/acme/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/account.key
[Wed Mar 27 08:05:17 UTC 2024] Get nonce with HEAD. ACME_NEW_NONCE='https://dv.acme-v02.api.pki.goog/new-nonce'
[Wed Mar 27 08:05:17 UTC 2024] HEAD
[Wed Mar 27 08:05:17 UTC 2024] _post_url='https://dv.acme-v02.api.pki.goog/new-nonce'
[Wed Mar 27 08:05:17 UTC 2024] body
[Wed Mar 27 08:05:17 UTC 2024] _postContentType='application/jose+json'
[Wed Mar 27 08:05:17 UTC 2024] _CURL='curl --silent --dump-header /home/acme/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.nXJcOydbV6  -g  -I  '
[Wed Mar 27 08:05:17 UTC 2024] _ret='0'
[Wed Mar 27 08:05:17 UTC 2024] _headers='HTTP/2 200
cache-control: no-store
link: <https://dv.acme-v02.api.pki.goog/directory>;rel="index"
replay-nonce: AEQAAAAKQgoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhQKDAi9po-wBhDUiu2SAxD1__7YAgAPkAjEtRd7mLuH7Ydkp1iza7xyeQGuMO8
content-length: 0
date: Wed, 27 Mar 2024 08:05:17 GMT
content-type: text/html
server: scaffolding on HTTPServer2
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
'
[Wed Mar 27 08:05:17 UTC 2024] _CACHED_NONCE='AEQAAAAKQgoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhQKDAi9po-wBhDUiu2SAxD1__7YAgAPkAjEtRd7mLuH7Ydkp1iza7xyeQGuMO8'
[Wed Mar 27 08:05:17 UTC 2024] nonce='AEQAAAAKQgoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhQKDAi9po-wBhDUiu2SAxD1__7YAgAPkAjEtRd7mLuH7Ydkp1iza7xyeQGuMO8'
[Wed Mar 27 08:05:17 UTC 2024] _URGLY_PRINTF
[Wed Mar 27 08:05:17 UTC 2024] xargs
[Wed Mar 27 08:05:17 UTC 2024] POST
[Wed Mar 27 08:05:17 UTC 2024] _post_url='https://dv.acme-v02.api.pki.goog/new-account'
[Wed Mar 27 08:05:17 UTC 2024] body='{"protected": "eyJub25jZSI6ICJBRVFBQUFBS1Fnb3FkSGx3WlM1bmIyOW5iR1ZoY0dsekxtTnZiUzl6WldOMWNtbDBlVjkwWVhKemFXVnlMazV2Ym1ObEVoUUtEQWk5cG8td0JoRFVpdTJTQXhEMV9fN1lBZ0FQa0FqRXRSZDdtTHVIN1lka3AxaXphN3h5ZVFHdU1POCIsICJ1cmwiOiAiaHR0cHM6Ly9kdi5hY21lLXYwMi5hcGkucGtpLmdvb2cvbmV3LWFjY291bnQiLCAiYWxnIjogIkVTMjU2IiwgImp3ayI6IHsiY3J2IjogIlAtMjU2IiwgImt0eSI6ICJFQyIsICJ4IjogImZYdTNKMVVwRTd3QkdPR0pHdlE4b0hWWWxhVDZhTmRBLXpNOUhRaXRaUmciLCAieSI6ICJlYlFJSHB5OHFERm03bDRZRHZaejJ5ODNCaW1pWHhnejcxaVBHS2hTU2dBIn19", "payload": "eyJjb250YWN0IjogWyJtYWlsdG86a2tAZGljdWxhLmNvbSJdLCAidGVybXNPZlNlcnZpY2VBZ3JlZWQiOiB0cnVlfQ", "signature": "N2SUiIzPbOQFvSMVq_bNtIqL83bwUIonRvbNObg3jPGBInfPeslrpeJZoGsaxQfTPs2u8GVxl2F8NtD93m1p6w"}'
[Wed Mar 27 08:05:17 UTC 2024] _postContentType='application/jose+json'
[Wed Mar 27 08:05:17 UTC 2024] Http already initialized.
[Wed Mar 27 08:05:17 UTC 2024] _CURL='curl --silent --dump-header /home/acme/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.nXJcOydbV6  -g '
[Wed Mar 27 08:05:18 UTC 2024] _ret='0'
[Wed Mar 27 08:05:18 UTC 2024] responseHeaders='HTTP/2 400
link: <https://dv.acme-v02.api.pki.goog/directory>;rel="index"
replay-nonce: AEQAAAAKQgoqdHlwZS5nb29nbGVhcGlzLmNvbS9zZWN1cml0eV90YXJzaWVyLk5vbmNlEhQKDAi-po-wBhDXmvz2AhDVobb1BAAPkAjEX4ctjO2eLiOyPyxiMH2RRtOBrxQ
content-type: application/problem+json
content-length: 240
date: Wed, 27 Mar 2024 08:05:18 GMT
server: scaffolding on HTTPServer2
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
'
[Wed Mar 27 08:05:18 UTC 2024] code='400'
[Wed Mar 27 08:05:18 UTC 2024] original='{"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.","requestID":"b6HWs8NloPH9e2jDnStFEQ"}'
[Wed Mar 27 08:05:18 UTC 2024] response='{"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.","requestID":"b6HWs8NloPH9e2jDnStFEQ"}'
[Wed Mar 27 08:05:18 UTC 2024] Register account Error: {"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.","requestID":"b6HWs8NloPH9e2jDnStFEQ"}
[Wed Mar 27 08:05:18 UTC 2024] _on_issue_err
[Wed Mar 27 08:05:18 UTC 2024] Please add '--debug' or '--log' to check more details.
[Wed Mar 27 08:05:18 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Wed Mar 27 08:05:18 UTC 2024] _chk_vlist
[Wed Mar 27 08:05:18 UTC 2024] Diagnosis versions:
openssl:openssl
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.4 on 06 Nov 2022 08:15:51
   running on Linux version #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01), release 6.1.0-18-amd64, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_VSOCK 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/
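In the log above, acme.sh POSTs a newAccount payload containing only `contact` and `termsOfServiceAgreed`, and the CA answers `externalAccountRequired`. RFC 8555 section 7.3.4 says that when the directory advertises `externalAccountRequired: true`, the newAccount payload must also carry an `externalAccountBinding` field: an HS256 JWS, keyed with the EAB HMAC key and identified by the EAB kid, whose payload is the account's own public JWK. The following Python is an added example written for this page; it is not acme.sh code and not from anyone in this issue. It builds that binding, performs the checks a CA does on it, and inspects a captured newAccount JWS body for the field. The kid, HMAC key, JWK and contact address are constructed placeholders; only the new-account URL is taken from the debug log.

```python
"""ACME External Account Binding (RFC 8555 section 7.3.4): build, verify, inspect.

Added example, not acme.sh code. SAMPLE_* values are constructed placeholders;
only NEW_ACCOUNT_URL comes from the debug log in the issue.
"""
import base64
import hashlib
import hmac
import json

# What the CA hands out (gcloud publicca external-account-keys create) plus the
# client's own account public key. All constructed for this example.
SAMPLE_KID = "example-eab-kid"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  # placeholder coordinates
    "y": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
}
NEW_ACCOUNT_URL = "https://dv.acme-v02.api.pki.goog/new-account"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


SAMPLE_HMAC_KEY = b64url(b"0123456789abcdef0123456789abcdef")  # constructed 32-byte key


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_eab(kid: str, hmac_key_b64url: str, account_jwk: dict, url: str) -> dict:
    """Client side: HS256 JWS over the account JWK. Header has alg, kid, url and no nonce."""
    protected = b64url(_compact_json({"alg": "HS256", "kid": kid, "url": url}))
    payload = b64url(_compact_json(account_jwk))
    key = b64url_decode(hmac_key_b64url)
    mac = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def new_account_payload(contact: list, eab: dict) -> dict:
    """The newAccount body a CA with externalAccountRequired expects."""
    return {"contact": contact, "termsOfServiceAgreed": True, "externalAccountBinding": eab}


def verify_eab(eab: dict, outer_jwk: dict, url: str, lookup_key) -> tuple:
    """CA side: returns (ok, reason). lookup_key(kid) -> raw MAC key bytes or None."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        inner_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False, "malformed binding"
    if protected.get("alg") != "HS256":
        return False, "unsupported alg"
    if "nonce" in protected:  # the EAB header MUST NOT carry a nonce
        return False, "nonce not allowed in EAB header"
    if protected.get("url") != url:  # must equal the outer JWS url
        return False, "url mismatch"
    key = lookup_key(protected.get("kid"))
    if key is None:
        return False, "unknown kid"
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time MAC check
        return False, "bad mac"
    if inner_jwk != outer_jwk:  # bound key must be the account key in the outer jwk
        return False, "bound key differs from account key"
    return True, "ok"


def body_has_eab(jws_body: dict) -> bool:
    """Inspect a captured newAccount JWS body (as printed in a debug log) for the binding."""
    payload = json.loads(b64url_decode(jws_body["payload"]))
    return "externalAccountBinding" in payload


def demo() -> dict:
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_JWK, NEW_ACCOUNT_URL)
    keys = {SAMPLE_KID: b64url_decode(SAMPLE_HMAC_KEY)}
    bound = new_account_payload(["mailto:admin@example.net"], eab)
    unbound = {"contact": ["mailto:admin@example.net"], "termsOfServiceAgreed": True}
    # Outer JWS bodies as a client would POST them (outer signature omitted here).
    bound_body = {"payload": b64url(_compact_json(bound))}
    unbound_body = {"payload": b64url(_compact_json(unbound))}
    return {
        "valid": verify_eab(eab, SAMPLE_JWK, NEW_ACCOUNT_URL, keys.get),
        "wrong_key": verify_eab(eab, SAMPLE_JWK, NEW_ACCOUNT_URL, lambda _k: b"not-the-key"),
        "wrong_url": verify_eab(eab, SAMPLE_JWK, "https://example.test/new-account", keys.get),
        "bound_has_eab": body_has_eab(bound_body),
        "unbound_has_eab": body_has_eab(unbound_body),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run against a body like the one the debug log prints (`{"protected": ..., "payload": ..., "signature": ...}`), `body_has_eab` reports whether the client actually sent the binding; a `False` here explains an `externalAccountRequired` rejection regardless of which flags were passed on the command line. Note that the EAB HMAC key is a bearer secret that lets anyone bind a new ACME account to your CA project, so treat it like a credential rather than posting it in logs or issue reports.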

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.


derkaan commented Mar 27, 2024

As mentioned, acme.sh has been upgraded, and the debug log shows the output of the "debug 2" option.


Neilpang commented Apr 1, 2024

Neilpang closed this as completed Apr 1, 2024