
I have a custom ACME server and I want to issue certificates using cert-manager, Kubernetes and the ACME protocol.

I am using cert-manager version v1.7.0. The account is registered successfully, but when I try to issue a certificate it is rejected by the server, because the JWS Protected Header does not contain the kid field specified in RFC 8555:

   The "jwk" and "kid" fields are mutually exclusive.  Servers MUST
   reject requests that contain both.

   For newAccount requests, and for revokeCert requests authenticated by
   a certificate key, there MUST be a "jwk" field.  This field MUST
   contain the public key corresponding to the private key used to sign
   the JWS.

   For all other requests, the request is signed using an existing
   account, and there MUST be a "kid" field.  This field MUST contain
   the account URL received by POSTing to the newAccount resource.

The header of the newOrder request contains jwk, but it should contain kid:

{
  "alg": "RS256",
  "jwk": {
    "e": "AQAB",
    "kty": "RSA",
    "n": "5eOrsXP-DTjQ8Ta1lo0kAnN9EbqGjAuRGAtAW8gGSRQJu26DnDls7nB4z5eWkJXeYk6bqATIH5rqE91d1x_13xXynBNytkmKIR3nrP00i3uZdY0hI7aaDrcFjRuk1c8IYfj4mPQUsMtlJDM73aXPublSJt9ZRFVHxFv0jslqovxgYXpXPyenQkt40r1iDpHQC2wzy88Scgzg1HesiNd7gjdGhAtDKUgWfQuyNLskcY55Fhdonx8h-frJ_5S-HCLyeJ67tD7If2Q8oQBCJhuhdk12GIyEA8EoFk7YHYDdwMffyFzgbewlMgQQvaSavWeYEv9Dbw_VtFFiayNWaYxZsw"
  },
  "nonce": "9c34AdVKP7CFoVvE5nKTuu5haR1-H175n-n7BLuaMi0",
  "url": "https://localhost/api/acme/test/new-order"
}

Is there any specific configuration for telling cert-manager to use kid? It should be implemented according to the RFC, so I assume it should do this automatically.

Interestingly, when I switch to the letsencrypt ACME server, cert-manager includes kid instead of jwk in the newOrder request.

I'm out of ideas...


0 answers
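The RFC 8555 section 6.2 rule quoted in the question, as an added example that is not part of the original post and is not cert-manager's own code: a minimal Go client-side header builder and server-side validator. The URLs, nonce and account URL are made up for illustration, modelled on the ones in the question. It does not explain why cert-manager picked jwk against the custom server; it shows what a client needs in order to emit a kid header (the account URL returned by newAccount), what a conforming server rejects (jwk on newOrder, or both fields at once), and how the RS256 signature over the flattened JWS is produced and checked.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// ProtectedHeader is the ACME JWS protected header of RFC 8555 section 6.2.
// Exactly one of JWK and Kid is present, depending on the request type.
type ProtectedHeader struct {
	Alg   string          `json:"alg"`
	JWK   json.RawMessage `json:"jwk,omitempty"`
	Kid   string          `json:"kid,omitempty"`
	Nonce string          `json:"nonce"`
	URL   string          `json:"url"`
}

// JWS is the flattened JSON serialization ACME uses for request bodies.
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// publicJWK encodes an RSA public key as the JWK carried by newAccount requests.
func publicJWK(pub *rsa.PublicKey) json.RawMessage {
	jwk, _ := json.Marshal(map[string]string{
		"e":   b64url(big.NewInt(int64(pub.E)).Bytes()),
		"kty": "RSA",
		"n":   b64url(pub.N.Bytes()),
	})
	return jwk
}

// NewProtectedHeader applies the client-side rule: jwk only for newAccount
// (revokeCert by certificate key works the same way and is omitted here),
// kid (the account URL returned by newAccount) for every other request.
// A client that has not stored the account URL cannot build a valid kid header.
func NewProtectedHeader(priv *rsa.PrivateKey, accountURL, nonce, url string, newAccount bool) (ProtectedHeader, error) {
	h := ProtectedHeader{Alg: "RS256", Nonce: nonce, URL: url}
	if newAccount {
		h.JWK = publicJWK(&priv.PublicKey)
		return h, nil
	}
	if accountURL == "" {
		return h, errors.New("account URL unknown: cannot sign a non-newAccount request with kid")
	}
	h.Kid = accountURL
	return h, nil
}

// ValidateProtectedHeader is the server-side check from section 6.2: the two
// fields are mutually exclusive, newAccount needs jwk, everything else needs kid.
func ValidateProtectedHeader(h ProtectedHeader, newAccount bool) error {
	hasJWK, hasKid := len(h.JWK) > 0, h.Kid != ""
	switch {
	case hasJWK && hasKid:
		return errors.New("jwk and kid are mutually exclusive")
	case newAccount && !hasJWK:
		return errors.New("newAccount request must carry jwk")
	case !newAccount && !hasKid:
		return errors.New("request must carry kid (the account URL)")
	}
	return nil
}

// SignJWS signs base64url(protected) "." base64url(payload) with RS256.
// An empty payload is the POST-as-GET form used when polling resources.
func SignJWS(priv *rsa.PrivateKey, h ProtectedHeader, payload []byte) (JWS, error) {
	hb, err := json.Marshal(h)
	if err != nil {
		return JWS{}, err
	}
	j := JWS{Protected: b64url(hb), Payload: b64url(payload)}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return JWS{}, err
	}
	j.Signature = b64url(sig)
	return j, nil
}

// VerifyJWS checks the signature with the account key the server resolved
// from kid (or took from jwk on newAccount).
func VerifyJWS(pub *rsa.PublicKey, j JWS) error {
	sig, err := base64.RawURLEncoding.DecodeString(j.Signature)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Hypothetical account URL and nonce; the newOrder URL is the one from the question.
	const acct, url = "https://localhost/api/acme/test/acct/1", "https://localhost/api/acme/test/new-order"
	order, _ := NewProtectedHeader(priv, acct, "nonce-1", url, false)
	fmt.Println("kid header accepted:", ValidateProtectedHeader(order, false) == nil)
	jwkOnly, _ := NewProtectedHeader(priv, "", "nonce-2", url, true) // shape of the header the question shows
	fmt.Println("jwk on newOrder:", ValidateProtectedHeader(jwkOnly, false))
}
```

Running it prints that the kid header is accepted and that the jwk-only header is rejected for newOrder, which is the server behaviour the question describes; the validator's first case is also why a client must never set both fields as a hedge.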