
Zerossl Register account Error #5062

Open
annieoxe opened this issue Mar 21, 2024 · 2 comments


annieoxe commented Mar 21, 2024

On my server I currently have a letsencrypt certificate with no problem.
I attempt to change to zerossl and it does not allow me to do so.
My problem is located in the user registration, I have seen several Issues with the same problem but none of them has a clear solution, usually the Issue ends with the phrase "it works for me with the last code update". That answer obviously doesn't work for me, I have the latest version of acme.
I want to find out why it doesn't work because I've tested it on another server and it does work, but I can't find the difference that causes it to fail.

My output from `.acme.sh/acme.sh --register-account -m myemail@gmail.com --debug 2`:

[Thu Mar 21 10:08:43 UTC 2024] Lets find script dir.
[Thu Mar 21 10:08:43 UTC 2024] _SCRIPT_='.acme.sh/acme.sh'
[Thu Mar 21 10:08:43 UTC 2024] _script='/home/ubuntu/.acme.sh/acme.sh'
[Thu Mar 21 10:08:43 UTC 2024] _script_home='/home/ubuntu/.acme.sh'
[Thu Mar 21 10:08:43 UTC 2024] Using config home:/home/ubuntu/.acme.sh
[Thu Mar 21 10:08:43 UTC 2024] LE_WORKING_DIR='/home/ubuntu/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Thu Mar 21 10:08:43 UTC 2024] Running cmd: registeraccount
[Thu Mar 21 10:08:43 UTC 2024] Using config home:/home/ubuntu/.acme.sh
[Thu Mar 21 10:08:43 UTC 2024] default_acme_server='https://acme.zerossl.com/v2/DV90'
[Thu Mar 21 10:08:43 UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Thu Mar 21 10:08:43 UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Thu Mar 21 10:08:43 UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Thu Mar 21 10:08:43 UTC 2024] Using config home:/home/ubuntu/.acme.sh
[Thu Mar 21 10:08:43 UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Thu Mar 21 10:08:43 UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Thu Mar 21 10:08:43 UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Thu Mar 21 10:08:43 UTC 2024] _init api for server: https://acme.zerossl.com/v2/DV90
[Thu Mar 21 10:08:43 UTC 2024] GET
[Thu Mar 21 10:08:43 UTC 2024] url='https://acme.zerossl.com/v2/DV90'
[Thu Mar 21 10:08:43 UTC 2024] timeout=
[Thu Mar 21 10:08:43 UTC 2024] _CURL='curl --silent --dump-header /home/ubuntu/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.iEZznY6rgu  -g '
[Thu Mar 21 10:08:43 UTC 2024] ret='0'
[Thu Mar 21 10:08:43 UTC 2024] response='{
  "newNonce": "https://acme.zerossl.com/v2/DV90/newNonce",
  "newAccount": "https://acme.zerossl.com/v2/DV90/newAccount",
  "newOrder": "https://acme.zerossl.com/v2/DV90/newOrder",
  "revokeCert": "https://acme.zerossl.com/v2/DV90/revokeCert",
  "keyChange": "https://acme.zerossl.com/v2/DV90/keyChange",
  "meta": {
    "termsOfService": "https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf",
    "website": "https://zerossl.com",
    "caaIdentities": ["sectigo.com", "trust-provider.com", "usertrust.com", "comodoca.com", "comodo.com"],
    "externalAccountRequired": true
  }
}'
[Thu Mar 21 10:08:43 UTC 2024] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
[Thu Mar 21 10:08:43 UTC 2024] ACME_NEW_AUTHZ
[Thu Mar 21 10:08:43 UTC 2024] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
[Thu Mar 21 10:08:43 UTC 2024] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
[Thu Mar 21 10:08:43 UTC 2024] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
[Thu Mar 21 10:08:43 UTC 2024] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf'
[Thu Mar 21 10:08:43 UTC 2024] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Thu Mar 21 10:08:43 UTC 2024] EC key
[Thu Mar 21 10:08:43 UTC 2024] Let's try ASN1 OID
Usage: _hmac hashalg secret [outputhex]
[Thu Mar 21 10:08:44 UTC 2024] Registering account: https://acme.zerossl.com/v2/DV90
[Thu Mar 21 10:08:44 UTC 2024] =======Begin Send Signed Request=======
[Thu Mar 21 10:08:44 UTC 2024] url='https://acme.zerossl.com/v2/DV90/newAccount'
[Thu Mar 21 10:08:44 UTC 2024] payload='{"contact": ["mailto:myemail@gmail.com"], "termsOfServiceAgreed": true,"externalAccountBinding":{"protected":"eyJhbGciOiJIUzI1NiIsImtpZCI6InNLbEJuaG1qczZ6bS01UTcwQXVEVmciLCJ1cmwiOiJodHRwczovL2FjbWUuemVyb3NzbC5jb20vdjIvRFY5MC9uZXdBY2NvdW50In0", "payload":"eyJjcnYiOiAiUC0yNTYiLCAia3R5IjogIkVDIiwgIngiOiAicXdrcTkzM2VyR3U5OXBIRTE1ZEJmckJHdmdYby1VM2NLYW9Ja0pBeko4RSIsICJ5IjogImRUUlhfZjkwRVR3Wi1IS0I0RjlyNTIyeEM0YkN3SXlQb2dldS1zMkJTUncifQ", "signature":""}}'
[Thu Mar 21 10:08:44 UTC 2024] Use cached jwk for file: /home/ubuntu/.acme.sh/ca/acme.zerossl.com/v2/DV90/account.key
[Thu Mar 21 10:08:44 UTC 2024] Get nonce with HEAD. ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Thu Mar 21 10:08:44 UTC 2024] HEAD
[Thu Mar 21 10:08:44 UTC 2024] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Thu Mar 21 10:08:44 UTC 2024] body
[Thu Mar 21 10:08:44 UTC 2024] _postContentType='application/jose+json'
[Thu Mar 21 10:08:44 UTC 2024] _CURL='curl --silent --dump-header /home/ubuntu/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.ZH0lR9eu90  -g  -I  '
[Thu Mar 21 10:08:44 UTC 2024] _ret='0'
[Thu Mar 21 10:08:44 UTC 2024] _headers='HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Mar 2024 10:08:44 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Replay-Nonce: fcDyR3Ml7ZwIGsOriusKdFMasF6Lre8Mz1D-zcXFMWQ
Cache-Control: max-age=0, no-cache, no-store
Access-Control-Allow-Origin: *
Link: <https://acme.zerossl.com/v2/DV90>;rel="index"
Strict-Transport-Security: max-age=15724800; includeSubDomains
'
[Thu Mar 21 10:08:44 UTC 2024] _CACHED_NONCE='fcDyR3Ml7ZwIGsOriusKdFMasF6Lre8Mz1D-zcXFMWQ'
[Thu Mar 21 10:08:44 UTC 2024] nonce='fcDyR3Ml7ZwIGsOriusKdFMasF6Lre8Mz1D-zcXFMWQ'
[Thu Mar 21 10:08:44 UTC 2024] POST
[Thu Mar 21 10:08:44 UTC 2024] _post_url='https://acme.zerossl.com/v2/DV90/newAccount'
[Thu Mar 21 10:08:44 UTC 2024] body='{"protected": "eyJub25jZSI6ICJmY0R5UjNNbDdad0lHc09yaXVzS2RGTWFzRjZMcmU4TXoxRC16Y1hGTVdRIiwgInVybCI6ICJodHRwczovL2FjbWUuemVyb3NzbC5jb20vdjIvRFY5MC9uZXdBY2NvdW50IiwgImFsZyI6ICJFUzI1NiIsICJqd2siOiB7ImNydiI6ICJQLTI1NiIsICJrdHkiOiAiRUMiLCAieCI6ICJxd2txOTMzZXJHdTk5cEhFMTVkQmZyQkd2Z1hvLVUzY0thb0lrSkF6SjhFIiwgInkiOiAiZFRSWF9mOTBFVHdaLUhLQjRGOXI1MjJ4QzRiQ3dJeVBvZ2V1LXMyQlNSdyJ9fQ", "payload": "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", "signature": "5FSx1HsWoyc-cnippADhCd4xahrNIHoQlo_ebNtSl2L8GhTmNTNsyUd5VER7bdlbY8b6uqEHBsO5pFuKjRWMzg"}'
[Thu Mar 21 10:08:44 UTC 2024] _postContentType='application/jose+json'
[Thu Mar 21 10:08:44 UTC 2024] Http already initialized.
[Thu Mar 21 10:08:44 UTC 2024] _CURL='curl --silent --dump-header /home/ubuntu/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.ZH0lR9eu90  -g '
[Thu Mar 21 10:08:45 UTC 2024] _ret='0'
[Thu Mar 21 10:08:45 UTC 2024] responseHeaders='HTTP/1.1 100 Continue

HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 21 Mar 2024 10:08:45 GMT
Content-Type: application/problem+json
Content-Length: 132
Connection: keep-alive
Replay-Nonce: nBbOU3xo47IC1yZi76FWc22UbFcglFbDah-hWx5zW9A
Cache-Control: max-age=0, no-cache, no-store
Access-Control-Allow-Origin: *
Link: <https://acme.zerossl.com/v2/DV90>;rel="index"
Strict-Transport-Security: max-age=15724800; includeSubDomains
'
[Thu Mar 21 10:08:45 UTC 2024] code='400'
[Thu Mar 21 10:08:45 UTC 2024] original='{"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] The JWS Signature MUST be present"}'
[Thu Mar 21 10:08:45 UTC 2024] response='{"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] The JWS Signature MUST be present"}'
[Thu Mar 21 10:08:45 UTC 2024] Register account Error: {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] The JWS Signature MUST be present"}

UPDATE:

I tried previous versions and I was able to register and issue without any problems on version 3.0.2 but in version 3.0.3 the problem arises.

UPDATE2:

I have found that the error starts to appear as of this commit in version 3.0.3

My OpenSSL version is 1.0.1, so when `openssl base64 -d` is run without the `-A` option during the `_dbase64` step of registration, it returns an empty string.

UPDATE3:

I think the problem is related to the fact that during registration a `_dbase64` call is made with the `multi` option, which would imply that the base64 string to be decoded is a string of more than 64 characters separated by line breaks, where each initial or intermediate line has length == 64 and the last line has length <= 64. However, the base64 string to be decoded, the `eab_hmac` key that is automatically generated if none is stored (or the one found in the web dashboard), has a length greater than 64 characters and no line breaks separating it. Hence I understand that there is a bug and the `multi` option should not be passed, because although in OpenSSL 1.1.1 and greater it works without problems, it fails for OpenSSL 1.0.1.

@Neilpang could I have your opinion?
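As an added example (not code from acme.sh and not part of this issue), the following Python shows the two pieces UPDATE3 and the debug log are about: a base64url decoder that accepts both a single long line and 64-column wrapped input, and the construction of the `externalAccountBinding` JWS (RFC 8555 section 7.3.4) that the `newAccount` request carries. The protected header is the one from the failing request in the log above; the 66-byte HMAC key and the account JWK are constructed placeholders, and the JSON serialization differs from acme.sh's own (no spaces), so the signature bytes will not match the script's. The `build_eab` function refuses to sign with a key that decoded to zero bytes, which is the condition that produced the empty `"signature":""` and the CA's "JWS Signature MUST be present" rejection.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: a 66-byte EAB HMAC key, which encodes to 88 base64url
# characters on a single line (longer than 64, no line breaks), the shape
# UPDATE3 describes for the eab_hmac key.
SAMPLE_KEY_BYTES = bytes(range(66))

# Protected header copied verbatim from the failing newAccount request in the debug log.
PAGE_PROTECTED = ("eyJhbGciOiJIUzI1NiIsImtpZCI6InNLbEJuaG1qczZ6bS01UTcwQXVEVmciLCJ1cmwiOiJodHRwczov"
                  "L2FjbWUuemVyb3NzbC5jb20vdjIvRFY5MC9uZXdBY2NvdW50In0")


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url or plain base64 whether the input is one long line or
    wrapped at 64 columns: strip all whitespace first, then restore padding."""
    compact = "".join(text.split()).replace("-", "+").replace("_", "/")
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact, validate=True)


def wrap64(text: str) -> str:
    """Re-wrap a single-line base64 string into 64-column lines (the multi-line
    layout the issue says the decoder was assuming)."""
    return "\n".join(text[i:i + 64] for i in range(0, len(text), 64))


def decode_protected(protected_b64url: str) -> dict:
    """Read alg, kid and url back out of a JWS protected header."""
    return json.loads(b64url_decode(protected_b64url))


def build_eab(kid: str, hmac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Build the externalAccountBinding JWS: HS256 over
    base64url(protected) + "." + base64url(payload), keyed with the decoded EAB key,
    where the payload is the ACME account's public JWK."""
    key = b64url_decode(hmac_key_b64url)
    if not key:
        # An empty key is what a failed base64 decode yields; signing with it would
        # produce the unsigned JWS the CA rejects, so stop here instead.
        raise ValueError("EAB HMAC key decoded to zero bytes; not producing a JWS")
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode("ascii"))
    payload = b64url_encode(json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode("ascii"))
    signing_input = f"{protected}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url_encode(signature)}


def verify_eab(eab: dict, hmac_key_b64url: str) -> bool:
    """The CA-side check: the signature must be present and must recompute under the EAB key."""
    if not eab.get("signature"):
        return False  # the "JWS Signature MUST be present" case from the log
    key = b64url_decode(hmac_key_b64url)
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


if __name__ == "__main__":
    hdr = decode_protected(PAGE_PROTECTED)
    key_b64 = b64url_encode(SAMPLE_KEY_BYTES)
    # Placeholder account JWK; a real one carries the P-256 public point of account.key.
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    eab = build_eab(hdr["kid"], key_b64, jwk, hdr["url"])
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, key_b64))
    print("wrapped key decodes identically:", b64url_decode(wrap64(key_b64)) == SAMPLE_KEY_BYTES)
```

Running it prints a signed EAB object that `verify_eab` accepts, and shows that the same key decodes correctly from both the single-line form and the 64-column form, which is the property a decoder in the client needs regardless of the OpenSSL version behind it.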

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

@annieoxe

> Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

In the logs of --debug 2 you can obviously see that it is the latest version.
