x/crypto/acme: client is not reporting account retrieve error and sends JWK in the protected headers to endpoints which expect KID #76345

@fangpenlin

Description

Go version

go version go1.25.2 darwin/arm64

Output of go env in your module/workspace:

AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE='on'
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/fangpenlin/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/fangpenlin/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/wc/g97rf4092_z9wqbp93djvnt00000gn/T/go-build4293327432=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/fangpenlin/workspace/playground/cert-manager/go.mod'
GOMODCACHE='/Users/fangpenlin/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/fangpenlin/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/fangpenlin/sdk/go1.25.2'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/fangpenlin/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/fangpenlin/sdk/go1.25.2/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.25.2'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

Run cert-manager in a Kubernetes cluster to issue a certificate from an Infisical ACME server.

What did you see happen?

Encountered a "KID not present in the protected header" error; a JWK is provided instead:

{
  "type": "AcmeMalformedError",
  "message": "KID is required in the protected header"
}

What did you expect to see?

The ACME client should not silently discard the account retrieval error and send a JWK to endpoints which expect a KID when the KID value is not available.

We reported our finding in the downstream cert-manager repo:

cert-manager/cert-manager#7388 (comment)

We have opened a PR for fixing the issue in the forked ACME client in cert-manager:

cert-manager/cert-manager#8262

As the source of the problem is the ACME library, we are also reporting it here, and I will create a PR addressing the issue shortly.

To add more on top of the issue, here's how it works:

  1. accountKid discards the error while retrieving the account KID when it's not available yet:
    https://github.com/golang/crypto/blob/2df4153a0311bdfea44376e0eb6ef2faefb0275b/acme/acme.go#L151-L154

  2. the jwsEncodeJSON method provides a JWK in the protected header when the KID is not available, even for endpoints expecting a KID:
    https://github.com/golang/crypto/blob/2df4153a0311bdfea44376e0eb6ef2faefb0275b/acme/jws.go#L82-L87
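The failure mode described in the two steps above, written out as a self-contained Go illustration. This is added example code, not code from the issue, from x/crypto/acme or from cert-manager: the function and type names (protectedHeader, serverCheck, run, outcome), the endpoint names, the fake account URL and the stub kidLookup callbacks are all assumptions made for the demo. Per RFC 8555 section 6.2, "jwk" and "kid" are mutually exclusive, newAccount must carry "jwk", revokeCert may carry either, and every other request must carry "kid". protectedHeader with strict=false reproduces the reported behaviour (a failed account lookup is dropped and the header silently falls back to "jwk"); with strict=true the lookup error is returned instead. serverCheck applies the RFC rule on the receiving side, reusing the error message quoted in the report for the KID case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Endpoints that RFC 8555 section 6.2 allows to be authenticated with a "jwk"
// (newAccount must, revokeCert may). Every other request must carry "kid".
var jwkEndpoints = map[string]bool{"newAccount": true, "revokeCert": true}

// jwkFor encodes an EC public key as a JWK (RFC 7518 section 6.2.1).
func jwkFor(pub *ecdsa.PublicKey) map[string]string {
	size := (pub.Curve.Params().BitSize + 7) / 8
	enc := base64.RawURLEncoding.EncodeToString
	return map[string]string{
		"kty": "EC",
		"crv": pub.Curve.Params().Name,
		"x":   enc(pub.X.FillBytes(make([]byte, size))),
		"y":   enc(pub.Y.FillBytes(make([]byte, size))),
	}
}

// protectedHeader builds the JWS protected header for a request to endpoint.
// kidLookup stands in for the account-URL lookup (hypothetical callback).
// strict=false mirrors the behaviour the issue describes: a failed lookup is
// dropped and the header silently falls back to "jwk". strict=true returns
// the lookup error for every endpoint that does not accept "jwk".
func protectedHeader(endpoint, url, nonce string, pub *ecdsa.PublicKey,
	kidLookup func() (string, error), strict bool) (map[string]any, error) {
	hdr := map[string]any{"alg": "ES256", "nonce": nonce, "url": url}
	if jwkEndpoints[endpoint] {
		hdr["jwk"] = jwkFor(pub)
		return hdr, nil
	}
	kid, err := kidLookup()
	if err == nil && kid == "" {
		err = errors.New("empty account URL")
	}
	if err != nil {
		if strict {
			return nil, fmt.Errorf("acme: %s requires kid, account lookup failed: %w", endpoint, err)
		}
		hdr["jwk"] = jwkFor(pub) // the silent fallback the report complains about
		return hdr, nil
	}
	hdr["kid"] = kid
	return hdr, nil
}

// serverCheck applies the RFC 8555 section 6.2 rule on the server side.
// The message for the missing-KID case is the one quoted in the report.
func serverCheck(endpoint string, hdr map[string]any) error {
	_, hasKid := hdr["kid"]
	_, hasJwk := hdr["jwk"]
	switch {
	case hasKid && hasJwk, !hasKid && !hasJwk:
		return errors.New("malformed: exactly one of jwk and kid is required")
	case endpoint == "newAccount" && !hasJwk:
		return errors.New("malformed: newAccount requires jwk")
	case !jwkEndpoints[endpoint] && !hasKid:
		return errors.New("malformed: KID is required in the protected header")
	}
	return nil
}

// outcome records what one client/server round produced.
type outcome struct {
	Field     string // "kid", "jwk", or "" when the client refused to build the header
	ClientErr error
	ServerErr error
}

// run builds a header for endpoint with a fresh P-256 account key, then
// applies the server check and returns both results.
func run(endpoint string, strict bool, kidLookup func() (string, error)) outcome {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return outcome{ClientErr: err}
	}
	hdr, err := protectedHeader(endpoint, "https://acme.example/"+endpoint, "nonce-1",
		&key.PublicKey, kidLookup, strict)
	if err != nil {
		return outcome{ClientErr: err}
	}
	out := outcome{Field: "jwk", ServerErr: serverCheck(endpoint, hdr)}
	if _, ok := hdr["kid"]; ok {
		out.Field = "kid"
	}
	return out
}

func main() {
	// Constructed stubs: an account fetch that fails, and one that succeeds.
	noAccount := func() (string, error) { return "", errors.New("GET account: 404") }
	account := func() (string, error) { return "https://acme.example/acct/1", nil }
	fmt.Printf("buggy newOrder, no account:  %+v\n", run("newOrder", false, noAccount))
	fmt.Printf("strict newOrder, no account: %+v\n", run("newOrder", true, noAccount))
	fmt.Printf("strict newOrder, registered: %+v\n", run("newOrder", true, account))
	fmt.Printf("strict newAccount:           %+v\n", run("newAccount", true, noAccount))
}
```

With strict=false the first call reaches the server and is rejected with the report's "KID is required" message, hiding the real cause; with strict=true the same call fails on the client with the wrapped "GET account: 404" lookup error, which is the behaviour the report asks for.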

Metadata

Assignees

No one assigned

Labels

BugReport (Issues describing a possible bug in the Go implementation), NeedsFix (The path to resolution is known, but the work has not been done)
