Hi,
I'm trying to create a new cert using the Azure plugin and getting an "Invalid algorithm specified" exception. After some troubleshooting, I found the problem seems to be signing the message to authenticate with Azure. Here is the debug output using the Publish-Challenge command to test the plugin:
PS C:\Users\user> Publish-Challenge example.com (Get-PAAccount) faketoken Azure $pArgs -Verbose
VERBOSE: Publishing challenge for Domain example.com with Token faketoken using Plugin Azure and DnsAlias ''.
DEBUG: Loading PAAccount list from disk
DEBUG: Calling Azure plugin to add _acme-challenge.example.com TXT with value KQiek8ndRMS_aANyU6Y8lykmBIr5H0wMG8BoOfzX42I
DEBUG: Checking for cert thumbprint XXXX26B6C2D22B805D569A231F0D48970999DD4F in CurrentUser store.
DEBUG: Private key is type System.Security.Cryptography.RSACryptoServiceProvider
VERBOSE: Authenticating with certificate based credential
DEBUG: ACME Header:
{
"x5t": "SDgmtsLSK4BdVppAzw1IlwmZ3Ss",
"typ": "JWT",
"alg": "RS256"
}
DEBUG: ACME Payload:
{"exp":"1754630587","sub":"2763d407-ef85-4100-8224-XXXXXXXXXXXX","iss":"2763d407-ef85-4100-8224-XXXXXXXXXXXX","jti":"dd4459ce-fe69-44d0-8a35-XXXXXXXXXXXX","aud":"https://login.microsoftonline.com/0742e223-869
3-48ac-8415-XXXXXXXXXXXX/oauth2/token","nbf":"1754626987"}
DEBUG: Signing message using RSA with SHA256
New-Jws : Exception calling "SignData" with "3" argument(s): "Invalid algorithm specified.
"
At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.29.3\Plugins\Azure.ps1:677 char:20
+ ... $jwt = New-Jws $privKey $jwtHead $payload -Compact -NoHeaderVali ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-Jws], MethodInvocationException
+ FullyQualifiedErrorId : CryptographicException,New-Jws
I could not find any reference to this error anywhere. Is this a problem with the specific certificate used or the way it is stored? I saw a warning message in the plugin documentation about having the certificate stored using CSP and not KSP. Using certutil to pull the certificate details, I can see the provider used for the certificate in question is "Microsoft Strong Cryptographic Provider", but I have no clue if this is the good or bad one...
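One way to check the provider question raised above, as an added example that is not part of the original post or of Posh-ACME: it reports which provider holds the certificate's private key and attempts the same three-argument SignData call outside the plugin. The thumbprint is a placeholder and the test message is constructed.

```powershell
# Added diagnostic example (not Posh-ACME code). Run in the same Windows PowerShell
# session and user context that runs the Azure plugin.
$thumbprint = '<CERT_THUMBPRINT>'   # placeholder: thumbprint of the credential certificate

$cert = Get-Item "Cert:\CurrentUser\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no associated private key in this store."
}

# Same key type the debug output above reports (RSACryptoServiceProvider = legacy CSP key).
$key = $cert.PrivateKey
"Key type      : $($key.GetType().FullName)"

if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info = $key.CspKeyContainerInfo
    "Provider name : $($info.ProviderName)"
    "Provider type : $($info.ProviderType)"
    # Provider type 1 is PROV_RSA_FULL, a provider family that predates SHA-2.
    # Provider type 24 is PROV_RSA_AES, which implements SHA-256.
    if ($info.ProviderType -ne 24) {
        Write-Warning "Key is held by a provider type that may not support SHA-256 signing."
    }
}

# Reproduce the RS256 signing step on a constructed message, without contacting Azure.
$data = [System.Text.Encoding]::ASCII.GetBytes('constructed test message')
try {
    $sig = $key.SignData(
        $data,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "SHA256 signing: OK ($($sig.Length)-byte signature)"
}
catch {
    # GetBaseException() unwraps PowerShell's MethodInvocationException
    # to the underlying CryptographicException.
    "SHA256 signing: FAILED - $($_.Exception.GetBaseException().Message)"
}
```

If the signing step fails here with the same message, the problem is reproducible independently of the plugin and is tied to how this certificate's key is stored.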