Set-PAAccount -KeyRollover returns a 401 error. Below are the respective debugs:
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._lookup(jwk:{"crv": "P-256", "kty": "EC", "x": "9XnQgsPGdHblq18yhfYOyL0ScHIQrW4foz8HjB05XSE", "y": "bhQKarlY54Gl_HNfoaTVMGP_GHisN8cXN8sVLVa-7W4"})'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - DBStore.account_lookup(jwk:{"crv": "P-256", "kty": "EC", "x": "9XnQgsPGdHblq18yhfYOyL0ScHIQrW4foz8HjB05XSE", "y": "bhQKarlY54Gl_HNfoaTVMGP_GHisN8cXN8sVLVa-7W4"})'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._inner_jws_check()'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._header_url_compare()'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._header_url_compare() ended with: 200'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._inner_jws_check() ended with: 200:None'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._inner_payload_check()'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._key_compare(vymCW0ohggei)'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - DBStore.jwk_load(vymCW0ohggei)'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._key_compare() ended with: 401'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._inner_payload_check() ended with: 401:wrong public key'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._key_change_validate() ended with: 401:wrong public key'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._key_rollover() ended with: 401'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account._key_change() ended with: 401'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Message.prepare_response()'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Error.enrich_error()'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Error.acme_errormessage(urn:ietf:params:acme:error:unauthorized)'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Nonce.nonce_generate_and_add()'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Nonce.nonce__new()'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - got nonce: a624f9b716994e618b5f7bf341031bb0'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - DBStore.nonce_add(a624f9b716994e618b5f7bf341031bb0)'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Nonce.generate_and_add() ended with:a624f9b716994e618b5f7bf341031bb0'
'2023-06-18 16:34:05 - acme2certifier - DEBUG - Account.account_parse() returns: {"code": 401, "header": {"Replay-Nonce": "a624f9b716994e618b5f7bf341031bb0"}, "data": {"status": 401, "type": "urn:ietf:params:acme:error:unauthorized", "detail": "wrong public key"}}'
'2023-06-18 16:34:05 - acme2certifier - INFO - 192.168.14.1 /acme/key-change {'code': 401, 'header': {'Replay-Nonce': '- modified -'}, 'data': {'status': 401, 'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'wrong public key'}}'
Unauthorized: /acme/key-change
'2023-06-18 16:34:05 - acme2certifier - WARNING - Unauthorized: /acme/key-change'
192.168.14.1 - - [18/Jun/2023 16:34:05] "POST /acme/key-change HTTP/1.1" 401 -
acme2certifier expects the "alg" attribute to be sent as part of the oldkey parameter in inner_payload.
Below what is sent by Posh-ACME oldkey:
{'crv': 'P-256', 'kty': 'EC', 'x': 'XwjGgwB0-3Ft9ZdegA0SaVvajxJoUyYcfF33z4yvbuY', 'y': 'jr3JQsChyxkMLKP76FuhraHeO4tZFwt8oL_bEe3gLco'}
Below what is stored in database
{'alg': 'ES256', 'crv': 'P-256', 'kty': 'EC', 'x': 'XwjGgwB0-3Ft9ZdegA0SaVvajxJoUyYcfF33z4yvbuY', 'y': 'jr3JQsChyxkMLKP76FuhraHeO4tZFwt8oL_bEe3gLco'}
Key-Rollover works when using LE_STAGING, thus I assume an incorrect behaviour in a2c and will work around it there...
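The mismatch described in the comment above (the same EC key, with and without the optional "alg" member) can be avoided by comparing RFC 7638 thumbprints, which hash only the required key members. This is an added example, not acme2certifier's code and not the change made in the fix commit; the function and constant names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Members that enter the thumbprint, per key type (RFC 7638 section 3.2, RFC 8037).
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

# Values copied from the issue: oldkey as sent by the client, and the stored form.
SENT_OLDKEY = {"crv": "P-256", "kty": "EC",
               "x": "XwjGgwB0-3Ft9ZdegA0SaVvajxJoUyYcfF33z4yvbuY",
               "y": "jr3JQsChyxkMLKP76FuhraHeO4tZFwt8oL_bEe3gLco"}
STORED_JWK = dict(SENT_OLDKEY, alg="ES256")
# A second key from the debug log, used here only as a key that must not match.
OTHER_JWK = {"crv": "P-256", "kty": "EC",
             "x": "9XnQgsPGdHblq18yhfYOyL0ScHIQrW4foz8HjB05XSE",
             "y": "bhQKarlY54Gl_HNfoaTVMGP_GHisN8cXN8sVLVa-7W4"}


def jwk_thumbprint(jwk):
    """Return the base64url SHA-256 thumbprint of a public JWK (RFC 7638)."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    try:
        canonical = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    except KeyError as exc:
        raise ValueError(f"JWK is missing required member {exc}") from None
    if not all(isinstance(value, str) for value in canonical.values()):
        raise ValueError("required JWK members must be strings")
    # Canonical form: required members only, sorted by name, no whitespace.
    data = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(data.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def same_public_key(jwk_a, jwk_b):
    """True only if both JWKs are well-formed and hold the same key material."""
    try:
        return hmac.compare_digest(jwk_thumbprint(jwk_a), jwk_thumbprint(jwk_b))
    except ValueError:
        return False  # malformed input never counts as a match
```

The thumbprint only identifies key material; the signature algorithm still has to be checked separately against the JWS protected header when the request is verified.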
[fix] #112 - keyrollover when using Posh-ACME
68914f5
Fix got included in v0.28