amphtml: update cache return 403

Hi all

I have read https://developers.google.com/amp/cache/update-cache and followed the example; the data verifies OK:

```
vocka@lalacube:/tmp$ openssl dgst -sha256 -signature signature2.bin -verify public-key.pem url.txt
Verified OK
```

Step 1. check the public key

  1. https://blog.lalacube.com/.well-known/amphtml/apikey.pub <- can read the data.

  2. my sample code

```php
<?php
function urlsafe_b64encode($string) {
    $data = base64_encode($string);
    $data = str_replace(array('+','/','='),array('-','_',''),$data);
    return $data;
}
$timestamp=time();
$ampBaseUrl = "https://blog-lalacube-com.cdn.ampproject.org";
//https://blog-lalacube-com.cdn.ampproject.org/c/s/blog.lalacube.com/mei/yahoo_auction_amp.html
$signatureUrl = '/update-cache/c/s/blog.lalacube.com/mei/yahoo_auction_amp.html?amp_action=flush&amp_ts='.$timestamp;
// opening the private key
$pkeyid = openssl_pkey_get_private("file://private-key.pem");
// generating the signature
openssl_sign($signatureUrl, $signature, $pkeyid, OPENSSL_ALGO_SHA256);
openssl_free_key($pkeyid);

$signature = urlsafe_b64encode($signature);
// final url for updating
$ampUrl = $ampBaseUrl.$signatureUrl."&amp_url_signature=".$signature;
echo $ampUrl."\n";
```

example : https://blog-lalacube-com.cdn.ampproject.org/update-cache/c/s/blog.lalacube.com/mei/yahoo_auction_amp.html?amp_action=flush&amp_ts=1506496391&amp_url_signature=hYTPVcaUtEWvg0zPEs-DsDDyeWdjz1RirZLFiFkyeG4-0HFbS7PHBqoREHgZpv60xB3hWXLwTr5b0FHcgOYLIK6_Z48nbMvkY3At7FL0dACIKAaovOxCSigbNJ9xt89gRCYzeg10ub-VM7JDxxazOwuu6lR0UB9BMcRn1-aLcbcX56VSqtmG1c84hpvIIfGnMlpp9O9PRB1Ps55RDRR6pVRrBMldL6FS8YtqQbTFohebL_nPFTLs1_Q5hmQMboPSGmewCcZ4YvtLb6jnw_g60mhU352JV6lyy1QwOmo55WY9QHT9wsC-Co7SnhJJVkBoQDGGBIxY3t8NkaGPnq4QMA

  3. curl

```
curl 'https://blog-lalacube-com.cdn.ampproject.org/update-cache/c/s/blog.lalacube.com/mei/yahoo_auction_amp.html?amp_action=flush&amp_ts=1506496391&amp_url_signature=hYTPVcaUtEWvg0zPEs-DsDDyeWdjz1RirZLFiFkyeG4-0HFbS7PHBqoREHgZpv60xB3hWXLwTr5b0FHcgOYLIK6_Z48nbMvkY3At7FL0dACIKAaovOxCSigbNJ9xt89gRCYzeg10ub-VM7JDxxazOwuu6lR0UB9BMcRn1-aLcbcX56VSqtmG1c84hpvIIfGnMlpp9O9PRB1Ps55RDRR6pVRrBMldL6FS8YtqQbTFohebL_nPFTLs1_Q5hmQMboPSGmewCcZ4YvtLb6jnw_g60mhU352JV6lyy1QwOmo55WY9QHT9wsC-Co7SnhJJVkBoQDGGBIxY3t8NkaGPnq4QMA'
```

The result is: Error 403 (Forbidden)

I found https://stackoverflow.com/questions/46176405/amp-update-cache-request-returns-403, which is similar.

So how can I debug? Thanks, Vocka

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 51 (14 by maintainers)

Most upvoted comments

I have published a composer package for clearing AMP cache

https://packagist.org/packages/ennexa/amp-update-cache

> I have published a composer package for clearing AMP cache
>
> https://packagist.org/packages/ennexa/amp-update-cache

This worked for me. Got it up and running relatively quickly despite never having used PHP.

I had the same issue. My problem was:

  1. I used phpseclib\Crypt\RSA, and it wasn't signing it in a way that was expected, apparently. Once I switched to the openssl PHP library and used OPENSSL_ALGO_SHA256 in openssl_sign(), it finally worked!
  2. Also, I was only replacing + and / for web-safe encoding. After reading comments, I added = to it as well, so it looks like this: `$encoded_signature = str_replace(['+','/','='],['-','_',''], base64_encode($signature));`
  3. I made sure that I have a leading / in the URL request that I sign (the one before update-cache).

Hope that helps!
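
Added example (not part of the thread and not any participant's code): a shell pre-flight check that signs an update-cache path with `openssl dgst -sha256`, web-safe-encodes the signature, and verifies the encoded value against the public key before the request is sent, covering the three pitfalls listed in the comment above. The function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from the AMP project.
# Usage: sig=$(sign_path private-key.pem "$path") &&
#        verify_path apikey.pub "$path" "$sig"

# Web-safe base64: '+' -> '-', '/' -> '_', '=' padding stripped.
websafe_b64() {
    openssl base64 -A | tr '/+' '_-' | tr -d '='
}

# Inverse: restore the standard alphabet and padding, then decode.
websafe_b64_decode() {
    s=$(tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | openssl base64 -d -A
}

# sign_path PRIVATE_KEY PATH_AND_QUERY
# Signs exactly the bytes given (no trailing newline) with RSA + SHA-256.
sign_path() {
    case $2 in
        /update-cache/*) ;;
        *) echo "signed string must start with /update-cache/" >&2
           return 1 ;;
    esac
    printf '%s' "$2" | openssl dgst -sha256 -sign "$1" | websafe_b64
}

# verify_path PUBLIC_KEY PATH_AND_QUERY WEBSAFE_SIGNATURE
# Returns 0 only if the signature matches the public key and the path.
verify_path() {
    sig_file=$(mktemp) || return 2
    printf '%s' "$3" | websafe_b64_decode > "$sig_file"
    if printf '%s' "$2" |
        openssl dgst -sha256 -verify "$1" -signature "$sig_file" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$sig_file"
    return "$rc"
}
```

Running `verify_path` against the key actually served at `/.well-known/amphtml/apikey.pub` separates a signing or encoding mistake from a server-side cause of the 403.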

Sorry to keep you waiting, @JoyceBabu :

If this doesn’t help, please share the code you used to produce the signed url.

First of all, I determined that AMP Cache does not handle HTTP refresh correctly for update-cache verification keys: if you issue an update-cache request and then swap /.well-known/amphtml/apikey.pub with a different key, we keep using the old key material indefinitely. To make things worse, 404 responses are also cached forever 😦

I filed an internal bug report, but it might take some time for the fix to roll out to production. Meanwhile, I can flush invalid keys manually. Just send me a private message either on GitHub or on amphtml.slack.com. Apologies for not discovering this sooner.

Specifically for @advgiarc: the code at https://dpaste.de/27OM should include the leading “/” in sign_url. Everything else looks correct to me.