stepman

Just to wrap this up, after two long nights I found out what the problem was by intercepting and tracing the registration flow. Apparently the Jetpack server doesn’t like multi-line headers. I have a Content-Security-Policy header that was broken into multiple lines for ease of administration:

Content-Security-Policy: default-src 'self' 'unsafe-inline' use.typekit.net *.stephanmantler.com stats.wp.com;
 img-src 'self' https://*.stepman.is https://*.stepman.is *.openstreetmap.org pixel.wp.com *.cdninstagram.com www.tripadvisor.com data:;
 font-src 'self' use.typekit.net *.wp.com fonts.gstatic.com static.tacdn.com *.bootstrapcdn.com data:;
 style-src 'self' *.typekit.net *.stephanmantler.com fonts.googleapis.com *.bootstrapcdn.com ajax.googleapis.com static.tacdn.com *.wp.com cdnjs.cloudflare.com 'unsafe-inline';
 script-src 'self' *.jscache.com www.tripadvisor.com *.stephanmantler.com maps.googleapis.com *.wp.com static.tacdn.com cdnjs.cloudflare.com code.jquery.com cdn.polyfill.io 'unsafe-inline' 'unsafe-eval' 

Which caused the failure.

I know this was playing a bit fast and loose with RFC 7230 but even the current CSP3 spec appears to use multi-line examples… and it has not been an issue on any other occasion, including the version of cURL I have installed here (I did, however, find a related issue for cURL 7.83).

In any case, changing the header header to a single line allows the registration flow to continue.

I am hosting this WP instance on my own server, and the nginx & php-fpm log files are not showing anything I can use to further diagnose the problem. I used Site Health to verify the checksums of the WP installation (which came back okay) but I will make a more thorough check against a fresh install with all plugins disabled & standard theme tonight.

It’s a Jetpack issue and looks like it will be fixed in the next release.