Boulder divergences from ACME
While Boulder attempts to implement the ACME specification (RFC 8555) as strictly as possible there are places at which we will diverge from the letter of the specification for various reasons. This document describes the difference between RFC 8555 and Boulder's implementation of ACME, informally called ACMEv2 and available at https://acme-v02.api.letsencrypt.org/directory. A listing of RFC conformant design decisions that may differ from other ACME servers is listed in implementation_details.
Presently, Boulder diverges from the RFC 8555 ACME spec in the following ways:
Boulder supports POST-as-GET but does not mandate it for requests that simply fetch a resource (certificate, order, authorization, or challenge).
For all rate-limits, Boulder includes a
Link header to additional documentation on rate-limiting. Only rate-limits on
duplicate certificates and
certificates per registered domain are accompanied by a
Boulder does not supply the
orders field on account objects. We intend to
support this non-essential feature in the future. Please follow Boulder Issue
Boulder does not accept the optional
notAfter fields of a
newOrder request paylod.
Pre-authorization is an optional feature and we have no plans to implement it. V2 clients should use order based issuance without pre-authorization.
Boulder does not process
Accept headers for
Content-Type negotiation when retrieving certificates.
Boulder does not implement the ability to retry challenges or the