/boulder

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement optional POST-as-GET support #3871

Closed
cpu opened this Issue Sep 25, 2018 · 4 comments

Comments

Assignees

@cpu cpu

Labels
Projects
None yet
Milestone
  Sprint 2018-10-16
4 participants
@cpu @felixfontein @rmbolger @jsha
@cpu
Member

cpu commented Sep 25, 2018
edited

The draft ACME protocol has removed unauthenticated GET requests to order, authorization, and challenge resources. Because this is not a backwards compatible change we're intending to roll out support gradually before removing support for GETs to these resources entirely.

We need to:

  • Update wfe2/verify.go with support for verifying POST-as-GET requests
  • Add optional support for POST-as-GET to orders
  • Add optional support for POST-as-GET to authorizations
  • Add optional support for POST-as-GET to challenges
  • Add optional support for POST-as-GET to order certificate URLs
  • Add optional support for POST-as-GET to accounts

On November 1st, 2019 we will remove support for GET requests to orders, authorizations and challenges making POST-as-GET mandatory. When we do this we'll need to take care that you can't access any V2 resources via the V1 endpoint.

Client developers that want a head-start testing their clients against this change are encouraged to use Pebble, which has already implemented the change for -strict mode.

@cpu cpu added layer/api kind/feature area/wfe kind/spec-compliance labels Sep 25, 2018

@jsha jsha added this to the Sprint 2018-09-25 milestone Sep 25, 2018

@jsha jsha assigned cpu Sep 25, 2018

@felixfontein

This comment has been minimized.

Sign in to view
Contributor

felixfontein commented Oct 6, 2018

I think this list is missing POST-as-GET for account resources (similar to letsencrypt/pebble#171).
@cpu

This comment has been minimized.

Sign in to view
Member

cpu commented Oct 9, 2018

@felixfontein Right as usual! Thanks! I updated the issue description.

@jsha jsha modified the milestones: Sprint 2018-09-25, Sprint 2018-10-09 Oct 9, 2018

@rmbolger

This comment has been minimized.

Sign in to view

rmbolger commented Oct 11, 2018

Do I assume correctly that the account change from {} to POST-as-GET will also be mandatory on the Nov. 1st, 2019 cutoff? But until then, it will support both?
@cpu

This comment has been minimized.

Sign in to view
Member

cpu commented Oct 11, 2018

@rmbolger Yes, I think that makes the most sense.

@cpu cpu referenced this issue Oct 11, 2018

Merged

ACME v2: Optional POST-as-GET support. #3883

@jsha jsha modified the milestones: Sprint 2018-10-09, Sprint 2018-10-16 Oct 16, 2018

@lukas2511 lukas2511 referenced this issue Oct 20, 2018

Open

Dropping old ACMEv1 Support? #510

@cpu cpu closed this in #3883 Oct 22, 2018

cpu added a commit that referenced this issue Oct 22, 2018

@cpu
ACME v2: Optional POST-as-GET support. (#3883) 
This allows POST-as-GET requests to Orders, Authorizations, Challenges, Certificates and Accounts. Legacy GET support remains for Orders, Authorizations, Challenges and Certificates. Legacy "POST {}" support for Accounts remains.

Resolves #3871
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
1398377
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment