New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement optional POST-as-GET support #3871

Closed
cpu opened this Issue Sep 25, 2018 · 4 comments

Comments

Projects
None yet
4 participants
@cpu
Member

cpu commented Sep 25, 2018

The draft ACME protocol has removed unauthenticated GET requests to order, authorization, and challenge resources. Because this is not a backwards compatible change we're intending to roll out support gradually before removing support for GETs to these resources entirely.

We need to:

  • Update wfe2/verify.go with support for verifying POST-as-GET requests
  • Add optional support for POST-as-GET to orders
  • Add optional support for POST-as-GET to authorizations
  • Add optional support for POST-as-GET to challenges
  • Add optional support for POST-as-GET to order certificate URLs
  • Add optional support for POST-as-GET to accounts

On November 1st, 2019 we will remove support for GET requests to orders, authorizations and challenges making POST-as-GET mandatory. When we do this we'll need to take care that you can't access any V2 resources via the V1 endpoint.

Client developers that want a head-start testing their clients against this change are encouraged to use Pebble, which has already implemented the change for -strict mode.

@felixfontein

This comment has been minimized.

Contributor

felixfontein commented Oct 6, 2018

I think this list is missing POST-as-GET for account resources (similar to letsencrypt/pebble#171).

@cpu

This comment has been minimized.

Member

cpu commented Oct 9, 2018

@felixfontein Right as usual! Thanks! I updated the issue description.

@rmbolger

This comment has been minimized.

rmbolger commented Oct 11, 2018

Do I assume correctly that the account change from {} to POST-as-GET will also be mandatory on the Nov. 1st, 2019 cutoff? But until then, it will support both?

@cpu

This comment has been minimized.

Member

cpu commented Oct 11, 2018

@rmbolger Yes, I think that makes the most sense.

@cpu cpu closed this in #3883 Oct 22, 2018

cpu added a commit that referenced this issue Oct 22, 2018

ACME v2: Optional POST-as-GET support. (#3883)
This allows POST-as-GET requests to Orders, Authorizations, Challenges, Certificates and Accounts. Legacy GET support remains for Orders, Authorizations, Challenges and Certificates. Legacy "POST {}" support for Accounts remains.

Resolves #3871
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment