Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement optional POST-as-GET support #3871

Closed
cpu opened this issue Sep 25, 2018 · 4 comments
Closed

Implement optional POST-as-GET support #3871

cpu opened this issue Sep 25, 2018 · 4 comments

Comments

@cpu
Copy link
Contributor

@cpu cpu commented Sep 25, 2018

The draft ACME protocol has removed unauthenticated GET requests to order, authorization, and challenge resources. Because this is not a backwards compatible change we're intending to roll out support gradually before removing support for GETs to these resources entirely.

We need to:

  • Update wfe2/verify.go with support for verifying POST-as-GET requests
  • Add optional support for POST-as-GET to orders
  • Add optional support for POST-as-GET to authorizations
  • Add optional support for POST-as-GET to challenges
  • Add optional support for POST-as-GET to order certificate URLs
  • Add optional support for POST-as-GET to accounts

On November 1st, 2019 we will remove support for GET requests to orders, authorizations and challenges making POST-as-GET mandatory. When we do this we'll need to take care that you can't access any V2 resources via the V1 endpoint.

Client developers that want a head-start testing their clients against this change are encouraged to use Pebble, which has already implemented the change for -strict mode.

@felixfontein
Copy link
Contributor

@felixfontein felixfontein commented Oct 6, 2018

I think this list is missing POST-as-GET for account resources (similar to letsencrypt/pebble#171).

@cpu
Copy link
Contributor Author

@cpu cpu commented Oct 9, 2018

@felixfontein Right as usual! Thanks! I updated the issue description.

@rmbolger
Copy link

@rmbolger rmbolger commented Oct 11, 2018

Do I assume correctly that the account change from {} to POST-as-GET will also be mandatory on the Nov. 1st, 2019 cutoff? But until then, it will support both?

@cpu
Copy link
Contributor Author

@cpu cpu commented Oct 11, 2018

@rmbolger Yes, I think that makes the most sense.

@cpu cpu closed this in #3883 Oct 22, 2018
cpu added a commit that referenced this issue Oct 22, 2018
This allows POST-as-GET requests to Orders, Authorizations, Challenges, Certificates and Accounts. Legacy GET support remains for Orders, Authorizations, Challenges and Certificates. Legacy "POST {}" support for Accounts remains.

Resolves #3871
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.