ACME Protocol clarification


#1

Hi, I'm implementing ACME support for a CA and I would like to know which versions of ACME are supported by Certbot and maybe other clients… draft-ietf-acme-acme-01 or higher? And do you have plans to upgrade to new versions of the draft shortly (next year)?

Thanks!


#2

Great to hear from CAs interested in implementing ACME! :tada:

Just about all client implementations currently target the acme-01 draft. Boulder, the CA software behind Let’s Encrypt, likely will stick with that version of ACME until the IETF finishes the standardization process (though there are a few backwards-compatible things from later drafts that are supported by Boulder).

I’d say if your plan is to be compatible with most ACME clients for the next 12 months or so, acme-01 should be your target, though my guess would be that most clients will track Let’s Encrypt and switch to the new version of the protocol once Let’s Encrypt offers it, so you might have to follow suit.


#3

Awesome, thanks for the direction.


#4

From https://acme-v01.api.letsencrypt.org/directory:

{
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}

From https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-6.2:

{
  "new-reg": "https://example.com/acme/new-reg",
  "recover-reg": "https://example.com/acme/recover-reg",
  "new-authz": "https://example.com/acme/new-authz",
  "new-cert": "https://example.com/acme/new-cert",
  "revoke-cert": "https://example.com/acme/revoke-cert"
}

It seems "recover-reg" is not implemented, or maybe I'm looking at the wrong URL for version 1 of the protocol?
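The comparison in the post above can be done mechanically by a client before it starts talking to a CA. The following is an added example, not code from the thread, Certbot or Boulder: it parses a directory document (the Boulder v01 directory quoted above, embedded here as a constructed sample so the script runs offline), diffs its resource names against the draft-01 directory example, and fails loudly when a resource the client needs is absent instead of crashing on a missing key mid-flow. The check that every resource URL is HTTPS on the directory's own host is a conservative client-side policy assumed here, not something draft-01 requires.

```python
import json
from urllib.parse import urlsplit

# Resource names from the directory example in draft-ietf-acme-acme-01, section 6.2.
DRAFT01_RESOURCES = frozenset(
    ["new-reg", "recover-reg", "new-authz", "new-cert", "revoke-cert"]
)

# Constructed sample input: the Boulder v01 directory as quoted in the post above,
# embedded so this runs without network access.
SAMPLE_DIRECTORY_URL = "https://acme-v01.api.letsencrypt.org/directory"
SAMPLE_DIRECTORY_BODY = """{
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}"""


def parse_directory(body, directory_url):
    """Parse a directory document and return {resource_name: url}.

    Rejects anything that is not a JSON object of string values, and any
    resource URL that is not HTTPS on the directory's own host. The
    directory tells the client where to send its signed requests, so
    pinning those URLs to the origin the directory was fetched from is a
    defensive choice assumed here (not mandated by the draft).
    """
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("directory must be a JSON object")
    dir_host = urlsplit(directory_url).netloc
    resources = {}
    for name, url in doc.items():
        if not isinstance(url, str):
            raise ValueError("resource %r is not a string URL" % name)
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise ValueError("resource %r is not an https URL: %s" % (name, url))
        if parts.netloc != dir_host:
            raise ValueError("resource %r points off-origin: %s" % (name, url))
        resources[name] = url
    return resources


def compare_directory(resources, expected=DRAFT01_RESOURCES):
    """Return (missing, extra): draft resources the CA lacks, and names the draft does not list."""
    names = set(resources)
    return sorted(expected - names), sorted(names - expected)


def endpoint_for(resources, name):
    """Look up a resource by name with a clear error instead of a bare KeyError."""
    try:
        return resources[name]
    except KeyError:
        raise LookupError("CA directory does not offer %r" % name) from None


if __name__ == "__main__":
    res = parse_directory(SAMPLE_DIRECTORY_BODY, SAMPLE_DIRECTORY_URL)
    missing, extra = compare_directory(res)
    print("missing vs draft-01:", missing)  # ['recover-reg']
    print("not in draft-01:", extra)        # []
    print("new-reg ->", endpoint_for(res, "new-reg"))
```

Run against the sample, `compare_directory` reports `recover-reg` as the one draft-01 resource Boulder's v01 directory does not advertise, which is exactly the discrepancy the post spotted; a client that only ever needs new-reg, new-authz, new-cert and revoke-cert can treat that as informational rather than fatal.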


#5

The best way to think about Boulder’s ACME support is to look at the most current ACME draft (draft-04) and point out the places where Boulder is doing something different (generally in these few cases we’re closer to draft-02).

We try our best to keep these divergences catalogued in the Boulder repo. The specification is very much a living document right now :slight_smile:

For this specific case you’ll see that draft-04 doesn’t specify the recover-reg endpoint, and we do not implement it.


#6

Hello, do you have an IRC channel for Boulder dev support where I can pop some questions about ACME and the current implementation?


#7

There’s no Boulder-specific channel. Folks from both Certbot and Boulder make a best effort to watch #letsencrypt-dev on Freenode. Feel free to drop by!

If you’re from an existing CA implementing ACME I would also be happy to start an email thread with the Boulder team to do some introductions and make sure you have the resources you need :slight_smile: You can reach me at cpu at letsencrypt.org


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.