ACME spec asks for empty JSON blob in challenge validation request

The ACME spec asks for an empty JSON body ({}) when making a POST request aimed at validating a challenge -> https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.7.5.1. However, certbot appears to be making a request with the following body
({
“resource”: “challenge”,
“type”: “http-01”
})

Is this a vestige from an older version of the acme spec? Should it be changed to sending an empty JSON body?

In the mean time, can I assume that receiving any body that isn’t empty is akin to a validation check request?

2 Likes

Yup, it’s a vestige and should probably be fixed. I thought that Certbot #6755 updated the acme module to just send {} but perhaps it only removed the keyAuthorization and left the remaining fields you’re seeing.

Could you open an issue on the Certbot repo about this so the Certbot devs see it?

That sounds reasonable. Boulder throws away the JSON body right now and acts the same way as what you’re proposing.

I think it would be a nice ecosystem bump if we updated Pebble in -strict to outright reject JSON bodies with non-standard fields in challenge POST requests. I’ll work on getting an issue filed for that. It already rejects POSTs that include the legacy keyAuthorization but it doesn’t go beyond that.

3 Likes
3 Likes

Thanks for the reply! Issue filed: https://github.com/certbot/certbot/issues/7171.

2 Likes