ACME v1 endpoints giving 400?

I did some digging and found out why some clients/subscribers began seeing 400 messages after the CDN swap.

The HTTP/1.1 RFC (RFC 7231 - Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content) and, by association, the HTTP/2 RFC (RFC 7540 - Hypertext Transfer Protocol Version 2 (HTTP/2)) state:

> HTTP was originally designed to be usable as an interface to
> distributed object systems. The request method was envisioned as
> applying semantics to a target resource in much the same way as
> invoking a defined method on an identified object would apply
> semantics. The method token is case-sensitive because it might be
> used as a gateway to object-based systems with case-sensitive method
> names.

A side effect of the API CDN switch from Akamai to Cloudflare is that Akamai can no longer rewrite the request methods from lowercase to uppercase. I've not found explicit documentation that Akamai was doing that, but given your report I feel like there's a pretty good chance that it was happening. Our load balancer should be properly following these RFCs and rejecting the lowercase methods post, get, head, etc., per https://github.com/nginx/nginx/blob/master/src/http/ngx_http_core_module.c#L4329-L4345.

2 Likes
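
Added example, not part of the original post and not the project's own code: a small log triage script that finds 400 responses to requests whose method token is a standard HTTP method in the wrong case, grouped by user agent, so an operator can see which clients are affected. The log layout (combined access log format), the paths, addresses and user-agent strings are all constructed assumptions.

```python
import re
from collections import Counter

# Assumed layout: ip - - [time] "request line" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "CONNECT", "OPTIONS", "TRACE", "PATCH"}

def miscased_method(request_line):
    """Return the method token if it is a standard method in the wrong case, else None."""
    token = request_line.split(" ", 1)[0]
    if token not in STANDARD_METHODS and token.upper() in STANDARD_METHODS:
        return token
    return None

def affected_clients(log_lines):
    """Count 400 responses to mis-cased methods, keyed by (user agent, method token)."""
    hits = Counter()
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("status") != "400":
            continue  # unparsable line, or not a 400
        token = miscased_method(m.group("request"))
        if token is not None:
            hits[(m.group("ua"), token)] += 1
    return hits

# Constructed sample log lines (documentation address ranges, made-up clients).
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2020:00:00:01 +0000] "post /example/path HTTP/1.1" 400 157 "-" "example-client-a/1.0"',
    r'192.0.2.10 - - [01/Jan/2020:00:00:02 +0000] "post /example/path HTTP/1.1" 400 157 "-" "example-client-a/1.0"',
    r'192.0.2.11 - - [01/Jan/2020:00:00:03 +0000] "Head /directory HTTP/1.1" 400 157 "-" "example-client-d/0.9"',
    r'198.51.100.7 - - [01/Jan/2020:00:00:04 +0000] "POST /example/path HTTP/1.1" 201 512 "-" "example-client-b/2.3"',
    r'198.51.100.9 - - [01/Jan/2020:00:00:05 +0000] "GET /directory HTTP/1.1" 400 157 "-" "example-client-c/4.2"',
    r'192.0.2.44 - - [01/Jan/2020:00:00:06 +0000] "\x16\x03\x01" 400 157 "-" "-"',
]

if __name__ == "__main__":
    for (ua, token), count in affected_clients(SAMPLE_LOG).most_common():
        print(f"{count:4d}  method={token!r}  user-agent={ua!r}")
```

The uppercase `GET` that returned 400 and the non-HTTP bytes are deliberately not counted, since their 400s have some other cause.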