ACME v1/v2 - Changing "Challenges" returned for invalid/valid authorizations

On January 2nd, 2020 we will be enabling a change in our production ACME v1 and v2 environments that will alter how the "challenges" field of authorization resources is returned to better match RFC 8555.

After Jan 2nd we will be returning the "challenges" field of authorization resources based on the description in RFC 8555 Section 7.1.4:

For pending authorizations, the challenges that the client can fulfill in order to prove possession of the identifier. For valid authorizations, the challenge that was validated. For invalid authorizations, the challenge that was attempted and failed.

Prior to this change, the Let's Encrypt ACME v1 and v2 APIs returned a full list of challenges for valid and invalid authorizations, not just the challenge that was validated or attempted and failed.

This change should have no effect on RFC 8555 compliant ACME clients. If you want to test that this change will not affect your client ahead of Jan 2nd, you can use the Staging Environment or Pebble. Both of these environments already use the correct behaviour when returning the "challenges" field of an authorization.

Thank you,

8 Likes
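The following is an added example, not part of the original announcement and not Let's Encrypt's code: one way for a client to read the "challenges" field so that it behaves the same whether the server returns the full list or only the challenge RFC 8555 Section 7.1.4 describes. The function names and all sample authorization objects (URLs, tokens, error text, and the statuses of the untouched challenges in the full-list case) are constructed assumptions.

```python
# Added example: select challenges by their own "status" field instead of
# by list position or by assuming a given challenge type is always present.

def challenges_for_status(authz):
    """Return the challenges that matter for the authorization's status."""
    status = authz["status"]
    challenges = authz.get("challenges", [])
    if status in ("pending", "valid", "invalid"):
        # pending -> challenges the client may still attempt
        # valid   -> the challenge that was validated
        # invalid -> the challenge that was attempted and failed
        return [c for c in challenges if c.get("status") == status]
    return []  # deactivated / expired / revoked: nothing to act on


def failure_detail(authz):
    """For an invalid authorization, return (challenge type, error detail)."""
    failed = challenges_for_status(authz) if authz["status"] == "invalid" else []
    if not failed:
        return None
    return failed[0]["type"], failed[0].get("error", {}).get("detail", "")


def _chal(ctype, status, error=None):
    # Constructed challenge object with placeholder URL and token.
    c = {"type": ctype, "status": status, "token": "constructed-token",
         "url": "https://acme.example.com/chall/" + ctype}
    if error:
        c["error"] = error
    return c


ERR = {"type": "urn:ietf:params:acme:error:connection",
       "detail": "Connection refused"}
IDENT = {"type": "dns", "value": "www.example.com"}

# Full list returned for an invalid authorization (behaviour before the change).
FULL_LIST_INVALID = {"identifier": IDENT, "status": "invalid", "challenges": [
    _chal("dns-01", "pending"), _chal("http-01", "invalid", ERR),
    _chal("tls-alpn-01", "pending")]}

# Only the attempted-and-failed challenge (RFC 8555 Section 7.1.4 behaviour).
RFC_INVALID = {"identifier": IDENT, "status": "invalid",
               "challenges": [_chal("http-01", "invalid", ERR)]}

PENDING = {"identifier": IDENT, "status": "pending", "challenges": [
    _chal("http-01", "pending"), _chal("dns-01", "pending")]}
```

A client that instead indexes `challenges[0]` or looks up a fixed type such as `dns-01` on a valid or invalid authorization is the kind that can break when only one challenge is returned.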

This change is now enabled in production.

4 Likes

Quick update: I mistakenly wrote this API announcement as being specific to ACME v2. This was an oversight and the change did apply to the deprecated ACME v1 API as well. The announcement text/title is now updated to reflect this. Apologies for any confusion.

4 Likes