ACME v2 - Change to HTTP Status Code for HEAD new-nonce


#1

Summary

The ACME draft specification says successful HTTP HEAD requests to the new-nonce endpoint should return HTTP status code 200 (OK). Let’s Encrypt’s ACME v2 API has been incorrectly returning HTTP status code 204 (no content) for successful HEAD requests. We will be changing the ACME v2 staging API to fix this on Wednesday January 16th (Edit: This is now live in staging) and proceeding to the ACME v2 production API on Thursday January 24th (Edit: This is now live in production as well). GET requests to the new-nonce endpoint will continue to return HTTP Status 204 per the specification.

Background

Section 7.2, “Getting a Nonce”, of the current protocol draft (draft-ietf-acme-acme-18 at the time of writing) describes two HTTP status codes that may be returned to clients that make successful requests to the new-nonce endpoint:

  1. HTTP Status 204 (no content) for successful GET requests
  2. HTTP Status 200 (OK) for successful HEAD requests

Let’s Encrypt has been mistakenly returning status 204 for all successful requests, regardless of whether they were using HTTP method GET or HEAD.

Affected clients

If your ACME client is ACME v2 compatible, uses HEAD requests to the new-nonce endpoint to get nonces, and is programmed to expect an HTTP status 204 response as an indicator of success, you may have difficulty issuing or renewing certificates after January 17th. You can test your client and any required fixes ahead of the staging and production API changes by using the Pebble ACME test server in -strict mode. Please ensure you’re using a Pebble clone with the fix (2132a88).

Thanks!
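
An added example, not part of the original post and not Let's Encrypt's or Pebble's code: a client-side new-nonce check that treats either success status as valid in tolerant mode, pins the per-method status in strict mode, and always requires a usable Replay-Nonce header. The function names, the local stub server, the `/nonce` path and the sample nonce value are constructed for illustration.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED = {"HEAD": 200, "GET": 204}  # status per method, as stated in the post
B64URL = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME defines Replay-Nonce values as base64url

def check_nonce_response(method, status, nonce, strict=False):
    """Return the nonce, or raise ValueError if the response is not a usable success."""
    # Tolerant mode accepts either success code; strict mode pins the per-method code.
    allowed = {EXPECTED[method]} if strict else {200, 204}
    if status not in allowed:
        raise ValueError(f"{method} new-nonce: unexpected status {status}")
    if not nonce or not B64URL.match(nonce):
        raise ValueError(f"{method} new-nonce: missing or malformed Replay-Nonce")
    return nonce

def fetch_nonce(host, port, path, method="HEAD", strict=False):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()  # no body is expected for either method
        return check_nonce_response(method, resp.status, resp.getheader("Replay-Nonce"), strict)
    finally:
        conn.close()

class StubNewNonce(BaseHTTPRequestHandler):
    """Constructed local stand-in for a new-nonce endpoint (not Boulder or Pebble)."""
    head_status = 200  # 204 mimics the pre-fix behaviour described in the post
    def _reply(self, status):
        self.send_response(status)
        self.send_header("Replay-Nonce", "c2FtcGxlLW5vbmNl")  # constructed value
        self.end_headers()

    def do_HEAD(self):
        self._reply(self.head_status)

    def do_GET(self):
        self._reply(204)
    def log_message(self, *args):  # keep the stub quiet
        pass

def start_stub(head_status):
    handler = type("Handler", (StubNewNonce,), {"head_status": head_status})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

A client written this way keeps working across the change, because success is decided by a 2xx status plus a valid Replay-Nonce header rather than by one hard-coded status code.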


#2

Edit: I mistakenly indicated the production change would be on Jan 17th, not Jan 24th. This has been corrected in the original post.


#3

I’ve edited the original post to reflect that this change is now live in production.