ACME v2 - Scheduled deprecation of unauthenticated resource GETs


During a final round of review within the IETF the draft ACME protocol was updated to replace unauthenticated GET requests to resources (certificates, orders, authorizations and challenges) with an authenticated POST carrying a special empty JWS body (called a “POST-as-GET” request by the draft).

We have added support for the POST-as-GET construction for certificates, orders, authorizations and challenges to the ACME v2 API while simultaneously allowing legacy GET requests to these resources. Clients may begin sending POST-as-GET requests to the staging and production V2 API as of October 25th, 2018.

On November 1st, 2019 we will remove support for unauthenticated GETs from the V2 API, requiring client support for POST-as-GET. This will have no impact on the legacy V1 API which will remain unchanged.

In addition to the V2 staging API ACME client developers are encouraged to use the Pebble test server in -strict mode to test client POST-as-GET support. Please see the “GET and POST-as-GET Requests” section of the draft protocol for implementation information.

Any update on GETS -> POSTs conversation
ACME breaking change: Most GETs become POSTs

Edited the original post: optional POST-as-GET support is now available for both the staging and production V2 API.