ACME v2 - Scheduled deprecation of unauthenticated resource GETs

Hello everyone,

Unfortunately we've missed this November 1st date for roll-out of mandatory POST-as-GET in the staging environment. In the future I'll make sure there are multiple people tracking upcoming announced API changes so that my own lapse in memory won't cause unexpected delays. Sorry about any inconvenience!

We're now planning to make this change active in the staging environment on Wednesday December 4th, 2019.

After Dec 4th unauthenticated HTTP GET requests to ACME v2 resource URLs will return HTTP status code of 405 "method not allowed" and a body containing a JSON problem with type "urn:ietf:params:acme:error:malformed". POST-as-GET requests authenticated by a signature from an account other than the creating account will return an HTTP status code of 403 "forbidden" and a body containing a JSON problem with type "urn:ietf:params:acme:error:unauthorized".

If you are a Certbot user and want to ensure you will not be affected by this change make sure sudo certbot renew --dry-run succeeds after Dec 4th. If it does not, follow the instructions at https://certbot.eff.org and update to the most recent version of Certbot offered for your OS.

4 Likes