During a final round of review within the IETF before the creation of RFC 8555 the draft ACME protocol was updated to replace unauthenticated GET requests to resources (certificates, orders, authorizations and challenges) with an authenticated POST carrying a special empty JWS body (called a “POST-as-GET” request by RFC 8555).
We have added support for the POST-as-GET construction for certificates, orders, authorizations and challenges to the ACME v2 API while simultaneously allowing legacy GET requests to these resources. Clients may begin sending POST-as-GET requests to the staging and production V2 API as of October 25th, 2018.
November 1st, 2019 December 4th, 2019 we will remove support for unauthenticated GETs from the staging V2 API, requiring client support for POST-as-GET.
On November 1st, 2020 we will remove support for unauthenticated GETs from the production V2 API.
ACME v2 Clients that do not have support for POST-as-GET will not be able to issue or renew certificates in the staging and production environments after the above deprecation dates.
In addition to the V2 staging API ACME client developers are encouraged to use the Pebble test server version 2.x.x or later to test client POST-as-GET support. Please see the “GET and POST-as-GET Requests” section of RFC 8555 for more information.