recently finished development of an Java based ACME server and found one obvious bug (even in the latest version) and one controversial “feature”.
The bug is located in certbot/acme/acme/client.py at line 497:
content_type = DER_CONTENT_TYPE # TODO: make it a param
The problem is that ContentType is bound to request and should be ‘application/jose+json’ and not ‘application/pkix-cert’ as defined at line 45 in the same file.
I understand that boulder may ignore ContentType, but correct server implementation should obey the value in this attribute. Accept header tells what client accepts as a response and server can ignore it (by ACME spec)
Controversial feature is decision to drop CN in CSR subject. Even though (in theory) everything but signature is optional in CSR and that Chrome and other browser ignores CN, use of the CN is security feature in enterprise environments. Since having CN in CSR Subject attribute doesn’t harm but widen possible acceptance of the ACME in enterprises, I really don’t see the problem having it back, something like:
csr.get_subject().CN = domains (after the line 179 in certbot/acme/acme/crypto_util.py)
Just my five cents