I’m happy to share we’ve released Pebble v2.3.0 and uploaded corresponding Docker images and binary artifacts.
As a reminder Pebble is the Let’s Encrypt RFC 8555 ACME test server. Pebble is a smaller version of Boulder (our production ACME server) suitable for continuous integration and testing RFC 8555 compatibility.
I’d like to highlight the addition of external account binding (EAB) support in Pebble v2.3.0 as one of the more exciting features. I hope this addition will make it easier for ACME client developers to test compatibility with RFC 8555 compatible CAs that require EAB.
This release contains contributions from six community members:
@munnerz. We’re very grateful for the continued engagement and support of the broader ACME community!
- Added an ACME account “orders list” endpoint for finding order URLs associated with an account. See RFC 8555 §7.1.2.1.
- Updated `pebble-challtestsrv` with an API for mocking DNS `SERVFAIL` responses for a hostname.
- Added support for ACME external account binding (EAB) for new account requests. See RFC 8555 §7.3.4.
- `pebble-challtestsrv`'s mock CNAME delete API is fixed to remove the CNAME mock record instead of the CAA mock record for the given hostname.
- Fixed `PEBBLE_ALTERNATE_ROOTS` intermediate certificates to have the same subject, matching the issuer of the leaf certificates they issue.
- Fixed key rollover request handling for requests that fail inner JWS verification.
- Finalize requests that include a CSR that specifies a certificate public key already used by an ACME account now receive a `badCSR` type problem. See RFC 8555 §11.1.
- Authorizations for ACME-IP identifiers are fixed to only contain HTTP-01 and TLS-ALPN-01 challenges, not DNS-01. See draft-ietf-acme-ip §7.
- Added support for POST-as-GET requests in addition to GET/HEAD for the directory and newNonce endpoints. See RFC 8555 §6.3.
- Fixed handling of HTTP-01 validation requests that are redirected to a different port (e.g.
- A Subject Key Identifier value is now included in all issued certificates. See RFC 5280 §4.2.1.2.
- The Pebble ACME API and management API ports (15000 is the management API) are now marked as exposed in the Dockerfile metadata.
- TLS 1.3 is now explicitly enabled for Pebble’s validation requests via an environment variable in the Docker environment.
- The project and CI now use Go 1.13 and
New configuration options
- `PEBBLE_WFE_ORDERS_PER_PAGE` env var can be used to control the account orders list endpoint’s pagination. By default up to 15 order URLs are returned per response.
- `"externalAccountBindingRequired"` config file boolean field can be used to control whether all `newAccount` requests must use external account binding.
- `"externalAccountMACKeys"` config file key/value object field can be used to specify external account binding key IDs and encoded MAC keys. See `test/config/pebble-config-external-account-binding.json` for an example.
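To make the EAB feature above concrete, here is an added example (not Pebble's or Boulder's own code) showing both halves of RFC 8555 §7.3.4: the client builds the `externalAccountBinding` JWS (HS256 over the protected header and the account key JWK, keyed with the MAC key the CA handed out), and a server performs the checks Pebble must make before accepting it: a MAC `alg`, a known `kid`, a `url` equal to the newAccount URL, no `nonce` in the header, a verifying MAC, and a payload that is exactly the key that signed the outer JWS. `PebbleEABConfig` renders the two new config fields for the same key; it assumes the MAC key is base64url-encoded in the config, and the newAccount URL `https://localhost:14000/sign-me-up` is assumed to be Pebble's default. Key ID and MAC key values are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// b64 is the JWS base64url alphabet without padding (RFC 7515 §2).
var b64 = base64.RawURLEncoding

// EABJWS is the flattened JSON JWS carried in the newAccount request's
// "externalAccountBinding" field (RFC 8555 §7.3.4).
type EABJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// publicJWK renders a P-256 account public key as the JWK the EAB payload carries.
func publicJWK(pub *ecdsa.PublicKey) ([]byte, error) {
	size := (pub.Curve.Params().BitSize + 7) / 8
	pad := func(b []byte) string { // left-pad coordinates to the field width
		out := make([]byte, size)
		copy(out[size-len(b):], b)
		return b64.EncodeToString(out)
	}
	return json.Marshal(map[string]string{"kty": "EC", "crv": "P-256", "x": pad(pub.X.Bytes()), "y": pad(pub.Y.Bytes())})
}

// BuildEAB is the client side: HS256 over protected.payload with the CA-issued MAC key.
// The payload is the account key that will sign the enclosing newAccount JWS.
func BuildEAB(kid string, macKey []byte, newAccountURL string, acct *ecdsa.PublicKey) (EABJWS, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "url": newAccountURL})
	if err != nil {
		return EABJWS{}, err
	}
	jwk, err := publicJWK(acct)
	if err != nil {
		return EABJWS{}, err
	}
	jws := EABJWS{Protected: b64.EncodeToString(hdr), Payload: b64.EncodeToString(jwk)}
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(jws.Protected + "." + jws.Payload))
	jws.Signature = b64.EncodeToString(mac.Sum(nil))
	return jws, nil
}

// VerifyEAB is the server side. macKeys maps key IDs to decoded MAC keys (what
// "externalAccountMACKeys" supplies); outerKey is the key that signed the outer JWS.
func VerifyEAB(jws EABJWS, macKeys map[string][]byte, newAccountURL string, outerKey *ecdsa.PublicKey) error {
	hdrBytes, err := b64.DecodeString(jws.Protected)
	if err != nil {
		return fmt.Errorf("protected header: %w", err)
	}
	var hdr map[string]json.RawMessage
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return err
	}
	get := func(k string) string { // absent or non-string fields simply read as ""
		var s string
		_ = json.Unmarshal(hdr[k], &s)
		return s
	}
	if get("alg") != "HS256" {
		return errors.New("EAB alg must be a MAC algorithm (HS256)")
	}
	if _, hasNonce := hdr["nonce"]; hasNonce {
		return errors.New("EAB protected header must not carry a nonce")
	}
	if get("url") != newAccountURL {
		return errors.New("EAB url does not match the newAccount URL")
	}
	macKey, ok := macKeys[get("kid")]
	if !ok {
		return errors.New("unknown EAB key ID")
	}
	mac := hmac.New(sha256.New, macKey) // recompute and compare in constant time
	mac.Write([]byte(jws.Protected + "." + jws.Payload))
	sig, err := b64.DecodeString(jws.Signature)
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("EAB MAC does not verify")
	}
	payload, err := b64.DecodeString(jws.Payload) // payload must equal the outer account key
	if err != nil {
		return err
	}
	var got, want map[string]string
	wantBytes, err := publicJWK(outerKey)
	if err != nil || json.Unmarshal(payload, &got) != nil || json.Unmarshal(wantBytes, &want) != nil {
		return errors.New("EAB payload is not a parseable JWK")
	}
	if len(got) != len(want) {
		return errors.New("EAB payload is not the outer account key")
	}
	for k, v := range want {
		if got[k] != v {
			return errors.New("EAB payload is not the outer account key")
		}
	}
	return nil
}

// PebbleEABConfig renders the two v2.3.0 config fields for one key ID and MAC key.
// Assumption (not stated in the release notes): the MAC key is base64url-encoded.
func PebbleEABConfig(kid string, macKey []byte) ([]byte, error) {
	return json.MarshalIndent(map[string]interface{}{
		"externalAccountBindingRequired": true,
		"externalAccountMACKeys":         map[string]string{kid: b64.EncodeToString(macKey)},
	}, "", "  ")
}

func main() {
	// Constructed demo values: a fresh account key and a 32-byte MAC key the CA would hand out.
	acct, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	macKey := make([]byte, 32)
	rand.Read(macKey)
	const kid = "kid-1"
	const newAccountURL = "https://localhost:14000/sign-me-up" // assumed Pebble default
	jws, _ := BuildEAB(kid, macKey, newAccountURL, &acct.PublicKey)
	keys := map[string][]byte{kid: macKey}
	fmt.Println("valid EAB:", VerifyEAB(jws, keys, newAccountURL, &acct.PublicKey))
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // replay under another account key
	fmt.Println("replayed EAB:", VerifyEAB(jws, keys, newAccountURL, &other.PublicKey))
	cfg, _ := PebbleEABConfig(kid, macKey)
	fmt.Println(string(cfg))
}
```

The replay check is the one that matters most in practice: because the payload is the account key, an EAB captured from one registration cannot be reused to bind a different account key to the same external account, and the `url` check stops a JWS signed for one CA's newAccount endpoint from being presented to another.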