Pebble v2.3.0 released

I’m happy to share we’ve released Pebble v2.3.0 and uploaded corresponding Docker images and binary artifacts.

As a reminder Pebble is the Let’s Encrypt RFC 8555 ACME test server. Pebble is a smaller version of Boulder (our production ACME server) suitable for continuous integration and testing RFC 8555 compatibility.

I’d like to highlight the addition of external account binding (EAB) support in Pebble v2.3.0 as one of the more exciting features. I hope this addition will make it easier for ACME client developers to test compatibility with RFC 8555 compatible CAs that require EAB.

This release contains contributions from six community members: @felixfontein, @sergioaugrod, @0pq76r, @Drakezul, @JoshVanL and @munnerz. We’re very grateful for the continued engagement and support of the broader ACME community!

Features

  • Added an ACME account “orders list” endpoint for finding order URLs associated with an account. See RFC 8555 §7.1.2.1.
  • Updated pebble-challtestsrv with an API for mocking DNS SERVFAIL responses for a hostname.
  • Added support for ACME external account binding (EAB) for new account requests. See RFC 8555 §7.3.4.

Bug-fixes

  • The pebble-challtestsrv's mock CNAME delete API is fixed to remove the CNAME mock record instead of the CAA mock record for the given hostname.
  • Changed PEBBLE_ALTERNATE_ROOTS intermediate certificates to have the same subject, matching the issuer of the leaf certificates they issue.
  • Fixed key rollover request handling for requests that fail inner JWS verification.
  • Finalize requests that include a CSR that specifies a certificate public key already used by an ACME account now receive a badCSR type problem. See RFC 8555 §11.1.
  • Authorizations for ACME-IP identifiers are fixed to only contain HTTP-01 and TLS-ALPN-01 challenges, not DNS-01. See draft-ietf-acme-ip §7.
  • Added support for POST-as-GET requests in addition to GET/HEAD for directory and newNonce endpoints. See RFC 8555 §6.3.
  • Fixed handling of HTTP-01 validation requests that are redirected to a different port (e.g. 443).

Misc

  • A Subject Key Identifier value is now included in all issued certificates. See RFC 5280 §4.2.1.2.
  • The Pebble ACME API and management API ports (14000 and 15000) are now marked exposed in Dockerfile metadata.
  • TLS 1.3 for Pebble’s validation requests is explicitly enabled by env var in the Docker environment.
  • The project and CI now use Go 1.13 and golangci-lint v1.21.0

New configuration options

  • The PEBBLE_WFE_ORDERS_PER_PAGE env var can be used to control the account orders list endpoint’s pagination. By default up to 15 order URLs are returned per response.
  • The "externalAccountBindingRequired" config file boolean field can be used to control whether all newAccount requests must use external account binding.
  • The "externalAccountMACKeys" config file key/value object field can be used to specify external account binding key IDs and encoded MAC keys. See test/config/pebble-config-external-account-binding.json for an example.
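The program below is an added illustration of how these two options fit together with RFC 8555 §7.3.4, not Pebble's implementation or the contents of test/config/pebble-config-external-account-binding.json. It exercises both sides of external account binding against a config fragment using the two field names above: the client signs its account JWK with HS256 under the CA-issued key ID and MAC key, and the server looks the kid up in externalAccountMACKeys, checks the alg, URL and payload, recomputes the MAC in constant time and enforces externalAccountBindingRequired. The "kid-1" key ID, its MAC key and the https://localhost:14000/sign-me-up newAccount URL are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ACME uses unpadded base64url for every JWS component (RFC 8555 §7.1, RFC 7515).
var b64 = base64.RawURLEncoding

// Constructed config fragment using the two field names from the release notes; the
// key ID and MAC key are made-up sample values, not Pebble's shipped fixture.
const sampleConfig = `{"pebble": {
  "externalAccountBindingRequired": true,
  "externalAccountMACKeys": {"kid-1": "kY3Z2n1Q6h4t8B7c0Ww9vLmPzXqRdSfGhJkLzMnOpAs"}
}}`

type pebbleConfig struct {
	Pebble struct {
		EABRequired bool              `json:"externalAccountBindingRequired"`
		MACKeys     map[string]string `json:"externalAccountMACKeys"`
	} `json:"pebble"`
}

func loadConfig(raw string) (cfg pebbleConfig, err error) {
	err = json.Unmarshal([]byte(raw), &cfg)
	return
}

type eabJWS struct { // flattened JWS carried in newAccount's "externalAccountBinding" field
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// accountJWK serialises a P-256 public key as a JWK (encoding/json sorts map keys: crv/kty/x/y).
func accountJWK(pub *ecdsa.PublicKey) ([]byte, error) {
	if pub.Curve != elliptic.P256() {
		return nil, errors.New("example only handles P-256 account keys")
	}
	return json.Marshal(map[string]string{"crv": "P-256", "kty": "EC",
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))})
}

func hs256(key []byte, protected, payload string) []byte { // JWS MAC over protected "." payload
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(protected + "." + payload))
	return mac.Sum(nil)
}

// buildEAB is the client side of §7.3.4: payload = account JWK, protected header = {alg, kid,
// url} with no nonce and no jwk, signature = HS256 under the MAC key the CA handed out.
func buildEAB(kid, macKeyB64, newAccountURL string, pub *ecdsa.PublicKey) (*eabJWS, error) {
	macKey, err := b64.DecodeString(macKeyB64)
	jwk, jwkErr := accountJWK(pub)
	if err != nil || jwkErr != nil {
		return nil, fmt.Errorf("bad MAC key (%v) or account key (%v)", err, jwkErr)
	}
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "url": newAccountURL})
	protected, payload := b64.EncodeToString(header), b64.EncodeToString(jwk)
	return &eabJWS{protected, payload, b64.EncodeToString(hs256(macKey, protected, payload))}, nil
}

// checkEAB is the server side, including the externalAccountBindingRequired rule. outerJWK is
// the "jwk" from the newAccount request's own protected header: the binding must cover that key.
func checkEAB(cfg pebbleConfig, eab *eabJWS, newAccountURL string, outerJWK []byte) error {
	if eab == nil && cfg.Pebble.EABRequired {
		return errors.New("externalAccountRequired: newAccount must carry an externalAccountBinding")
	} else if eab == nil {
		return nil
	}
	var hdr struct{ Alg string `json:"alg"`; Kid string `json:"kid"`; URL string `json:"url"` }
	if raw, err := b64.DecodeString(eab.Protected); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return errors.New("malformed EAB protected header")
	}
	if hdr.Alg != "HS256" || hdr.URL != newAccountURL {
		return errors.New("EAB alg must be HS256 and url must equal the newAccount URL")
	}
	macKeyB64, ok := cfg.Pebble.MACKeys[hdr.Kid]
	if !ok {
		return fmt.Errorf("unknown EAB kid %q", hdr.Kid)
	}
	macKey, _ := b64.DecodeString(macKeyB64) // a real server validates this when loading config
	// Byte equality works because both sides serialise with accountJWK; compare parsed keys in production.
	if p, err := b64.DecodeString(eab.Payload); err != nil || string(p) != string(outerJWK) {
		return errors.New("EAB payload does not match the account key")
	}
	sig, err := b64.DecodeString(eab.Signature)
	if err != nil || !hmac.Equal(sig, hs256(macKey, eab.Protected, eab.Payload)) { // constant-time
		return errors.New("EAB signature invalid")
	}
	return nil
}

func demoKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
```

Feed a newAccount request's externalAccountBinding object and its outer jwk to checkEAB. With externalAccountBindingRequired set to false the same function admits requests that carry no binding, but a binding that is present must still verify: a bad kid, a MAC under the wrong key, a different newAccount URL or a payload that is not the outer account key are all rejected.
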