'url' key in HTTP POST JSON



I’m writing my own ACME client. An example request’s plaintext before JSON and Base64 encoding and signing might look like this (Perl hash, with redactions):

$VAR1 = {
  "payload" => {
    "agreement" => "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
    "resource" => "new-reg"
  },
  "protected" => {
    "alg" => "ES384",
    "jwk" => {
      "crv" => "P-384",
      "kty" => "EC",
      "x" => "[...]",
      "y" => "[...]"
    },
    "nonce" => "[...]",
    "url" => undef
  }
};

Note how I intentionally left the ‘url’ key undefined, which causes it to be missing entirely after JSON encoding. My question is the following:

Why does that still work and what is the purpose of that key anyway? It seems like a layer violation to include the URL inside the body of a request to that very same URL.

I will most likely change my code to set that key according to the spec, but I’m curious as to its purpose.



The URL being part of the signed payload ensures that the whole request is mutually authenticated. This was added after a researcher analyzed a formal model of ACME. See this thread for more details (specifically “Issue 1”).


So LE ignoring that key is… a bug, intentional, something else?


That’s probably due to boulder implementing (a variant of) the acme-01 draft (with some backwards-compatible divergences). url was added in acme-03.
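
The check discussed in the replies above, as an added example that is not part of the original thread and is not boulder's code: the server compares the signed 'url' header with the URL the request arrived at, and a server that skips the check accepts the request from the question. HMAC-SHA384 with a constructed shared key stands in for the ES384 account-key signature so the code runs on the Python standard library; the key, URLs and function names are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed values (assumptions, not from the thread).
KEY = b"constructed-demo-key"  # HMAC stand-in for the ES384 account key
NEW_REG_URL = "https://acme.example/acme/new-reg"
OTHER_URL = "https://acme.example/acme/other-resource"

def b64u(data):
    """Base64url without padding, as used for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(jws):
    # The signature covers "protected.payload", so it covers 'url' too.
    signing_input = (jws["protected"] + "." + jws["payload"]).encode()
    return hmac.new(KEY, signing_input, hashlib.sha384).digest()

def sign(protected, payload):
    """Client: build a flattened JWS. Keys set to None are dropped, like the
    undefined 'url' that is missing from the request in the question."""
    header = {k: v for k, v in protected.items() if v is not None}
    jws = {"protected": b64u(json.dumps(header).encode()),
           "payload": b64u(json.dumps(payload).encode())}
    jws["signature"] = b64u(_mac(jws))
    return jws

def protected_header(jws):
    return json.loads(b64u_decode(jws["protected"]))

def verify(jws, request_url, check_url=True):
    """Server: verify the signature first, then the signed 'url' header.
    check_url=False models a server that does not examine the header."""
    if not hmac.compare_digest(_mac(jws), b64u_decode(jws["signature"])):
        return "bad-signature"
    if not check_url:
        return "accepted"
    header = protected_header(jws)
    if "url" not in header:
        return "missing-url"
    if header["url"] != request_url:
        return "url-mismatch"
    return "accepted"
```

With the check enabled, a request signed for one URL is rejected at any other URL, and swapping in a different protected header invalidates the signature.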

