Why doesnt account response have orders url

daigu · September 27, 2021, 7:46am

rfc8555 states orders url is required in account object. i did not see it in the response from
my new-acct request. am i missing something.

Osiris · September 27, 2021, 10:49am

Where does it state that? I can't find it in the section about accounts (7.3).

petercooperjr · September 27, 2021, 11:04am

This is one of the documented divergences from the spec:

github.com

letsencrypt/boulder/blob/master/docs/acme-divergences.md#section-712

# Boulder divergences from ACME

While Boulder attempts to implement the ACME specification ([RFC 8555]) as strictly as possible there are places at which we will diverge from the letter of the specification for various reasons. This document describes the difference between RFC 8555 and Boulder's implementation of ACME, informally called ACMEv2 and available at https://acme-v02.api.letsencrypt.org/directory. Boulder's implementation of ACMEv1 differs substantially from the final RFC. Documentation for Boulder's ACMEv1 support is available in [acme-divergences-v1.md](acme-divergences-v1.md). A listing of RFC conformant design decisions that may differ from other ACME servers is listed in [implementation_details](https://github.com/letsencrypt/boulder/blob/main/docs/acme-implementation_details.md).


Presently, Boulder diverges from the RFC 8555 ACME spec in the following ways:

## [Section 6.3](https://tools.ietf.org/html/rfc8555#section-6.3)

We support POST-as-GET but do not yet mandate it. We
[plan to mandate](https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380)
POST-as-GET for all ACMEv2 requests in November 2020.

## [Section 6.6](https://tools.ietf.org/html/rfc8555#section-6.6)

Boulder does not provide a `Retry-After` header when a user hits a rate-limit, nor does it provide `Link` headers to further documentation on rate-limiting.

## [Section 6.7](https://tools.ietf.org/html/rfc8555#section-6.7)

Boulder uses `invalidEmail` in place of the error `invalidContact`.

This file has been truncated. show original

Boulder does not supply the orders field on account objects. We intend to support this non-essential feature in the future. Please follow Boulder Issue #3335.

Nummer378 · September 27, 2021, 12:51pm

It is stated in section 7.1.2:

 orders (required, string):  A URL from which a list of orders
      submitted by this account can be fetched [...]

Going by spec it really is a requirement, but LE has never bothered enough to implement it. Maybe some day.

jvanasco · September 27, 2021, 2:10pm

Just adding to this comment: LetsEncrypt does not fully implement the ACME RFC. The divergences are a mix of slightly intentional changes, and developing essential features first while roadmapping the rest. There is also an Implementation Details page, that shows the decisions LetsEncrypt made when the RFC gave some flexibility.

Support for AcmeOrders is been roadmapped since 2018 in ACMEv2: "orders" field missing in account info · Issue #3335 · letsencrypt/boulder · GitHub , but I doubt it will be happening until there is a new RFC or it's implementation will be divergent from the spec. Why? Implementing the endpoint itself isn't a lot of work - IIRC a few people have offered patches. As a community member and not speaking on behalf of the LE Staff, which I have no optics into, but having been involved in similar projects before the big issue I foresee would be implementing this endpoint in a performant manner over the massive (and sharded) dataset that LetsEncrypt has. The database queries would need to be made in a manner that is not only somewhat responsive to users accessing this endpoint, but also not bring down the performance of the entire service when in use. LetsEncrypt has at least 3 main datasets by usage: Account Info, Live Data (current certs, auths, challenges), and Archives (expired data). To my knowledge, no public endpoints query the old data yet.

rmbolger · September 27, 2021, 2:48pm

To be fair, no other free ACME CA currently implements it either. There are some who provide a URL in that orders field. But none of them actually return a usable result if you query it.

griffin · September 27, 2021, 3:43pm

The best-laid schemes of mice and men
Go oft awry...

daigu · September 27, 2021, 6:31pm

thanks all for the responses - i had guessed it might be a performance hit consideration. the documents you all have linked are a great help. i am new to acme so i assume i will stumble often and probably bug you all again in the near future

daigu · September 27, 2021, 6:33pm

interesting to know, thanks for that tidbit. i have just started trying to write acme clients so now i will not be as confused when i run into 'divergences' i always assume i am doing something wrong first

rmbolger · September 27, 2021, 6:45pm

Yeah, writing a client against a specification is always full of pitfalls in terms of how various server implementations interpret the spec. You will inevitably run into things like this where you have to decide how strict you want to be versus retaining compatibility with popular implementations.

I should also note that if you do want to test against a server implementation that implements the orders field, Pebble is one such implementation that you can run locally without much effort. Not only does it implement the orders field, you can configure how many orders per page it will return so you can more easily test your clients ability to properly get paged results.

daigu · September 27, 2021, 6:48pm

oh another good to know thanks.