shred / acme4j

Java client for ACME (Let's Encrypt)

Home Page: https://acme4j.shredzone.org

acme v2 - scheduled deprecation of unauthenticated GETs

pallavkothari opened this issue · comments

Hi there 👋

First, thank you for maintaining this library! I've been using it with great success until this last week, when cert renewals broke against the staging endpoints. I tried the latest version of acme4j (2.8) available in maven central and hit this error:

[main] DEBUG o.shredzone.acme4j.AcmeJsonResource - update Authorization
[main] DEBUG o.s.a.connector.DefaultConnection - GET https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22511111
[main] DEBUG o.s.a.connector.DefaultConnection - HEADER null: HTTP/1.1 405 Method Not Allowed
[main] DEBUG o.s.a.connector.DefaultConnection - HEADER Cache-Control: public, max-age=0, no-cache
[main] DEBUG o.s.a.connector.DefaultConnection - HEADER Server: nginx
[main] DEBUG o.s.a.connector.DefaultConnection - HEADER Connection: keep-alive
[main] DEBUG o.s.a.connector.DefaultConnection - HEADER Content-Length: 103
[main] DEBUG o.s.a.connector.DefaultConnection - HEADER Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
[main] DEBUG o.s.a.connector.DefaultConnection - HEADER Date: Fri, 13 Dec 2019 19:30:22 GMT
[main] DEBUG o.s.a.connector.DefaultConnection - HEADER Content-Type: application/problem+json
[main] DEBUG o.s.a.connector.DefaultConnection - Result JSON: {"type":"urn:ietf:params:acme:error:malformed","detail":"Method not allowed","status":405}
[main] ERROR c.s.z.dns.LetsEncryptClient - Failed to get a certificate for domains [foo.example.com]
org.shredzone.acme4j.exception.AcmeLazyLoadingException: Authorization https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22511111
	at org.shredzone.acme4j.AcmeJsonResource.getJSON(AcmeJsonResource.java:68)
	at org.shredzone.acme4j.Authorization.getDomain(Authorization.java:57)
	...

The root cause is that unsigned GET requests are no longer supported in staging (and will be removed in production around Nov, 2020): https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380

LetsEncrypt has elected to make the breaking change in v2, instead of rolling out a v3 endpoint: https://community.letsencrypt.org/t/acme-breaking-change-most-gets-become-posts/71025

Wasn't sure if this was already on your radar - for now I can work around this by skipping the staging endpoint, but it would be nice to get this patched. Thoughts?

Thanks!

Hmm sorry, I think maven is playing tricks with me -- going to try again. Seems getDomain() is no longer valid in 2.8...

GET requests have been removed since v2.5. The only exception is a GET request to fetch the directory, which is acceptable according to the RFC.

I ran my test suite to check it. Authorizations are updated via POST-as-GET request:

[main] DEBUG org.shredzone.acme4j.AcmeJsonResource - update Authorization
[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - POST-as-GET https://localhost:14000/authZ/mLsucxCBfbIR-OCdbfFb8DdeUflSTlamj7FdeBL0H_g

So yes, it seems that your maven is keeping a pre v2.5 version of acme4j somewhere. 😄