While we intended to allow legacy ACME v1 accounts created through the WFE to work with the ACME v2 implementation and the WFE2, we neglected to consider that a legacy account would have a Key ID URL that doesn't match the expected one for a V2 account. This caused `wfe2/verify.go`'s `lookupJWK` to reject all POST requests authenticated by a legacy account unless the ACME client took the extra manual step of "fixing" the URL. This PR adds a configuration parameter to the WFE2 for an allowed legacy key ID prefix. The WFE2 verification logic is updated to allow both the expected key ID prefix and the configured legacy key ID prefix. This will allow us to specify the correct legacy URL in configuration for both staging/prod to allow unmodified V1 ACME accounts to be used with ACME v2. Resolves https://github.com/letsencrypt/boulder/issues/3674
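The check the PR describes, accepting a JWS "kid" (account URL) under either the expected prefix or a configured legacy prefix, as an added illustration that is not Boulder's own code and not the PR's diff. The configuration field names, the two prefix values and the sample account URLs are constructed for the example; the only assumption carried over from the PR is that the verifier compares the full URL prefix before extracting the numeric account ID, so a kid under an unrelated host or with extra path segments is still rejected.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrBadKeyID is returned when the JWS "kid" header doesn't start with an
// accepted account URL prefix or doesn't end in a plain numeric account ID.
var ErrBadKeyID = errors.New("kid header is not an accepted account URL")

// KeyIDPolicy holds the account URL prefixes the verifier accepts.
// Field names are constructed for this example, not Boulder's config keys.
// LegacyAccountPrefix is optional: leaving it empty disables legacy kids.
type KeyIDPolicy struct {
	AccountPrefix       string // expected v2 prefix, e.g. "https://example.test/acme/acct/"
	LegacyAccountPrefix string // v1 prefix, e.g. "https://example.test/acme/reg/"
}

// AccountIDFromKeyID returns the account ID named by kid if kid is exactly
// one accepted prefix followed by a positive decimal ID. The prefix match is
// done first so that a kid under a different host never reaches the parser.
func (p KeyIDPolicy) AccountIDFromKeyID(kid string) (int64, error) {
	var rest string
	switch {
	case p.AccountPrefix != "" && strings.HasPrefix(kid, p.AccountPrefix):
		rest = strings.TrimPrefix(kid, p.AccountPrefix)
	case p.LegacyAccountPrefix != "" && strings.HasPrefix(kid, p.LegacyAccountPrefix):
		rest = strings.TrimPrefix(kid, p.LegacyAccountPrefix)
	default:
		return 0, ErrBadKeyID
	}
	// The remainder must be only the ID: no further path segments, no query,
	// no sign or whitespace. strconv.ParseInt rejects all of those.
	id, err := strconv.ParseInt(rest, 10, 64)
	if err != nil || id <= 0 {
		return 0, ErrBadKeyID
	}
	return id, nil
}

func main() {
	policy := KeyIDPolicy{
		AccountPrefix:       "https://example.test/acme/acct/",
		LegacyAccountPrefix: "https://example.test/acme/reg/",
	}
	// Constructed sample kids: v2 form, legacy v1 form, wrong host, extra path.
	for _, kid := range []string{
		"https://example.test/acme/acct/1234",
		"https://example.test/acme/reg/1234",
		"https://other.test/acme/acct/1234",
		"https://example.test/acme/acct/1234/extra",
	} {
		id, err := policy.AccountIDFromKeyID(kid)
		fmt.Printf("%-45s -> id=%d err=%v\n", kid, id, err)
	}
}
```

With the legacy prefix configured, both the v2 and the v1 form of the same account resolve to ID 1234; with `LegacyAccountPrefix` left empty the v1 form is rejected, which is the pre-PR behaviour the description attributes to `lookupJWK`.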
Files in the wfe2 package:
test/
README.md
stats.go
verify.go
verify_test.go
wfe.go
wfe_test.go
README.md
WFE v2
The wfe2 package is copied from the wfe package in order to implement the
"ACME v2" API. This design choice
was made to facilitate a clean separation between v1 and v2 code and to support
running a separate API process on a different port alongside the v1 API process.