While Boulder attempts to implement the ACME specification (RFC 8555) as strictly as possible there are places at which we will diverge from the letter of the specification for various reasons. This document describes the difference between RFC 8555 and Boulder's implementation of ACME, informally called ACMEv2 and available at https://acme-v02.api.letsencrypt.org/directory. A listing of RFC conformant design decisions that may differ from other ACME servers is listed in implementation_details.
Presently, Boulder diverges from the RFC 8555 ACME spec in the following ways:
Boulder supports POST-as-GET but does not mandate it for requests that simply fetch a resource (certificate, order, authorization, or challenge).
For all rate-limits, Boulder includes a Link
header to additional documentation on rate-limiting. Only rate-limits on duplicate certificates
and certificates per registered domain
are accompanied by a Retry-After
header.
Boulder does not supply the orders
field on account objects. We intend to
support this non-essential feature in the future. Please follow Boulder Issue
#3335.
Boulder does not accept the optional notBefore
and notAfter
fields of a
newOrder
request paylod.
Pre-authorization is an optional feature and we have no plans to implement it. V2 clients should use order based issuance without pre-authorization.
Boulder does not process Accept
headers for Content-Type
negotiation when retrieving certificates.
Boulder does not implement the ability to retry challenges or the Retry-After
header.