RFC Errata
Found 13 records.
Status: Verified (11)
RFC 8555, "Automatic Certificate Management Environment (ACME)", March 2019
Source of RFC: acme (sec)
Errata ID: 5729
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Rob Stradling
Date Reported: 2019-05-22
Verifier Name: Roman Danyliw.com
Date Verified: 2024-01-11
Section 7.5.1 says:
The client indicates to the server that it is ready for the challenge
validation by sending an empty JSON body ("{}") carried in a POST
request to the challenge URL (not the authorization URL).
It should say:
The client indicates to the server that it is ready for the challenge
validation by sending a POST request to the challenge URL (not the
authorization URL), where the body of the POST request is a JWS object
whose JSON payload is a response object (see Section 8). For all
challenge types defined in this document, the response object is the
empty JSON object ("{}").
Notes:
It's clear from other text in section 7.5.1 that the "empty JSON body" is interpreted by the ACME server as a "response object". (The first function of this erratum is to clarify this point).
Section 8 says that "The definition of a challenge type includes...Contents of response objects", and section 7.5.1 notes that "the challenges in this document do not define any response fields, but future specifications might define them". (The second function of this erratum is to permit clients to send response objects that contain response fields).
Errata ID: 5732
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Rob Stradling
Date Reported: 2019-05-23
Verifier Name: Paul Wouters
Date Verified: 2024-02-22
Section 8 says:
A challenge object with an error MUST have status equal to "invalid".
It should say:
A challenge object with an error MUST have status equal to "processing" or "invalid".
Notes:
Section 8.2 says that 'The server MUST add an entry to the "error" field in the challenge after each failed validation query'. However, if the challenge must then become "invalid", it is never possible to retry any validation query (because "invalid" is a final state for a challenge object).
This erratum is necessary to permit validation query retries to ever happen.
Errata ID: 5983
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Jason Baker
Date Reported: 2020-02-14
Verifier Name: Benjamin Kaduk
Date Verified: 2020-02-29
Section 9.1 says:
A file of this type contains one or more certificates encoded with the PEM textual encoding, according to [RFC7468]. The textual encoding of certificates in this file MUST use the strict encoding and MUST NOT include explanatory text. The ABNF for this format is as follows, where "stricttextualmsg" and "eol" are as defined in Section 3 of RFC 7468: certchain = stricttextualmsg *(eol stricttextualmsg)
It should say:
A file of this type contains one or more certificates encoded with the PEM textual encoding, according to [RFC7468]. The textual encoding of certificates in this file MUST use the strict encoding and MUST NOT include explanatory text. The ABNF for this format is as follows, where "stricttextualmsg" is as defined in Section 3 of RFC 7468: certchain = stricttextualmsg *(stricttextualmsg)
Notes:
Examples within RFC 8555 indicate that only one EOL should be present between entries in the PEM chain.
RFC 7468 already defines a stricttextualmsg as ending with EOL
stricttextualmsg = preeb eol
strictbase64text
posteb eol
If a second EOL is to be added before each strict textual message this would result in a blank line between entries. The prior example in https://tools.ietf.org/html/rfc8555#section-7.4.2 indicates an intention for only one EOL marker to be used:
-----BEGIN CERTIFICATE-----
[End-entity certificate contents]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Issuer certificate contents]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Other certificate contents]
-----END CERTIFICATE-----
Errata ID: 6364
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Evangelos Karatsiolis
Date Reported: 2020-12-23
Verifier Name: Deb Cooley
Date Verified: 2024-03-22
Section 7.1.4 says:
wildcard (optional, boolean): This field MUST be present and true
for authorizations created as a result of a newOrder request
containing a DNS identifier with a value that was a wildcard
domain name. For other authorizations, it MUST be absent.
Wildcard domain names are described in Section 7.1.3.
It should say:
wildcard (optional, boolean): This field MUST be present and true
for authorizations created as a result of a newOrder request
containing a DNS identifier with a value that was a wildcard
domain name. For other authorizations, it MUST be absent or
false. For pre-authorizations, it MUST be absent or false.
Wildcard domain names are described in Section 7.1.3.
Notes:
This section states that the wildcard field must be absent for other authorizations, but the example in this section has an explicitly set wildcard field with value false. The proposed change allows both options, either omitting it or explicitly setting it to false. Also a sentence has been added to explicitly describe the behavior for pre-authorizations.
Errata ID: 7565
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Paul Breed
Date Reported: 2023-07-13
Verifier Name: Roman Danyliw
Date Verified: 2024-01-11
Section 8.1 says:
The "Thumbprint" step indicates the computation specified in [RFC7638], using the SHA-256 digest [FIPS180-4]. As noted in [RFC7518] any prepended zero octets in the fields of a JWK object MUST be stripped before doing the computation.
It should say:
The "Thumbprint" step indicates the computation specified in [RFC7638], using the SHA-256 digest [FIPS180-4]. As noted in [RFC7518] any additional prepended zero octets in the fields of a JWK object MUST be stripped before doing the computation. Fixed length fields such as found in ECDSA keys should be their natural length and leading zero octets should not be stripped.
Notes:
This comment was really aimed at the leading 0 octet sometimes used with RSA, but the comment is not RSA specific. ECDSA keys can have fixed length fields (X,Y) where there can be leading zeros. This led me astray in implementing an ECDSA thumbprint routine for ACME. The result was that 1/128 ECDSA keys failed to generate t humbp[rint as leading zeros were removed.
Errata ID: 5733
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Rob Stradling
Date Reported: 2019-05-23
Verifier Name: Roman Danyliw.com
Date Verified: 2024-01-11
Section 8.3 says:
POST /acme/chall/prV_B7yEyA4
It should say:
POST /acme/chall/prV_B7yEyA4 HTTP/1.1
Errata ID: 5734
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Rob Stradling
Date Reported: 2019-05-23
Verifier Name: Roman Danyliw.com
Date Verified: 2024-01-11
Section 8.4 says:
POST /acme/chall/Rg5dV14Gh1Q
It should say:
POST /acme/chall/Rg5dV14Gh1Q HTTP/1.1
Errata ID: 5735
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Rob Stradling
Date Reported: 2019-05-23
Verifier Name: Roman Danyliw.com
Date Verified: 2024-01-11
Section 8.3 says:
GET /.well-known/acme-challenge/LoqXcYV8...jxAjEuX0
It should say:
GET /.well-known/acme-challenge/LoqXcYV8...jxAjEuX0 HTTP/1.1
Errata ID: 6016
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Benjamin Wilson
Date Reported: 2020-03-13
Verifier Name: Benjamin Kaduk
Date Verified: 2020-03-13
Section 7.3.5 says:
holder of the new key to take over the account form the holder of the
It should say:
holder of the new key to take over the account from the holder of the
Notes:
Should be "from" instead of "form"
Errata ID: 6103
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Theodor Nolte
Date Reported: 2020-04-14
Verifier Name: Roman Danyliw.com
Date Verified: 2024-01-11
Section 7.1. says:
o A "newAccount" resource (Section 7.3) o A "newOrder" resource (Section 7.4)
It should say:
o A "newAccount" resource (Section 7.3) o A "newAuthz" resource (Section 7.4) o A "newOrder" resource (Section 7.4)
Notes:
The item for the "newAuthz" resource is missing in the list of resources.
Errata ID: 6104
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Theodor Nolte
Date Reported: 2020-04-14
Verifier Name: Roman Danyliw.com
Date Verified: 2024-01-11
Section 6.7.1 says:
in the problem document.
HTTP/1.1 403 Forbidden
Content-Type: application/problem+json
Link: <https://example.com/acme/directory>;rel="index"
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Some of the identifiers requested were rejected",
"subproblems": [
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Invalid underscore in DNS name \"_example.org\"",
"identifier": {
"type": "dns",
"value": "_example.org"
}
},
{
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail": "This CA will not issue for \"example.net\"",
"identifier": {
"type": "dns",
"value": "example.net"
}
}
]
}
It should say:
in the problem document.
HTTP/1.1 403 Forbidden
Content-Type: application/problem+json
Link: <https://example.com/acme/directory>;rel="index"
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Some of the identifiers requested were rejected",
"subproblems": [
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Invalid underscore in DNS name \"_example.org\"",
"identifier": {
"type": "dns",
"value": "_example.org"
}
},
{
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail": "This CA will not issue for \"example.net\"",
"identifier": {
"type": "dns",
"value": "example.net"
}
}
]
}
Notes:
The indenting of the code block of the HTTP reply is not aligned.
Status: Reported (2)
RFC 8555, "Automatic Certificate Management Environment (ACME)", March 2019
Source of RFC: acme (sec)
Errata ID: 5861
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: owen friel
Date Reported: 2019-09-23
Section 7.4.1 says:
It should say:
If a server receives a newAuthz request for an identifier where the authorization object already exists, whether created by CA provisioning on the ACME server or by the ACME server handling a previous newAuthz request from a client, the server returns a 200 (OK) response with the existing authorization URL in the Location header field and the existing JSON authorization object in the body.
Notes:
The above text (or similar) should be appended to the end of section 7.4.1
Errata ID: 7826
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Rob Stradling
Date Reported: 2024-02-28
Section 8.2 says:
The server MUST provide information about its retry state to the client via the "error" field in the challenge and the Retry-After HTTP header field in response to requests to the challenge resource.
It should say:
In responding to requests to the challenge resource while the status of the challenge remains "processing", the server MUST provide information about its retry state to the client via the "error" field in the challenge and the Retry-After HTTP header field.
Notes:
The current text seems to require the server to include the "error" field and Retry-After HTTP header in all responses to requests for a challenge resource, even before that challenge has moved from "pending" to "processing", and even after that challenge has moved from "processing" to "valid" or "invalid". However, the "State Transitions for Challenge Objects" diagram in Section 7.1.6 shows that it only makes sense for the server to communicate "its retry state" to the client when the challenge is "processing".
I've modelled the structure of my suggested Corrected Text on similar language in Section 7.5.1: "In responding to poll requests while the validation is still in progress, the server MUST...".