Skip to content

Comments

v0.8.5: Pebble v2.10.0 support, dns-persist-01 challenge deser fix#264

Open
cpu wants to merge 3 commits intodjc:mainfrom
cpu:ci/cpu-dns-persist-01-bugfix
Open

v0.8.5: Pebble v2.10.0 support, dns-persist-01 challenge deser fix#264
cpu wants to merge 3 commits intodjc:mainfrom
cpu:ci/cpu-dns-persist-01-bugfix

Conversation

@cpu
Copy link
Collaborator

@cpu cpu commented Feb 23, 2026
edited
Loading

Resolves #258

As a follow up we should consider changing how challenges are represented to avoid the impression that token is always present regardless of the ChallengeType, but in the meantime this semver compatible fix will prevent errors talking to CAs that are offering standard-compliant, but unsupported challenge types like dns-persist-01. See this CI failure on main for example.

Note of course that this branch fixes using instant-acme with a CA that offers dns-persist-01 (like Pebble v2.10.0+) but it does not allow you to complete dns-persist-01 challenges. Support for this new challenge type is not yet implemented (see #263).

Proposed release notes

  • Fixes Challenge deserialization errors of the form "missing field token" when using instant-acme with CAs offering challenge types that don't present a token (e.g. dns-persist-01 with Pebble v2.10.0+)

@cpu cpu self-assigned this Feb 23, 2026
cpu added 3 commits February 23, 2026 11:10
@cpu
types: allow Challenge token to be omitted
b4d9b44 
RFC 8555 doesn't specify that this field is always present, it's
a property of the specific challenge type. It happens to be the case
that all of our supported challenge types have always included a token,
but the new dns-persist-01 challenge type does not.

To avoid deser errors from a missing token field for ACME CAs that
include dns-persist-01 challenges (or other, unknown challenge
types), default the field to an empty string when omitted.
@cpu
tests: fix challtestsrv arg for pebble v2.10.0
53fcb0e 
The Pebble v2.10.0 release renamed the pebble-challtestsrv binary's
-dns01 argument to -dnsserver to match pebble's similar flag.
@cpu
Cargo: version 0.8.4 -> 0.8.5
66e6b31
@cpu cpu force-pushed the ci/cpu-dns-persist-01-bugfix branch from f61708f to 66e6b31 Compare February 23, 2026 16:10
@djc
Copy link
Owner

djc commented Feb 23, 2026

I think that this is good to get CI unstuck, but not sure I want to release 0.8.5 with the fake empty token?

@cpu
Copy link
Collaborator Author

cpu commented Feb 23, 2026

not sure I want to release 0.8.5 with the fake empty token?

Presumably Let's Encrypt's staging and production APIs are going to start offering this challenge type at some point. That's going to hard break all of the 0.8.x users in the wild. It seems reasonable to me to release this fix to avoid that while improving the status quo in the follow-up release. Having the field empty for unsupported challenge types isn't ideal, but doesn't seem likely to cause any significant confusion in practice.

@cpu
Copy link
Collaborator Author

cpu commented Feb 23, 2026
edited
Loading

Presumably Let's Encrypt's staging and production APIs are going to start offering this challenge type at some point

The announcement blog post says:

Staging rollout is planned for late Q1 2026, with a production rollout targeted for some time in Q2 2026.

So I think the question is whether we can reasonably expect that all users will be on a 0.9 by late Q1/early Q2. Otherwise issuance/renewals will be broken after that point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@cpu cpu

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Authorization challenges without token (e.g. dns-persist-01) fail deserialization

2 participants

@cpu @djc