ACME: allow specifying preferred or required profile.

[bavshin-f5]

Taking suggestions for directive syntax or documentation. I want to keep the --preferred-profile/--required-profile distinction, but maybe that's not the best way.

Verified working with:

• pebble
• Let's Encrypt staging with shortlived and IP identifiers

---

Curious testing artifact:

[warn] 1#1: urn:ietf:params:acme:error:unauthorized: Error creating new order :: account ID 1234567890 is not permitted to use certificate profile "shortlived" while updating certificate "letsencrypt/example.com"

Which doesn't quite look like urn:ietf:params:acme:error:invalidProfile. Neither is malformed from Pebble.

[Copilot]

Pull Request Overview

This PR adds support for the ACME Profiles Extension (draft-ietf-acme-profiles-00), allowing users to request specific certificate profiles from ACME servers. The implementation provides two modes: preferred profiles (gracefully degrade if unsupported) and required profiles (fail if unsupported).

Key changes:

• Added profile directive to acme_issuer configuration with optional require parameter
• Implemented profile validation during account registration and certificate ordering
• Added comprehensive test coverage for both default and short-lived certificate profiles

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
t/acme_profiles.t	Adds test suite verifying profile functionality with default and short-lived certificates
src/conf/issuer.rs	Defines Profile enum and adds profile field to Issuer struct
src/conf.rs	Implements profile directive configuration parser supporting 1-2 arguments
src/acme/types.rs	Extends ACME types to include profiles in directory metadata, order requests, and error handling
src/acme/error.rs	Adds profile-related error variant to NewAccountError
src/acme.rs	Implements profile validation logic and includes profile in order requests
README.md	Documents the new profile directive and references the ACME Profiles Extension specification

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[ensh63]

BTreeMap looks slightly overwhelmed solution for such a small collection as profile list, but it has predefined de-serialization support. So, this is a reasonable choice.
Looks good overall.

[bavshin-f5]

The latest fixup updates handling of required profiles and invalidProfile errors:

• urn:ietf:params:acme:invalidProfile can be returned if the order configuration is not compatible with the requested profile (e.g. unsupported identifier types). Reduced scope of the error to the current order.
• Certbot sends --required-profile to the ACME server instead of validating locally against the advertised profile list. The mailing list discussions suggest that it is acceptable to have profiles that are not publicly advertised through the directory metadata.

[Copilot]

Pull Request Overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[xeioex]

LGTM.

Merging all 3 patches into 1 seems more natural to me, but YMMV.