2019-01-02 2025-11-25 Specification Required Richard Barnes, Aaron Gable status string new, account contact array of string new, account externalAccountBinding object new termsOfServiceAgreed boolean new onlyReturnExisting boolean new orders string none delegations string none Specification Required Richard Barnes, Aaron Gable status string false expires string false identifiers array of object true notBefore string true notAfter string true error string false authorizations array of string false finalize string false certificate string false auto-renewal object true star-certificate string false allow-certificate-get boolean true delegation string true replaces string true Specification Required Richard Barnes, Aaron Gable identifier object true status string false expires string false challenges array of object false wildcard boolean false subdomainAuthAllowed boolean false Specification Required Richard Barnes, Aaron Gable accountDoesNotExist The request specified an account that does not exist alreadyRevoked The request specified a certificate to be revoked that has already been revoked badCSR The CSR is unacceptable (e.g., due to a short key) badNonce The client sent an unacceptable anti-replay nonce badPublicKey The JWS was signed by a public key the server does not support badRevocationReason The revocation reason provided is not allowed by the server badSignatureAlgorithm The JWS was signed with an algorithm the server does not support caa Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate compound Specific error conditions are indicated in the "subproblems" array connection The server could not connect to validation target dns There was a problem with a DNS query during identifier validation externalAccountRequired The request must include a value for the "externalAccountBinding" field incorrectResponse Response received didn't match the challenge's requirements invalidContact A contact URL for an account was invalid malformed The request message was malformed orderNotReady The request attempted to finalize an order that is not ready to be finalized rateLimited The request exceeds a rate limit rejectedIdentifier The server will not issue certificates for the identifier serverInternal The server experienced an internal error tls The server received a TLS error during validation unauthorized The client lacks sufficient authorization unsupportedContact A contact URL for an account used an unsupported protocol scheme unsupportedIdentifier An identifier is of an unsupported type userActionRequired Visit the "instance" URL and take actions specified there autoRenewalCanceled The short-term certificate is no longer available because the auto-renewal Order has been explicitly canceled by the IdO autoRenewalExpired The short-term certificate is no longer available because the auto-renewal Order has expired autoRenewalCancellationInvalid A request to cancel an auto-renewal Order that is not in state "valid" has been received autoRenewalRevocationNotSupported A request to revoke an auto-renewal Order has been received unknownDelegation An unknown configuration is listed in the delegation attribute of the order request onionCAARequired The CA only supports checking the CAA for Hidden Services in-band, but the client has not provided an in-band CAA alreadyReplaced The request specified a predecessor certificate that has already been marked as replaced Specification Required Richard Barnes, Aaron Gable newNonce New nonce newAccount New account newOrder New order newAuthz New authorization revokeCert Revoke certificate keyChange Key change meta Metadata object renewalInfo RenewalInfo object Specification Required Richard Barnes, Aaron Gable termsOfService string website string caaIdentities array of string externalAccountRequired boolean auto-renewal object delegation-enabled boolean allow-certificate-get boolean subdomainAuthAllowed boolean onionCAARequired boolean Specification Required Richard Barnes, Aaron Gable dns ip email TNAuthList bundleEID NfInstanceId 3GPP TS 33.310 Specification Required Richard Barnes, Aaron Gable http-01 dns Y dns-01 dns Y tls-sni-01 RESERVED N tls-sni-02 RESERVED N http-01 ip Y tls-alpn-01 ip Y tls-alpn-01 dns Y email-reply-00 email Y tkauth-01 TNAuthList Y onion-csr-01 dns Y bp-nodeid-00 bundleEID Y tkauth-01 NfInstanceId Y 3GPP TS 33.310 Specification Required Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable start-date string true end-date string true lifetime integer true lifetime-adjust integer true allow-certificate-get boolean true Specification Required Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable min-lifetime integer max-duration integer allow-certificate-get boolean Specification Required Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable keyUsage RFC9115, Appendix A RFC5280, Section 4.2.1.3 extendedKeyUsage RFC9115, Appendix A RFC5280, Section 4.2.1.12 subjectAltName RFC9115, Appendix A RFC5280, Section 4.2.1.6 (note that only specific name formats are allowed: URI, DNS name, email address) Specification Required Mary Barnes, Aaron Gable atc JSON Web Token (JWT) challenge type Specification Required Richard Barnes, Aaron Gable suggestedWindow object explanationURL string