Thanks. Yes, that's basically what I had in mind. Two more nits:

> +	if ((order->certificate = json_getstr(n, "certificate")) != NULL) {
> +		return 0;

Unfortunately, style(9) tells us to remove "unnecessary" braces (by
only permitting them for statements that longer than a single line).

>  	}
> +
>  	return 1;
>  }
>  
> @@ -508,7 +509,6 @@ json_free_order(struct order *order)
>  		free(order->auths[i]);
>  	free(order->auths);
>  
> -	order->finalize = NULL;
>  	order->auths = NULL;
>  	order->authsz = 0;
>  }
> diff --git usr.sbin/acme-client/netproc.c usr.sbin/acme-client/netproc.c
> index 70a069bc095..e200b17196b 100644
> --- usr.sbin/acme-client/netproc.c
> +++ usr.sbin/acme-client/netproc.c
> @@ -412,7 +412,7 @@ donewacc(struct conn *c, const struct capaths *p, const char *contact)
>  {
>  	struct jsmnn	*j = NULL;
>  	int		 rc = 0;
> -	char		*req, *detail, *error = NULL, *accturi = NULL;
> +	char		*req, *detail = NULL, *error = NULL, *accturi = NULL;
>  	long		 lc;
>  
>  	if ((req = json_fmt_newacc(contact)) == NULL)
> @@ -430,6 +430,7 @@ donewacc(struct conn *c, const struct capaths *p, const char *contact)
>  				free(error);
>  			}
>  		}
> +		free(detail);

You moved this free too far down. If you do

			free(detail);
		}

instead you don't need to add the initialization.

>  	} else if (lc != 200 && lc != 201)
>  		warnx("%s: bad HTTP: %ld", p->newaccount, lc);
>  	else if (c->buf.buf == NULL || c->buf.sz == 0)
> 
>