From: Florian Obser <florian@openbsd.org>
Subject: Re: acme-client(1): insecure API urls
To: tech@openbsd.org
Date: Mon, 09 Jun 2025 01:57:29 +0200

On 2025-06-08 12:37 -06, Zack Newman <zack@philomathiclife.com> wrote:
>> any idea why?
>
> To "force" clients to behave properly
> (https://github.com/letsencrypt/pebble?tab=readme-ov-file#invalid-anti-replay-nonce-errors).
>

Indeed, sorry, I forgot to mention this publicly. The idea is to use
pebble for regress/usr.sbin/acme-client.

1) We can run the regress test completely locally without needing httpd
exposed to the internet on the regress machine
2) pebble prods and pokes RFC corner cases and common mistakes in acme
clients, so not handling nonce errors is a bug in acme-client(1) I have
to fix.

-- 
In my defence, I have been left unsupervised.