Pebble v2.3.0

Features:

* Added an ACME account "orders list" endpoint for finding order URLs associated with an account. See RFC 8555 §7.1.2.1.
* Updated pebble-challtestsrv with an API for mocking DNS `SERVFAIL` responses for a hostname.
* Added support for ACME external account binding (EAB) for new account requests. See RFC 8555 §7.3.4.

Bug-fixes:

* The `pebble-challtestsrv` mock CNAME delete API is fixed to remove the CNAME mock record instead of the CAA mock record for the given hostname.
* Changed `PEBBLE_ALTERNATE_ROOTS` intermediate certificates to have the same subject, matching the issuer of issued leaf certificates.
* Fixed key rollover request handling for requests that fail inner JWS verification.
* Finalize requests that include a CSR that specifies a certificate public key already used by an ACME account now receive a `badCSR` type problem. See RFC 8555 §11.1.
* Authorizations for ACME-IP identifiers are fixed to only contain HTTP-01 and TLS-ALPN-01 challenges, not DNS-01. See draft-ietf-acme-ip §7.
* Added support for POST-as-GET requests in addition to GET/HEAD for directory and newNonce endpoints. See RFC §6.3.
* Fixed handling of HTTP-01 validation requests that are redirected to a different port (e.g. `443`).

Misc:

* A Subject Key Identifier value is now included in all issued certificates. See RFC 5280 §4.2.1.2.
* The Pebble ACME API and management API ports (`14000` and `15000`) are now marked exposed in Dockerfile metadata.
* TLS 1.3 for Pebble's validation requests is explicitly enabled by env var in the Docker environment.
* The project and CI now use Go 1.13 and `golangci-lint` v1.21.0.

New configuration options:

* The `PEBBLE_WFE_ORDERS_PER_PAGE` env var can be used to control the account orders list endpoint's pagination. By default up to 15 order URLs are returned per response.
* The `"externalAccountBindingRequired"` config file boolean field can be used to control whether all `newAccount` requests must use external account binding.
* The `"externalAccountMACKeys"` config file key/value object field can be used to specify external account binding key IDs and encoded MAC keys. See `test/config/pebble-config-external-account-binding.json` for an example.

Heartfelt thanks to @felixfontein, @sergioaugrod, @0pq76r, @Drakezul, @JoshVanL and @munnerz for their contributions to this release.
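To show what the external account binding options above are checked against, here is an added sketch (not Pebble's own code) of the RFC 8555 §7.3.4 binding: an HS256 JWS over the account's public JWK, keyed by a key ID and MAC key of the kind listed in `"externalAccountMACKeys"`. All function and type names, the sample key, JWK and URL are constructed for illustration; it assumes the MAC keys are base64url-encoded, as RFC 8555 recommends, and compares the JWK byte-for-byte rather than by key equality.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

var b64 = base64.RawURLEncoding

// EAB is the flattened JWS sent as newAccount's "externalAccountBinding" (illustrative type).
type EAB struct{ Protected, Payload, Signature string }

// tag is the base64url HMAC-SHA256 of the JWS signing input.
func tag(key []byte, e EAB) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(e.Protected + "." + e.Payload))
	return b64.EncodeToString(h.Sum(nil))
}

// SignEAB (client side) MACs the account's public JWK under the CA-issued key.
func SignEAB(kid string, key, jwk []byte, url string) EAB {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "url": url})
	e := EAB{Protected: b64.EncodeToString(hdr), Payload: b64.EncodeToString(jwk)}
	e.Signature = tag(key, e)
	return e
}

// VerifyEAB (server side): keys maps key ID -> base64url MAC key (assumed encoding).
func VerifyEAB(e EAB, keys map[string]string, jwk []byte, url string) error {
	var hdr struct{ Alg, Kid, URL string }
	raw, err := b64.DecodeString(e.Protected)
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" || hdr.URL != url {
		return fmt.Errorf("bad protected header: want HS256 and the newAccount url")
	}
	key, err := b64.DecodeString(keys[hdr.Kid])
	if err != nil || len(key) == 0 || e.Payload != b64.EncodeToString(jwk) ||
		!hmac.Equal([]byte(e.Signature), []byte(tag(key, e))) {
		return fmt.Errorf("unknown key ID, or binding does not match the account key")
	}
	return nil
}

func main() {
	key, jwk, url := []byte("constructed-demo-key"), []byte(`{"kty":"EC"}`), "https://ca.example/new-acct"
	keys := map[string]string{"kid-1": b64.EncodeToString(key)} // constructed key ID and key
	fmt.Println(VerifyEAB(SignEAB("kid-1", key, jwk, url), keys, jwk, url))
}
```

A binding verifies only for the account key it was computed over, so a captured `externalAccountBinding` object cannot be attached to a `newAccount` request signed by a different key.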