Support to get current account orders

[akalcik]

There is an issue with the current ACME v2 when orders list is an empty field in the account info. To be able to restore an account with the actual orders one can call ACME Rest API and downloaded actual orders see. It could be helpful to have this functionality.

[rmbolger]

Hi @akalcik, the issue you linked to in Boulder hasn't actually been fixed by the Let's Encrypt team yet. Posh-ACME does currently try to add the orders field to an account object if it's returned by the ACME server. But no real ACME CA I know of actually uses it yet. Do you know of one?

The Pebble testing server does implement the feature. But until there's a real CA to test against, this is a bit lower priority for me. I'm happy to leave the issue open as a reminder though.

[akalcik]

Hi, @rmbolger I thought it can be implemented to call API directly until it is fixed by the Let's Encrypt team. Fine for me to keep it open as a reminder.

[rmbolger]

I think you might be confusing the ACME protocol specification with the actual ACME implementation of the protocol by the Let's Encrypt team in their Boulder ACME server software. Posh-ACME already talks to Boulder directly. But Boulder does not currently know how to return the orders field on account objects. So until Boulder is fixed to support returning that field, Posh-ACME has no way to get a list of orders associated with an account from Let's Encrypt.

I double checked the other free ACME CAs I know of (BuyPass and ZeroSSL) and they both appear to at least be returning the URL for the orders field. So I may be able to implement this functionality against them. But it won't fix Let's Encrypt until Let's Encrypt fixes Boulder.

[akalcik]

Thx for the amazing explanation! Fine for me to wait for a fix.

[rmbolger]

I did a little more digging with BuyPass and ZeroSSL. It looks like that while both currently present the orders field on an account, neither one actually has a working implementation yet. When you query the URL on BuyPass, you always get an empty result even if you just created a fresh order on the account. When you query it on ZeroSSL, you get an explicit ACME error with the message, "Not yet implemented."

So it looks like it still might be a while until this is possible on any of the free ACME CAs.

Out of curiosity, how do you see this feature working within Posh-ACME? My first idea was to make it an additional parameter set within the Get-PAOrder function. It would either take an explicit -OrdersUri parameter or you could just pipe an account object to it like this:

Get-PAAccount | Get-PAOrder

But since this is only going to return the order data stored on the ACME server, the output will look pretty empty compared to the normal Get-PAOrder output with the additional metadata added by the module when you create an order from scratch.

I guess a better question might be, what's the use-case for the data once you can get it?