
Comments (4)

rmbolger commented on May 24, 2024

No worries. The Get-PAAccount -Refresh actually used to happen more frequently under the hood as a way to more gracefully prevent errors that would come up if an account had been deactivated elsewhere. But I took most of them out a while back to make things more efficient and because an annoying number of commercial CAs didn't actually support POST-as-GET requests on the account object for some dumb reason. There's actually a Set-PAServer -UseAltAccountRefresh switch to change how the module does account refreshes to use the newAcct endpoint with onlyReturnExisting as a workaround for those broken CAs.

In any case, yeah. We can close this I think.

from posh-acme.

jamesaepp commented on May 24, 2024

Hah! I didn't notice the author at first when originally reviewing this thread, I'll just drop it without further comment. :)

https://community.letsencrypt.org/t/should-clients-expect-acme-server-may-drop-accounts/193503/4

from posh-acme.

rmbolger commented on May 24, 2024

Hey @jamesaepp, thanks for reaching out. As far as I can tell, there's no way to query the current value of termsOfServiceAgreed on an account. Both a standard POST-as-GET request on the account and a new account request with the onlyReturnExisting flag only return the status, public key info, contact, and some other metadata. The RFC basically says it's a write-only property on the account that is accepted during account creation. It's also explicitly ignored in an account update request.

Section 7.3.3 talks about what happens if a CA needs to change their ToS and require users to accept those changes. It basically involves the CA throwing an ACME error on subsequent requests with a URL link intended for a human to use to re-accept the ToS for that account.

From the perspective of "Is this account still sane?", I think the status field on the account should be sufficient for that purpose at least as far as the ACME protocol is concerned. You can get the current status value with Get-PAAccount -Refresh which explicitly does a POST-as-GET on the account object to check for updates (such as an account being deactivated elsewhere).

from posh-acme.
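
The check described in the comment above, as an added example that is not part of the thread and not Posh-ACME code: it classifies an ACME response by the account status field and recognizes the RFC 8555 section 7.3.3 userActionRequired error with its terms-of-service link. The function names, the ca.example URLs and the sample responses are constructed for illustration.

```python
import json
import re

USER_ACTION = "urn:ietf:params:acme:error:userActionRequired"
LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?([^";,]+)"?')

# Constructed sample responses (not captured from any CA).
ACCOUNT_VALID = (200, {"Content-Type": "application/json"},
    '{"status": "valid", "contact": ["mailto:admin@example.com"],'
    ' "orders": "https://ca.example/acct/1/orders"}')
ACCOUNT_DEACTIVATED = (200, {"Content-Type": "application/json"},
    '{"status": "deactivated", "contact": []}')
TOS_CHANGED = (403, {
    "Content-Type": "application/problem+json",
    "Link": '<https://ca.example/dir>;rel="index", '
            '<https://ca.example/tos/v2>;rel="terms-of-service"'},
    '{"type": "urn:ietf:params:acme:error:userActionRequired",'
    ' "detail": "Terms of service have changed",'
    ' "instance": "https://ca.example/agree?token=PLACEHOLDER"}')

def tos_link(link_header):
    """Return the rel="terms-of-service" URL from a Link header, or None."""
    for url, rel in LINK_RE.findall(link_header or ""):
        if rel.strip() == "terms-of-service":
            return url
    return None

def assess(status_code, headers, body):
    """Classify one ACME response for an account health check."""
    doc = json.loads(body)
    if headers.get("Content-Type", "").startswith("application/problem+json"):
        if status_code == 403 and doc.get("type") == USER_ACTION:
            # Section 7.3.3: "instance" is the page a human visits to re-accept.
            return {"state": "tos-reaccept-needed",
                    "visit": doc.get("instance"),
                    "terms": tos_link(headers.get("Link"))}
        return {"state": "error", "type": doc.get("type")}
    status = doc.get("status")  # valid, deactivated or revoked
    return {"state": "ok" if status == "valid" else "unusable",
            "status": status,
            # Records whether the response exposed the ToS flag at all.
            "tos_visible": "termsOfServiceAgreed" in doc}

if __name__ == "__main__":
    for sample in (ACCOUNT_VALID, ACCOUNT_DEACTIVATED, TOS_CHANGED):
        print(assess(*sample))
```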

jamesaepp commented on May 24, 2024

@rmbolger I totally missed the -Refresh parameter, thank you! With that parameter, I think that solves the goal I mentioned and you referenced in your last paragraph.

Not sure if we want to keep this feature request or not given your other research into the ToS and (seemingly) lack of utility with the onlyReturnExisting bool.

from posh-acme.
