From 78a54ac1804bb3e74dae5ce4ffbda009229776a6 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Wed, 1 Apr 2026 19:35:05 +0200
Subject: [PATCH 1/2] Add accounturi to dns-persist-01 challenges

This has been added to draft 01: https://www.ietf.org/archive/id/draft-ietf-acme-dns-persist-01.html#section-3.1
---
 acme/common.go | 1 +
 wfe/wfe.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/acme/common.go b/acme/common.go
index 64aa9814..a0bc5d27 100644
--- a/acme/common.go
+++ b/acme/common.go
@@ -86,6 +86,7 @@ type Challenge struct {
  URL string `json:"url"`
  Token string `json:"token,omitempty"`
  Status string `json:"status"`
+ AccountURI string `json:"accounturi,omitempty"`
  IssuerDomainNames []string `json:"issuer-domain-names,omitempty"`
  Validated string `json:"validated,omitempty"`
  Error *ProblemDetails `json:"error,omitempty"`
diff --git a/wfe/wfe.go b/wfe/wfe.go
index 54f65e19..1886af84 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -1625,6 +1625,7 @@ func (wfe *WebFrontEndImpl) makeChallenge(
  }
  if chalType == acme.ChallengeDNSPersist01 {
  chal.IssuerDomainNames = append([]string(nil), wfe.caaIdentities...)
+ chal.AccountURI = wfe.relativeEndpoint(request, fmt.Sprintf("%s%s", acctPath, authz.Order.AccountID))
  }
 
  // Add it to the in-memory database

From 7a35adb513791d6668c98856ebd134df208dee16 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Mon, 20 Apr 2026 19:57:12 +0200
Subject: [PATCH 2/2] Add comment that reusing the Host header in the account URI is OK for Pebble, but not in general.

Co-authored-by: Aaron Gable
---
 wfe/wfe.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/wfe/wfe.go b/wfe/wfe.go
index 1886af84..3e4973fb 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
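Review bot: The new `AccountURI` field on `Challenge` is undocumented, and nothing in the struct says that it is populated only for dns-persist-01 challenges or what it holds, which is exactly the kind of field a client author will look up. A one-line field comment would cover it: `// AccountURI is the URL of the account that created the order; set only on dns-persist-01 challenges (draft-ietf-acme-dns-persist-01 §3.1).` The "set only on dns-persist-01" part follows from the wfe.go hunk in this patch, where the assignment sits inside the `chalType == acme.ChallengeDNSPersist01` branch. The rest of the `Challenge` struct extends beyond this hunk on both sides.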
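Review bot: The added line builds the account URL by hand with `fmt.Sprintf("%s%s", acctPath, authz.Order.AccountID)`, which is plain concatenation and reads more simply as `acctPath + authz.Order.AccountID`. The more important concern is consistency rather than style: the value a client receives here is what it publishes in its DNS record as `accounturi`, so it has to be byte-identical to the account URL the WFE hands out elsewhere (the new-account Location header / the `kid` clients sign with), and a second hand-rolled construction is the easy way for the two to drift. If the WFE already has a helper that produces the account URL for the Location header, it is worth calling that same helper here; I cannot see it from this hunk, so treat this as something to confirm. `makeChallenge` begins and ends outside the hunk.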
@@ -1625,6 +1625,9 @@ func (wfe *WebFrontEndImpl) makeChallenge(
  }
  if chalType == acme.ChallengeDNSPersist01 {
  chal.IssuerDomainNames = append([]string(nil), wfe.caaIdentities...)
+ // Note: By using web.relativeEndpoint here, Pebble will reflect the Host header
+ // into the accountURI here. This would not be acceptable in a security-conscious
+ // context, but is okay for Pebble.
  chal.AccountURI = wfe.relativeEndpoint(request, fmt.Sprintf("%s%s", acctPath, authz.Order.AccountID))
  }
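Review bot: The new comment names `web.relativeEndpoint`, but the call on the next line is `wfe.relativeEndpoint`; there is no `web` receiver in scope, so the comment points a reader at a function that does not exist. It also says "here" twice and does not say why reflecting Host matters, which is the part a reader of a security note wants: the value is what the client publishes in DNS, so a CA that trusts the request's Host header lets whoever controls that header (a misconfigured proxy, a client on a shared hostname) choose the origin that ends up in the record. A tighter version: `// Note: wfe.relativeEndpoint takes scheme and host from the request, so Pebble` / `// reflects the client-supplied Host header into accounturi. A production CA must` / `// derive this from its configured base URL instead; for a test CA this is fine.` One thing I cannot check from this hunk is whether the validation side compares the TXT record's accounturi against the same Host-derived value or against a stored canonical account URL; if it is the latter, a client that reaches Pebble under a different hostname at validation time than at challenge time will fail, which is worth confirming. `makeChallenge` begins and ends outside the hunk.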