Options were not alphabetically sorted, which made it hard for someone
to find what he is looking for.
Also, the TOML specification link has been updated.
Being able to define root certificates in the command line is not enough
for two reasons:
1. It is always global, you cannot define a root certificate for a
specific endpoint.
2. Daemon scripts and unit files are not meant to be changed every time
you need to add a root certificate.
For those reasons, it is now to possible to define root certificates in
the configuration. Those defined in the `global` section will be used on
every endpoint, just like those added via the command line. Those
defined in an endpoint will be used in this endpoint only.
The part of code that are specific to OpenSSL are now included only if
the openssl feature is activated. The generic parts of code included in
OpenSSL specific files has been moved out.
RFC 8555 states that:
- when an account is successfully created, the server "returns this
account object" (section 7.3);
- the `orders` field in account objects is mandatory (section 7.1.2).
Despite that, Boulder does not returns the `orders` field when an
account is created. This non-standard behavior prevented ACMEd from
creating account and testing them for existence.
In order to allow ACMEd to retrieve certificates from CAs using Boulder,
the `orders` field is no longer mandatory and the account existence is
tested when the order is requested.
https://github.com/letsencrypt/boulder/issues/3335
The key hash is responsible for the initiation of a key rollover on
endpoints. Therefore, it should differ only when such an action is
required, which is only if the key pair has changed. For this, hashing
the public key is sufficient. Adding the signature algorithm will
generate unnecessary key rollovers.