Add note about required headers

The required header `Cache-Control: no-store` is automatically set by Vault in wrapGenericHandler(...). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
hashicorp · May 24, 2023 · 21b14de · 21b14de
1 parent 1ebfb60
commit 21b14de
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/website/content/api-docs/secret/pki.mdx b/website/content/api-docs/secret/pki.mdx
@@ -120,7 +120,9 @@ manage protocol](https://datatracker.ietf.org/doc/html/rfc8555) for issuing
 and renewing leaf server certificates.
 
 In order to use ACME, a [cluster path](#set-cluster-configuration) must be
-set and ACME must be [enabled in its configuration](#set-acme-configuration).
+set and ACME must be [enabled in its configuration](#set-acme-configuration)
+with the [required headers](#acme-required-headers) enabled on the mount
+tuning.
 
 Using ACME with a role require `no_store=false` to be set on the role; this
 allows the certificate to be stored and later fetched through the ACME
@@ -192,6 +194,23 @@ Vault endpoint, but not further to the client's entity or other information.
 ACME Accounts are created specific to a particular directory and are not
 portable across Performance Secondary clusters.
 
+#### ACME Required Headers
+
+ACME requires the following response headers (`allowed_response_headers`)
+to be specified by [mount tuning](/vault/api-docs/system/mounts#tune-mount-configuration):
+
+ - `Replay-Nonce`
+ - `Link`
+ - `Location`
+
+On an existing mount, these can be specified by running the following command:
+
+```
+$ vault secrets tune -allowed-response-headers=Location -allowed-response-headers=Replay-Nonce \
+                     -allowed-response-headers=Link \
+                     pki/
+```
+
 ### Get ACME EAB Binding Token
 
 This endpoint returns a new ACME binding token. The `id` response field can