diff --git a/third_party/crypto/acme/acme.go b/third_party/crypto/acme/acme.go
index 86f1009c0..a0adbf2dc 100644
--- a/third_party/crypto/acme/acme.go
+++ b/third_party/crypto/acme/acme.go
@@ -255,7 +255,7 @@ func (c *Client) FinalizeOrder(ctx context.Context, finalizeURL string, csr []by
 // If a caller needs to poll an order until its status is final,
 // see the WaitOrder method.
 func (c *Client) GetOrder(ctx context.Context, url string) (*Order, error) {
- res, err := c.get(ctx, url)
+ res, err := c.postWithJWSAccount(ctx, url, nil)
 if err != nil {
 return nil, err
 }
@@ -373,7 +373,7 @@ func (c *Client) UpdateAccount(ctx context.Context, a *Account) (*Account, error
 // If a caller needs to poll an authorization until its status is final,
 // see the WaitAuthorization method.
 func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) {
- res, err := c.get(ctx, url)
+ res, err := c.postWithJWSAccount(ctx, url, nil)
 if err != nil {
 return nil, err
 }
@@ -419,7 +419,7 @@ func (c *Client) DeactivateAuthorization(ctx context.Context, url string) error
 func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) {
 sleep := sleeper(ctx)
 for {
- res, err := c.get(ctx, url)
+ res, err := c.postWithJWSAccount(ctx, url, nil)
 if err != nil {
 return nil, err
 }
@@ -463,7 +463,7 @@ func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorizat
 //
 // A client typically polls a challenge status using this method.
 func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) {
- res, err := c.get(ctx, url)
+ res, err := c.postWithJWSAccount(ctx, url, nil)
 if err != nil {
 return nil, err
 }
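Review bot: The doc comment above GetOrder still reads as a plain fetch, but the new call goes through `postWithJWSAccount`, so the request is now signed with the account key and sent to whatever `url` the caller supplies. The same applies to GetAuthorization, WaitAuthorization and GetChallenge in this file section, and to GetCertificate further down, which has no doc comment at all. I would add a line such as `// The request is a POST-as-GET (RFC 8555 §6.3) signed with the account key; url must be one returned by the CA.` to each of them. postWithJWSAccount is defined outside the diff, so whether it fails cleanly when no account is registered has to be checked there.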
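Review bot: Inside the `for` loop of WaitAuthorization every poll is now a signed POST, and `if err != nil { return nil, err }` ends the wait on the first error of any kind. A signed request can fail for reasons an anonymous GET could not, for example a rejected nonce, so it is worth confirming that `postWithJWSAccount` (not shown in the diff) retries those itself; otherwise one transient failure aborts an authorization that would have completed. The loop body continues past the end of the hunk, so any retry handling further down is not visible here.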
@@ -488,15 +488,7 @@ func (c *Client) AcceptChallenge(ctx context.Context, chal *Challenge) (*Challen
 return nil, err
 }

- auth, err := keyAuth(c.Key.Public(), chal.Token)
- if err != nil {
- return nil, err
- }
-
- req := struct {
- Auth string `json:"keyAuthorization"`
- }{auth}
- res, err := c.postWithJWSAccount(ctx, chal.URL, req)
+ res, err := c.postWithJWSAccount(ctx, chal.URL, json.RawMessage(`{}`))
 if err != nil {
 return nil, err
 }
@@ -819,7 +811,7 @@ func nonceFromHeader(h http.Header) string {
 }

 func (c *Client) GetCertificate(ctx context.Context, url string) ([][]byte, error) {
- res, err := c.get(ctx, url)
+ res, err := c.postWithJWSAccount(ctx, url, nil)
 if err != nil {
 return nil, err
 }
diff --git a/third_party/crypto/acme/jws.go b/third_party/crypto/acme/jws.go
index 8ca8dbc91..1b514cccb 100644
--- a/third_party/crypto/acme/jws.go
+++ b/third_party/crypto/acme/jws.go
@@ -36,11 +36,14 @@ func jwsEncodeJSON(claimset interface{}, key crypto.Signer, accountURL, url, non
 phead = fmt.Sprintf(`{"alg":%q,"kid":%q,"nonce":%q,"url":%q}`, alg, accountURL, nonce, url)
 }
 phead = base64.RawURLEncoding.EncodeToString([]byte(phead))
- cs, err := json.Marshal(claimset)
- if err != nil {
- return nil, err
+ payload := ""
+ if claimset != nil {
+ cs, err := json.Marshal(claimset)
+ if err != nil {
+ return nil, err
+ }
+ payload = base64.RawURLEncoding.EncodeToString(cs)
 }
- payload := base64.RawURLEncoding.EncodeToString(cs)
 hash := sha.New()
 hash.Write([]byte(phead + "." + payload))
 sig, err := jwsSign(key, sha, hash.Sum(nil))
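Review bot: The new AcceptChallenge call sends a `json.RawMessage` holding `{}` while the read methods in this commit pass `nil`, and nothing on the line says why the two differ. With the jws.go change in the same commit, `nil` produces an empty payload and the raw `{}` produces an empty JSON object, so a later cleanup that swaps one for the other would silently change what is signed and sent. A one-line comment above the call would pin this, e.g. `// RFC 8555 §7.5.1: a challenge response carries an empty JSON object, not an empty payload.` The function starts and ends outside the hunk.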
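Review bot: The `claimset != nil` test in jwsEncodeJSON only catches an untyped nil. A nil pointer or a nil `json.RawMessage` stored in the `interface{}` parameter is non-nil at that comparison and is marshalled to `null`, so the request would carry a payload instead of the empty one that POST-as-GET needs. Every caller in this diff passes a literal `nil`, so nothing is broken today, but the contract should be written down on the function, e.g. `// A nil claimset yields an empty payload (POST-as-GET); pass an untyped nil, a typed nil is encoded as JSON null.` The signature and doc comment of jwsEncodeJSON lie outside the hunk.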