Authentication after updating CAA
I attempted to fetch a certificate and had forgotten to update CAA to include permission for Buypass. Obviously this failed, but after fixing this any further attempts with the same FQDN are rejected. The order object lists the existing (status: invalid) authorization and does not give the client any other auth to complete. Reading the RFC I see this:
authorizations (required, array of string): For pending orders, the authorizations that the client needs to complete before the requested certificate can be issued (see Section 7.5), including unexpired authorizations that the client has completed in the past for identifiers specified in the order.
I was wondering if it might be a client bug, but I don't see that it can do anything else. I thought maybe it could try deactivating the status:invalid auth, but the RFC only talks about a client deactivating a *valid* auth, so that's probably not possible. It seems like this is maybe a CA bug and it should be asking for a new auth?
The auth in question is https://api.buypass.com/acme-v02/authz/CbTBvDEi2Qwtk67RWtWQiAUivIa0BhVkEd3b30lq32U - this was a test certificate anyway so not hugely important to get it fixed, but it seems like the behaviour isn't correct.
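Added example, not part of the original post and not code from any ACME client or from Buypass: an offline CAA preflight of the kind that flags a missing CAA entry before an order is placed, following the RFC 8659 rules for the relevant RRset and the issue/issuewild properties. The zone contents, host names and the CA identifier `buypass.com` are constructed assumptions; CNAME handling and live DNS lookups are left out.

```python
# Added example: offline CAA preflight following RFC 8659 sections 3 and 4.
# All records below are constructed sample data, not real DNS answers.
# Each record is (flags, tag, value).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; return the first non-empty CAA RRset."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]  # a wildcard request starts at the parent name
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_domain(value):
    """Issuer part of an issue/issuewild value, without parameters."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(fqdn, ca_domain, zone):
    """True if the CA identified by ca_domain may issue for fqdn."""
    rrset = [(f, t.lower(), v) for f, t, v in relevant_rrset(fqdn, zone)]
    # Critical bit (0x80) on a property the CA does not understand forbids issuance.
    if any(f & 0x80 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild replaces issue for wildcard names and is ignored otherwise.
    props = issuewild if (fqdn.startswith("*.") and issuewild) else issue
    if not props:
        return True  # nothing in the set restricts issuance
    return any(issuer_domain(v) == ca_domain.lower() for v in props)

# Constructed zone before and after adding the CA (assumed identifier).
BEFORE = {"example.org": [(0, "issue", "other-ca.example"),
                          (0, "iodef", "mailto:security@example.org")]}
AFTER = {"example.org": BEFORE["example.org"] + [(0, "issue", "buypass.com")]}

if __name__ == "__main__":
    for name, zone in (("before", BEFORE), ("after", AFTER)):
        print(name, caa_permits("test.example.org", "buypass.com", zone))
```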