Authentication after updating CAA

I attempted to fetch a certificate and had forgotten to update CAA to include permission for buypass. Obviously this failed, but after fixing this any further attempts with the same fqdn are rejected. The order object lists the existing (status: invalid) authorization and does not give the client any other auth to complete. Reading the RFC I see this:

   authorizations (required, array of string):  For pending orders, the
      authorizations that the client needs to complete before the
      requested certificate can be issued (see Section 7.5), including
      unexpired authorizations that the client has completed in the past
      for identifiers specified in the order.

I was wondering if it might be a client bug, but I don't see that it can do anything else. I thought maybe it could try deactivating the status:invalid auth, but the RFC only talks about a client deactivating a *valid* auth, so that's probably not possible. It seems like this is maybe a CA bug and it should be asking for a new auth?

The auth in question is https://api.buypass.com/acme-v02/authz/CbTBvDEi2Qwtk67RWtWQiAUivIa0BhVkEd3b30lq32U - this was a test certificate anyway so not hugely important to get it fixed, but it seems like the behaviour isn't correct.

1 reply
Hi Stuart Henderson

We have identified a bug and deployed a fix yesterday.

Please let us know in case you still experience issues getting a certificate.




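Added example, not part of the original thread and not Buypass or any client's own code: a client-side check for the situation described in the question, where a pending order lists only an authorization that is already `invalid`, so there is nothing the client can complete. The function name, action strings and `example.test` URLs are hypothetical, and the sample objects are constructed.

```python
# Added example with constructed ACME objects; URLs and names are hypothetical.
# Assumption: an authorization in one of these states can never become valid.
DEAD_AUTHZ = {"invalid", "deactivated", "expired", "revoked"}

def next_step(order, authz_by_url):
    """Return (action, authz_urls) for an order object and its fetched authorizations."""
    status = order["status"]
    if status == "ready":
        return "finalize", []
    if status in ("processing", "valid"):
        return "poll-or-download", []
    if status == "invalid":
        return "new-order", []
    # status == "pending": inspect every authorization the CA listed.
    dead, todo = [], []
    for url in order["authorizations"]:
        state = authz_by_url[url]["status"]
        if state in DEAD_AUTHZ:
            dead.append(url)
        elif state == "pending":
            todo.append(url)
    if dead:
        # The case from the post: nothing here can be completed by the client.
        return "stuck-report-to-ca", dead
    if todo:
        return "complete-challenges", todo
    return "poll-order", []  # all authorizations valid, order not yet ready

# Constructed sample: a fresh pending order that reuses a failed authorization.
SAMPLE_AUTHZ = {
    "https://acme.example.test/authz/1": {
        "status": "invalid",
        "identifier": {"type": "dns", "value": "www.example.test"},
    },
}
SAMPLE_ORDER = {
    "status": "pending",
    "identifiers": [{"type": "dns", "value": "www.example.test"}],
    "authorizations": ["https://acme.example.test/authz/1"],
}

if __name__ == "__main__":
    print(next_step(SAMPLE_ORDER, SAMPLE_AUTHZ))
```

Logging the returned authorization URLs gives the CA the identifier it needs to look up the failed authorization, as the question did by quoting the authz URL.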

Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.
