I attempted to fetch a certificate and had forgotten to update CAA to include permission for buypass. Obviously this failed, but after fixing this any further attempts with the same fqdn are rejected. The order object lists the existing (status: invalid) authorization and does not give the client any other auth to complete. Reading the RFC I see this:

   authorizations (required, array of string):  For pending orders, the
      authorizations that the client needs to complete before the
      requested certificate can be issued (see Section 7.5), including
      unexpired authorizations that the client has completed in the past
      for identifiers specified in the order.

I was wondering if it might be a client bug, but I don't see that it can do anything else. I thought maybe it could try deactivating the status:invalid auth, but the RFC only talks about a client deactivating a *valid* auth, so that's probably not possible. It seems like this is maybe a CA bug and it should be asking for a new auth?

The auth in question is https://api.buypass.com/acme-v02/authz/CbTBvDEi2Qwtk67RWtWQiAUivIa0BhVkEd3b30lq32U - this was a test certificate anyway so not hugely important to get it fixed, but it seems like the behaviour isn't correct.