xiaohuilam opened 3 years ago
Conclusion: acme.sh must remove (rm command) the old CA folder key before re-registering with a new EAB.
Yes, it was by design.
acme.sh remembers all the configs/parameters in its config dir and reuses them on renewal, so that the renewal can be fully automatic.
Thank you for clarifying.
But, as a rookie, my understanding is that we can consider a user calling renew
as placing a totally new initial order.
And I looked up the RFC 8555 standard (page 51); it encourages this:
If the client wishes to obtain a renewed certificate, the client
initiates a new order process to request one.
Maybe the only difference is that the CA possibly provides an FQDN challenge "cache", like Let's Encrypt's 90 days.
But we can still renew a cert in a new account by completing the challenge again. Based on this I suggest abandoning the old CA account credentials when acme.sh --register-account is run
for the same CA.
I think it will be risk-free, because with the 90- or 398-day challenge TTL there will be little impact, since the FQDN challenges (NS credential, or file generation permission) won't change. And even if the DNS credential/file challenge method fails on a new order instead of a so-called renew,
it will still be exposed after 90 days.
Steps to reproduce
a. try to register w/o removing the old one
zerossl
or ssl.com
b. try to register w/ removing the old one
zerossl
or ssl.com
rm -rf ~/.acme.sh/ca/acme.ssl.com
or locate zerossl's and remove it
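The steps above boil down to one operation: before re-registering with new EAB credentials, get the cached account directory for that CA out of the way, because acme.sh will otherwise reuse the stored account key and config. The following script is an added example, not acme.sh's own code and not part of the original issue. It assumes the layout the issue's own command shows (account material under ~/.acme.sh/ca/<CA host>; newer acme.sh versions may nest a further subdirectory under the host, so check the actual path on your system), and it moves the directory aside instead of rm -rf so the old account key stays recoverable. The ACME_HOME variable, the function names and the example URLs are assumptions made for this example.

```shell
#!/bin/sh
# Reset a cached acme.sh CA account before re-registering with new EAB credentials.
# Assumption (not from the issue): account material lives under $ACME_HOME/ca/<CA host>,
# matching the issue's own "rm -rf ~/.acme.sh/ca/acme.ssl.com" command.
set -eu

ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"

# Extract the host from an ACME directory URL (or accept a bare host unchanged).
#   https://acme.ssl.com/sslcom-dv-rsa -> acme.ssl.com
ca_host_from_url() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##'
}

# Move the cached account directory for the given CA aside (timestamped backup).
# Prints the backup path; prints nothing if no cached account existed.
reset_ca_account() {
    _host=$(ca_host_from_url "$1")
    _dir="$ACME_HOME/ca/$_host"
    if [ -d "$_dir" ]; then
        _bak="$_dir.bak.$(date +%Y%m%d%H%M%S)"
        # mv rather than rm -rf: the old account key remains available for
        # deactivation or rollback, but acme.sh no longer finds it under ca/.
        mv "$_dir" "$_bak"
        printf '%s\n' "$_bak"
    fi
}

# Typical use (acme.sh invocation left commented so the script runs offline):
#   reset_ca_account https://acme.ssl.com/sslcom-dv-rsa
#   acme.sh --register-account --server ssl.com \
#       --eab-kid "$NEW_EAB_KID" --eab-hmac-key "$NEW_EAB_HMAC_KEY"
```

After the reset, --register-account creates a fresh account key and account URL under ca/ for that CA; existing certificates continue to renew, but their next order is placed under the new account, so the domain challenges (DNS credential or webroot write access) must still be satisfiable.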