acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Why can not register new eab credential (eab-kid) w/o removal old? #3640

Open xiaohuilam opened 3 years ago

xiaohuilam commented 3 years ago

Steps to reproduce

a. Try to register without removing the old one

b. Try to register after removing the old one


Conclusion: acme.sh must remove (with the rm command) the old CA folder's key before a new EAB can be re-registered.

Neilpang commented 3 years ago

Conclusion: acme.sh must remove (with the rm command) the old CA folder's key before a new EAB can be re-registered.

Yes, it was by design.

acme.sh remembers all the configs/parameters in its config dir and reuses them on renewal, so that the renewal can be fully automatic.

xiaohuilam commented 3 years ago

Thank you for clarifying.

But, as a rookie, my understanding is that we can treat what you call a renewal as a totally new initial order. And I looked up RFC 8555 (page 51); the standard encourages this:

   If the client wishes to obtain a renewed certificate, the client
   initiates a new order process to request one.

Maybe the only difference is that the CA possibly provides an FQDN challenge "cache", like Let's Encrypt's 90 days.

But we can still renew a cert under a new account by completing the challenge again. Based on this, I suggest abandoning the old CA account credentials when acme.sh --register-account is run for the same CA. I think it will be risk-free, because of the challenge's 90- or 398-day TTL; there will be little impact, because the FQDN challenges (NS credentials, or file-generation permission) won't change. And even if the DNS-credential/file challenge method fails on a new order instead of a so-called renewal, it would still be exposed after 90 days.
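The thread above boils down to one design fact: acme.sh persists the account it registered with a CA and reuses it, so registering new EAB credentials for the same CA only takes effect once that stored state is gone. The script below is an added example written for this page, not code from acme.sh or from either participant. It moves the stored CA account aside to a timestamped backup instead of deleting it (the old account key may still be needed to revoke certificates or deactivate the account), and it skips the rotation when the stored EAB key ID already matches the one about to be registered. It assumes, without confirmation from the thread, that acme.sh keeps per-CA state under `$LE_CONFIG_HOME/ca/<ca-host>/` as `account.key`, `account.json` and a `ca.conf` containing a line of the form `CA_EAB_KEY_ID='...'`; adjust the paths if your install differs. The names `rotate_ca_account`, `stored_eab_kid` and `rotate_if_new_eab` are this example's own.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Assumed layout (verify on your system):
#   $CONFIG_HOME/ca/<ca-host>/{account.key,account.json,ca.conf}
# where ca.conf holds lines such as CA_EAB_KEY_ID='...'.

# stored_eab_kid CONFIG_HOME CA_HOST
# Prints the EAB key ID recorded in ca.conf (empty if the line is absent).
# Returns 1 when no ca.conf exists for that CA.
stored_eab_kid() {
  conf="$1/ca/$2/ca.conf"
  [ -f "$conf" ] || return 1
  # Assumed acme.sh conf format: KEY='value'; strip the key and the quotes.
  sed -n "s/^CA_EAB_KEY_ID='\(.*\)'\$/\1/p" "$conf"
}

# rotate_ca_account CONFIG_HOME CA_HOST
# Moves ca/CA_HOST to ca/CA_HOST.bak.<timestamp> so the next
# `acme.sh --register-account --eab-kid ... --eab-hmac-key ...` creates a
# fresh account rather than reusing the persisted one. Prints the backup
# path. Returns 1 if there is nothing to rotate or the move fails.
rotate_ca_account() {
  cfg="$1"; ca="$2"
  cadir="$cfg/ca/$ca"
  if [ ! -d "$cadir" ]; then
    echo "no stored account for $ca under $cfg" >&2
    return 1
  fi
  stamp=$(date +%Y%m%d%H%M%S)
  backup="$cfg/ca/$ca.bak.$stamp"
  mv "$cadir" "$backup" || return 1
  # The backup still holds a private account key: keep it owner-only.
  chmod 700 "$backup"
  echo "$backup"
}

# rotate_if_new_eab CONFIG_HOME CA_HOST NEW_KID
# Rotates only when the stored kid differs from NEW_KID. Returns 2 (and
# leaves everything in place) when they already match, so a scripted
# re-registration does not needlessly discard a working account.
rotate_if_new_eab() {
  cfg="$1"; ca="$2"; newkid="$3"
  oldkid=$(stored_eab_kid "$cfg" "$ca" 2>/dev/null)
  if [ -n "$oldkid" ] && [ "$oldkid" = "$newkid" ]; then
    echo "stored EAB kid already matches $newkid; nothing to do" >&2
    return 2
  fi
  rotate_ca_account "$cfg" "$ca"
}

# Interactive usage: rotate_eab.sh ~/.acme.sh <ca-host> <new-eab-kid>
if [ "$#" -eq 3 ]; then
  if backup=$(rotate_if_new_eab "$1" "$2" "$3"); then
    echo "old account state saved in $backup"
    echo "now run: acme.sh --register-account --server <directory-url> --eab-kid $3 --eab-hmac-key <hmac-key>"
  fi
fi
```

Run it with the config home, the CA's host name as it appears under `ca/`, and the new key ID before invoking `acme.sh --register-account`. Keep the backup until you have confirmed that the first renewal under the new account succeeds; only then is it safe to discard the old account key.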