Automatic recycling of pending authorizations

We’ve just enabled “pending authorization recycling.” This means that if you create a pending authorization but don’t complete it (for instance because your client crashed), the next time your client requests an authorization for the same domain name, you will get back the existing pending authorization, so long as there is at least an hour left before it expires. Pending authorizations currently expire 7 days after they are created.

There are two reasons for this change: It reduces resource usage from clients operating in a crash loop. More interesting for most users, it should dramatically reduce the risk and impact of getting into a “too many pending authorizations” rate limited state.

It used to be the case that if a client was crashing, or more rarely if there were network failures between a client and Let’s Encrypt, it was possible to “leak” a large number of pending authorizations and hit the rate limit. For technical reasons, the rate limit’s window is the same as the pending authorization lifetime, 7 days. Which often meant a long and painful wait for the rate limited state to clear. Now that shouldn’t be as much of an issue. Clients that automatically retry will pick up the leaked pending authorizations on their next attempt and complete them. Generally speaking no code change should be necessary.

Note that this is similar to, but not the same as, the valid authorization recycling implemented in July 2016. That recycling applied to authorizations that had been already validated, not pending authorizations.