I’d like to know what the recommended practice is regarding user registrations for a service that manages several certificates for different domains and customers (e.g. a hosting provider or a service/library).
I noticed that:
- if you hit the new-reg with a `<key,contact>` pair that already exists, LE rejects the registration with a 409 (per the ACME policy)
- if you hit the new-reg with a `<key,contact>` pair where the contact already exists (e.g. same email) but the key is different, a new user is registered (and that was surprising to me, I can essentially have infinite users with the same email but different keys)
What is then the recommended practice in this case? Should I:
- issue a new registration for each customer, and use it for the domains connected to the customer
- issue a new registration for each domain
- issue a new registration once, as a single account, and reuse the same account to request the certs for each domain and customer
What’s the current policy adopted by the official client?