From my understanding of the ACME spec and the boulder/pebble implementations…
- Once a Challenge fails, its status is marked “invalid” and it may not be triggered again.
- Assuming a client is only supporting http-01 authorization, once that challenge status transitions to “invalid”, the order is essentially “invalid”. To retry the authorization/challenge for the domain, a client must request a new order.
- The ACME server may recycle the Authorization Objects and/or Challenge Objects, but they will be part of a new order.
Is that correct?
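
The status propagation discussed in the post, modeled on RFC 8555 section 7.1.6, as an added example that is not part of the original post and is not Boulder or Pebble code. The function names and sample objects are constructed for illustration, statuses are derived from the challenges instead of read from the server's own `status` fields, and the expired, deactivated and revoked states are left out.

```python
# Simplified model of RFC 8555 section 7.1.6 status changes (added example).
# All objects below are constructed sample data, not real server responses.

def authz_status(authz):
    """Derive an authorization's status from its challenges."""
    statuses = [c["status"] for c in authz["challenges"]]
    if "valid" in statuses:
        return "valid"        # one valid challenge validates the authorization
    if "invalid" in statuses:
        return "invalid"      # a failed attempt while pending is terminal
    return "pending"


def order_status(authzs):
    """Derive the pre-finalization order status from its authorizations."""
    derived = [authz_status(a) for a in authzs]
    if "invalid" in derived:
        return "invalid"      # any authorization failure invalidates the order
    if all(s == "valid" for s in derived):
        return "ready"        # every identifier is authorized
    return "pending"


def next_action(authzs, supported=("http-01",)):
    """Decide the next step for a client limited to `supported` challenge types."""
    status = order_status(authzs)
    if status == "invalid":
        return "new-order"    # invalid is final: a retry needs a new order
    if status == "ready":
        return "finalize"
    todo = [(a["identifier"]["value"], c["type"])
            for a in authzs if authz_status(a) == "pending"
            for c in a["challenges"]
            if c["type"] in supported and c["status"] == "pending"]
    return ("respond", todo) if todo else "wait"


def sample_authz(domain, http01, dns01="pending"):
    """Build a constructed authorization object with two challenge types."""
    return {"identifier": {"type": "dns", "value": domain},
            "challenges": [{"type": "http-01", "status": http01},
                           {"type": "dns-01", "status": dns01}]}


if __name__ == "__main__":
    failed = [sample_authz("example.com", "invalid"),
              sample_authz("www.example.com", "valid")]
    print(order_status(failed), next_action(failed))
```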