I’m finding a bunch of authzs that simultaneously have a status of pending with an expires in the distant past.
Some examples:
- https://acme-v01.api.letsencrypt.org/acme/authz/FjalwvUkPSfE37wC5rqDo2fytFuF2FSQpEFJJ2HlTUw
- https://acme-staging.api.letsencrypt.org/acme/authz/FAUrVS_uLudj1lMim1_3SdY4prdnbHXs-0vSKTFGfHI
A (had been) relying on the status field to indicate whether the authz was usable, on the assumption that (pending + expired) = invalid.
Is it the intent that clients should pay attention to the authz expiry as well? Boulder seems to count pending authorizations with an expires > clause, so I am guessing maybe yes?