I have my own ACME script that was working for half a year. Now if the script tries to validate the domain, everything looks good, but the date returned by Let's Encrypt is the same date it already had (3 days left). It looks like everything is in order, but the date is not updated.
This is the response of the latest 2 calls combined in one:
If your account key is associated with a valid authorization for your FQDN and that authorization is valid for at least another 24 hours, the CA server does not generate a new authorization (with a new expiration date), but rather reuses the existing one (in order not to have tons of unnecessary database rows with authorizations for the same FQDN).
This is independent from the certificate expiration date; that one's still 90 days from the date of issuance either way, even if the authorization might have expired by then. It just has to be valid (and non-expired) at the time of issuance.
This was implemented back in June, see the full announcement here:
The expiration date of authorizations does not really play a role in your renewal schedule, other than the fact that you’ll have to ensure you actually have a valid authorization when you decide to renew (with “renew” actually meaning just issuing another certificate, it’s the same operation you used to obtain the certificate initially). The authorization object is basically nothing more than a document saying that you’ve passed the ownership challenge.
Your renewal schedule should probably be based on the notAfter field in the actual certificate. That’s what browsers look at when deciding if a certificate is still valid. I don’t think that date is available as part of any ACME API as a separate field; it’s just part of the X.509 certificate. certbot, for example, renews 30 days before the expiration date so that there’s plenty of time left in case something goes wrong during renewal and manual intervention is needed, or in case Let’s Encrypt is down for a while. That’s a good default, but not something that Let’s Encrypt enforces, so you may of course pick your own schedule if something else fits better.
Yep, that's really all you need. You don't really care about an expired (or close to expiring) authorization until the certificate needs to be renewed. The certificate will remain valid until its own expiration date independent of that.
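The renewal advice in the replies above, as an added example that is not part of the original thread: a Python sketch that schedules renewal from the certificate's notAfter and looks at the authorization only when an issuance is actually due. The sample end date, authorization object and clock values are constructed, and `cert_not_after`, `authz_usable` and `plan` are hypothetical helper names.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

RENEW_BEFORE = timedelta(days=30)  # certbot's margin, as mentioned in the thread

# Constructed sample data (not from the thread): a certificate end date in the
# format printed by `openssl x509 -noout -enddate`, and an authorization object
# that is still valid but close to its own expiry.
SAMPLE_ENDDATE = "notAfter=Jan 15 12:00:00 2017 GMT"
SAMPLE_AUTHZ = {"status": "valid", "expires": "2016-11-20T12:00:00Z"}


def cert_not_after(enddate_line):
    """Parse the notAfter text into an aware UTC datetime."""
    text = enddate_line.strip().split("=", 1)[-1]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def authz_usable(authz, now):
    """True if this authorization is valid and unexpired at time `now`."""
    if authz.get("status") != "valid" or not authz.get("expires"):
        return False
    # Drop fractional seconds and the trailing Z so fromisoformat accepts it.
    stamp = re.sub(r"\.\d+", "", authz["expires"]).replace("Z", "+00:00")
    return datetime.fromisoformat(stamp) > now


def plan(enddate_line, authz, now):
    """Schedule from the certificate; consult the authorization only at issuance."""
    not_after = cert_not_after(enddate_line)
    renew = now >= not_after - RENEW_BEFORE
    return {
        "days_left": (not_after - now).days,
        "renew": renew,
        "need_challenge": renew and not authz_usable(authz, now),
    }


if __name__ == "__main__":
    for day in ("2016-11-17", "2016-12-20"):  # constructed clock values
        now = datetime.fromisoformat(day + "T12:00:00+00:00")
        print(day, plan(SAMPLE_ENDDATE, SAMPLE_AUTHZ, now))
```

With the constructed data, an authorization that has only three days left changes nothing while the certificate still has 59 days; a new challenge is needed only once the renewal window opens and the authorization has lapsed.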