So a user of my client recent raised an issue requesting a way to retry challenge validations before giving up and needing to submit a new order (and thereby get new challenge tokens to publish). My initial recollection of how the ACME protocol works is that once you’ve asked the server to validate a challenge and it fails, it marks the challenge, auths, and order all as invalid. Subsequently, your only option is to start over with a new order. This seems to be backed up by semi-recent community threads and my own testing against the staging server.
However, section 8.2 of the recently finalized spec makes it sound like the ACME server should be allowing some amount of retries on challenges.
Clients can explicitly request a retry by re-sending their response
to a challenge in a new POST request (with a new nonce, etc.). This
allows clients to request a retry when the state has changed (e.g.,
after firewall rules have been updated). Servers SHOULD retry a
request immediately on receiving such a POST request. In order to
avoid denial-of-service attacks via client-initiated retries, servers
SHOULD rate-limit such requests.
Is this a case of the spec changing fairly late in the process and Boulder not having caught up yet? Am I interpreting things incorrectly?