Reuse of ACME authorization object


I noticed that when I issue an ACME newOrder request, an existing authorization object that is "valid" or "pending" is attached to the newly created order.
If an order only contains this valid authorization, it is created in the "ready" state.
The problem is that in my case, the authorization, even valid, expired 5 days ago. Is it normal then to reuse it in new orders?


If I read RFC 8555 correctly, this shouldn't be possible.

According to section 7.1.6 of RFC 8555, the status of an authorization (authz) should be updated to "expired" once the time is after the "expires" timestamp.

Can you provide more info, e.g. complete logs including the objects? Which ACME client are you using/developing (source code available on Github?) and which ACME server are you using?


My apologies, I misread, the authz expires next month!


Note that Let's Encrypt extends the lifetime from 7 to 30 days after it has become valid (i.e. the expires field is updated). If your client assumes that the authorization lifetime is still at its original 7 day value, the dates will be different from the actual lifetimes used by the CA.


That would be the result of either hardcoding the 7 days validity or storing the previous "expires" value somewhere, both of which shouldn't be necessary.
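The point made in the two replies above, as an added example that is not part of the original thread or of any ACME client: decide what to do with each authorization from the object just fetched from the server, not from a remembered "expires" value. The field names follow RFC 8555; the function names, hostnames and timestamps are constructed for illustration, and treating a "valid" authorization whose "expires" is missing or in the past as unusable is a conservative choice made by this example.

```python
from datetime import datetime, timezone

def parse_ts(ts):
    """Parse an RFC 3339 timestamp as used in the ACME "expires" field."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def next_step(authz, now):
    """Decide what to do with one freshly fetched authorization object."""
    expires = authz.get("expires")
    lapsed = expires is not None and parse_ts(expires) <= now
    status = authz["status"]
    if status == "valid" and expires and not lapsed:
        return "reuse"            # already validated, nothing to solve
    if status == "pending" and not lapsed:
        return "solve-challenge"  # still open, a challenge must be completed
    # invalid, deactivated, expired, revoked, or past its own "expires"
    return "new-order"

def plan(authzs, now):
    """Map each identifier in an order to the action its authz requires."""
    return {a["identifier"]["value"]: next_step(a, now) for a in authzs}

def stale_cache_verdict(cached_expires, now):
    """What a client concludes if it trusts a stored "expires" value."""
    return "expired" if parse_ts(cached_expires) <= now else "live"

# Constructed sample data (not real server output).
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
# "expires" as first seen while the authz was pending (7-day lifetime).
CACHED_EXPIRES = "2024-05-08T09:00:00Z"
# The same authz fetched again after validation: the server moved
# "expires" out to 30 days, as described for Let's Encrypt above.
FETCHED = [
    {"identifier": {"type": "dns", "value": "www.example.org"},
     "status": "valid", "expires": "2024-05-31T09:30:00Z"},
    {"identifier": {"type": "dns", "value": "api.example.org"},
     "status": "pending", "expires": "2024-05-17T12:00:00Z"},
    {"identifier": {"type": "dns", "value": "old.example.org"},
     "status": "valid", "expires": "2024-05-05T00:00:00Z"},
]

if __name__ == "__main__":
    print("cached view :", stale_cache_verdict(CACHED_EXPIRES, NOW))
    for name, action in plan(FETCHED, NOW).items():
        print(f"{name:16} -> {action}")
```
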


By the way, why is the lifetime of a valid authz extended?

This allows Let's Encrypt to re-use the valid authorizations for 30 days across other orders for the same account key. I believe this is how they cache valid authorizations. See: FAQ - Let's Encrypt

Not all ACME Servers / CAs will do this. It's an optimization Let's Encrypt decided to implement because the Baseline Requirements let them.


And also note that Let's Encrypt is contemplating changing this behavior.


I forgot another technical detail:

Let's Encrypt will often re-use objects, but the object re-use between Boulder and Pebble operates differently – so if you're testing locally on Pebble, you might get completely different behavior under Boulder.

If you're testing locally on Boulder, you may want to run the testsuite again on Pebble to ensure you can handle multiple scenarios the RFC allows.

Orders, Authorizations and Challenges may be re-used under specific situations on each platform. There are a handful of threads in the client-dev section that address different re-use objects and scenarios.


When the order becomes "ready", is its lifetime extended also?

Not that I have seen, but someone else may have better knowledge of the current implementation.


No, the order lifetime does not change.

