I’m writing my own little ACME client, and it works quite well so far. It uses the DNS challenge in the staging environment. I’m able to create accounts and successfully issue and verify new certificates.
Now I want to implement the renewal functionality. But once an order has been finished, LE always provides the existing certificate, without re-validating the challenges. I know this is intended, but I want to test the renewal and therefore I need re-validating.
My understanding so far is: Protocol-wise there is no difference between issuing and renewal. When a cert is 60 days old, I get a new challenge. Am I wrong with this?
How do I force re-validation and therefore simulate renewal when my cert isn’t 60 days old?
That's what I do. I generate a new CSR and place a new order. But LE still considers my domains as verified and doesn't give me new challenges.
The only way to re-test the verification seems to be creating a new account every time. But this can't be intended. I need to implement/test renewal on an existing account without waiting 60 days.
I feel stupid since this seems to be a very basic problem and I just don't get it.
The “expires” field of an authorization shows when it will expire. Let’s Encrypt currently sets valid authorizations to expire after 30 days, but this could change in the future.
If you want to get rid of an authorization ahead of time, it can be deactivated. You either have to implement that, or switch accounts.
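An added example (not the answerer's or any real client's code) of the two pieces a client needs for the approach above: deciding whether a cached authorization will be reused, and building the RFC 8555 section 7.5.2 deactivation request. The `sign` callable and the account, nonce and authorization URLs are assumptions supplied by your own client; the sample authorization JSON is constructed.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample of what the CA returns for an authorization that is
# still valid, so a new order would reuse it instead of issuing a challenge.
SAMPLE_AUTHZ = {
    "status": "valid",
    "expires": "2024-07-01T12:00:00Z",
    "identifier": {"type": "dns", "value": "example.com"},
    "challenges": [{"type": "dns-01", "status": "valid",
                    "url": "https://acme-staging.invalid/chall/1"}],
}

def parse_acme_time(ts):
    """Parse the RFC 3339 'expires' timestamp ('Z' suffix or explicit offset)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def authz_needs_deactivation(authz, now):
    """True when the authorization is valid and unexpired, i.e. it would be reused."""
    if authz.get("status") != "valid":
        return False
    expires = authz.get("expires")
    return expires is None or parse_acme_time(expires) > now

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jws_part(s):
    """Inverse of b64url for a JSON JWS component (pads, then decodes)."""
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))

def deactivation_request(authz_url, account_url, nonce, sign, alg="ES256"):
    """Flattened JWS for POST <authz_url> with payload {"status": "deactivated"}.

    `sign` is the client's own signer: bytes of the signing input -> raw signature
    bytes (hypothetical; the account key and algorithm are assumptions here).
    """
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    protected = b64url(compact({"alg": alg, "kid": account_url,
                                "nonce": nonce, "url": authz_url}))
    payload = b64url(compact({"status": "deactivated"}))
    signature = b64url(sign(f"{protected}.{payload}".encode()))
    return {"protected": protected, "payload": payload, "signature": signature}
```

Send the returned dict as the JSON body with `Content-Type: application/jose+json`; once the CA reports the authorization as `deactivated`, the next order for that identifier gets a fresh challenge.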