acmeproxy
"Early renewals" expose CAA handling bug
It's possible to request an "early renewal" where LE just checks the CAA record but doesn't require re-publishing a challenge. Currently this results in NXDOMAIN, and LE refusing to issue the cert.
Fix this by allowing CAA lookups for any expired challenges, but not the challenge responses.
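A minimal model of the fix described above, added here as an illustration and not acmeproxy's own code: a responder that keeps answering CAA queries for a name whose challenge has expired while never serving the expired token again. The store, the function names, the `_acme-challenge.` name mapping, the `caa_for_expired` switch and the choice of an empty NOERROR answer are all assumptions.

```python
from dataclasses import dataclass

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"
PREFIX = "_acme-challenge."


@dataclass
class Challenge:
    token: str         # TXT value published for the challenge
    expires_at: float  # epoch seconds; the token is not served after this


class ChallengeStore:
    """Hypothetical in-memory store keyed by the certificate's domain name."""

    def __init__(self):
        self._by_domain = {}

    @staticmethod
    def _key(name):
        # Assumption: CAA is asked for the domain, TXT for _acme-challenge.<domain>.
        return name.lower().rstrip(".").removeprefix(PREFIX)

    def publish(self, name, token, now, ttl):
        self._by_domain[self._key(name)] = Challenge(token, now + ttl)

    def lookup(self, name):
        return self._by_domain.get(self._key(name))


def answer(store, qname, qtype, now, caa_for_expired=True):
    """Return (rcode, answers). caa_for_expired=False models the reported bug."""
    ch = store.lookup(qname)
    if ch is None:
        return NXDOMAIN, []          # no challenge was ever seen for this name
    expired = now >= ch.expires_at
    if expired and not caa_for_expired:
        return NXDOMAIN, []          # old behaviour: an expired name vanishes
    if qtype == "TXT" and not expired:
        return NOERROR, [ch.token]   # live challenge response
    # CAA (live or expired), or any type once the challenge has expired: the
    # name exists but carries no data. The expired token is never returned.
    return NOERROR, []


# Constructed sample: challenge published at t=1000 with a 300 s lifetime.
store = ChallengeStore()
store.publish("_acme-challenge.host.example.com.", "constructed-token", now=1000, ttl=300)
```

Expired TXT queries get an empty NOERROR rather than NXDOMAIN here because NXDOMAIN for one type would contradict the CAA answer for the same name.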