Daniel McCarney
> put the private key in a log seems unsafe. To start with I think the JWS and the account public key needed to verify the JWS would be sufficient.
> Also worth noting: In terms of translation into ACME, it probably makes sense for the authorizations to be for a different identifier type (e.g. onion) since it's not verified...
> Since the v3 address specification addresses those weaknesses there is now a proposal in the CABF validation working group in the works by Wayne Thayer of Mozilla to change...
> I think update wfe1 and 2 to send full identifiers to RA, and update RA to deal with it. @orangepizza One thing I forgot to mention on the forum...
@459217974 Please respond to the new issue template questions that you deleted so that we can help: ### Expected behavior: ### Actual Behavior: ### Steps to Reproduce: 1. [ contents...
> Sorry I did not follow the template to submit the issue, but that template may not be suitable for my problem. No problem. Please always try to fill out...
@459217974 Could you also run this command on your Streisand server for me and share the output? `openssl x509 -in /var/lib/acme/live/ss.unpython.com/cert -noout -startdate -enddate`
@459217974 One last question: Did you manually renew the certificate already? I see a currently valid certificate right now: ``` openssl s_client -connect ss.unpython.com:443 /dev/null | openssl x509 -noout -startdate...
> I renew the certificate by myself with certbot. I will provide more information tomorrow. OK! I'm glad you got a working certificate! This will make debugging trickier but I'll...
@Barafu Thanks for sharing that detail - that's interesting! Acmetool shouldn't require any action for an existing account when Let's Encrypt changes the terms of service. In a perfect world...