Renewals always have replaces= set?

[uschwarz]

Even with MDRenewViaARI off and "ari-renewals": false in the corresponding md.json, orders have the replaces attribute set.

This is unfortunate, RFC9773 says "Clients SHOULD NOT include this field if the ACME server has not indicated that it supports this protocol by advertising the renewalInfo resource in its Directory." and we do indeed use a CA that rejects these requests since they do not offer ARI.

Only "workaround" I have found so far is to either manually remove all traces of the currently-used certificate (i.e. in domains/ and archive/) or rotate the ServerName.
I guess ad_setup_order() might be a good place to check for that? (I'm sorry, I'm not fluent enough in httpd conventions to see what is easily visible where.)

[md:trace2] [pid 25343:tid 25346] md_acme.c(713): response: {\n  "newNonce": "https://acme-v02.harica.gr/acme/…/new-nonce",\n  "newAccount": "https://acme-v02.harica.gr/acme/…/new-acct",\n  "newOrder": "https://acme-v02.harica.gr/acme/…/new-order",\n  "revokeCert": "https://acme-v02.harica.gr/acme/…/revoke-cert",\n  "meta": {\n    "termsOfService": "https://repo.harica.gr/documents/SA-ToU.pdf",\n    "website": "https://www.harica.gr/",\n    "caaIdentities": [\n      "harica.gr"\n    ],\n    "externalAccountRequired": true\n  }\n}
[…]
[md:trace1] [pid 25343:tid 25346] md_acme.c(244): acme payload(len=748): {"identifiers":[{"type":"dns","value":"…"}],"replaces":"6Z…DA"}
[md:warn] [pid 25343:tid 25346] (22)Invalid argument: acme problem urn:ietf:params:acme:error:malformed: ARI Feature not enabled

[icing]

Thanks. Could you check if #407 does the right thing for you?

[uschwarz]

It didn't blow up in my face and successfully renews in the case that's easy for me to trigger (new ServerAliases.)
thanks so much!

[icing]

Thanks. Merged into master for the next release.