First fulfil all challenges, then tell the CA that it should check. With a CSR with multiple SANs, acme-client would write one challenge, tell the CA, write the next challenge, and so on.
For http-01 this doesn't matter but I think this will be nicer for dns-01 because there are propagation delays to consider. Please be extra careful checking this. If I mess this up people might run into renewal issues months from now. And when that happens people tend to comment... (Which I also pull this out of the big diff I'm currently working on for dns-01.) OK? diff --git netproc.c netproc.c index 38732a4dd01..7c502643acc 100644 --- netproc.c +++ netproc.c @@ -840,7 +840,12 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, if (readop(Cfd, COMM_CHNG_ACK) != CHNG_ACK) goto out; - /* Write to the CA that it's ready. */ + } + /* Write to the CA that it's ready. */ + for (i = 0; i < order.authsz; i++) { + if (chngs[i].status == CHNG_VALID || + chngs[i].status == CHNG_INVALID) + continue; if (!dochngresp(&c, &chngs[i])) goto out; } -- I'm not entirely sure you are real.
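Review bot: the `continue` on `CHNG_INVALID` in the new response loop silently skips a challenge the CA has already rejected, so nothing in this hunk fails the run or reports the bad authorization; the visible lines only skip it and move on to `dochngresp()` for the rest. If an invalid status at this point is not expected to be handled later, consider treating it like the other error paths in the hunk (for example `if (chngs[i].status == CHNG_INVALID) goto out;` with a warning), and keep the `continue` only for `CHNG_VALID`. Also worth a second look: the first loop now ends right after the `readop(Cfd, COMM_CHNG_ACK)` check, so a failed ack for any single challenge still aborts before any response is sent, which is the intended behaviour for dns-01 propagation but means a partially written set of records is left behind on `goto out`.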