Stefan Eissing

Results 355 comments of Stefan Eissing

In the logs you provided I see that you have `MDMustStaple on` configured. This means that the CA should set this extension in the certificates it creates for you. However...

There it is: https://community.buypass.com/t/60h8l7f/support-for-ocsp-must-staple. This is a bug on their side. If a client submits a certificate request with `must-staple` set, they can deny it, but they should not pretend...

I agree, if the code could find out that this is the case and not an error on the CA side.

Yes. What I did already is to tell the reason why a renewal is done. So, in the future, one will see that a new cert is requested because the...

In such a setup, with a shared fs, you are asking for trouble when you reload 2 or more cluster nodes at the same time. All reloading instances will try...

Looking at my code in this light again, the overall strategy is on a start/reload: 1. look if there is a `staging/mydomain` with all data needed 2. copy over all...

Would be nice if you could try [v2.4.18](https://github.com/icing/mod_md/releases/tag/v2.4.18) with the new `MDStoreLocks` directive. If that works nicely in your setup, maybe we could also add such locking for renewal attempts.

@moschlar maybe this escaped your notice. Could you test if the new version addresses the restarting in your cluster?

> Apache 2.4.54 only ships with v2.4.17, but would love to test `MDStoreLocks` when it drops. I am assuming the approach used is compatible with NFS 4's native file...

No, I'm afraid there is no functionality for changing an existing account on the ACME server. If you remove an account in the file system, a new one will be...