We've seen that LetsEncrypt rejects issuing two different certificates for the same CSR under the same account even if the private key for the certificate is different.
I've been able to trigger this manually here: https://phabricator.wikimedia.org/P7711:
- A new certificate for pinkunicorn / ec-prime256v1 is requested in line 8
- Line 16 shows that the certificate has been issued as expected
- Line 17 requests a new certificate with a new private key (https://github.com/wikimedia/certcentral/blob/master/certcentral/certcentral.py#L393-L395) for pinkunicorn / ec-prime256v1
- this time in line 25 instead of getting CertificateStatus.VALID we end up with CertificateStatus.CHALLENGES_PUSHED
- We attempt to handle the CHALLENGES_PUSHED status in line 26, but we end up with a 400 response from LE, notifying us that the order is already in "valid" status and we shouldn't ask for an order finalization.
Currently this results in an infinite loop in certcentral: on every certificate_management() loop iteration, it's going to attempt to get the certificate, and LE would always reply with the same 400 error.
Taking into account that currently certcentral1001 and certcentral2001 share the same LE account, this collision could happen between servers.
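The retry loop described above, reduced to a runnable model (an added example, not certcentral's code). `FakeOrder`, `FinalizeRejected`, `handle_naive`, `handle_terminal`, `run_loop` and the `FAILED` status are hypothetical names; only `CertificateStatus.VALID`, `CHALLENGES_PUSHED`, `certificate_management()` and the 400 on finalizing a "valid" order come from the report. It compares leaving the state unchanged after the 400 with treating the rejection as terminal.

```python
import enum

class CertificateStatus(enum.Enum):
    CHALLENGES_PUSHED = "challenges_pushed"  # name from the ticket
    VALID = "valid"                          # name from the ticket
    FAILED = "failed"                        # hypothetical terminal state

class FinalizeRejected(Exception):
    """Constructed stand-in for the HTTP 400 answer to a finalize request."""

class FakeOrder:
    """Constructed stand-in for the order as the CA sees it."""
    def __init__(self, status):
        self.status = status
        self.finalize_calls = 0

    def finalize(self):
        self.finalize_calls += 1
        if self.status != "ready":  # RFC 8555: only a "ready" order can be finalized
            raise FinalizeRejected(f"400: order status is {self.status!r}")
        self.status = "valid"

def handle_naive(order):
    """Behaviour from the ticket: the 400 leaves the state unchanged."""
    try:
        order.finalize()
        return CertificateStatus.VALID
    except FinalizeRejected:
        return CertificateStatus.CHALLENGES_PUSHED  # retried on the next iteration

def handle_terminal(order):
    """Treat a rejected finalize as terminal so it is never re-sent."""
    try:
        order.finalize()
        return CertificateStatus.VALID
    except FinalizeRejected:
        return CertificateStatus.FAILED

def run_loop(handler, order, max_iterations=5):
    """Bounded stand-in for certificate_management(); returns (status, iterations)."""
    status = CertificateStatus.CHALLENGES_PUSHED
    for iteration in range(1, max_iterations + 1):
        status = handler(order)
        if status is not CertificateStatus.CHALLENGES_PUSHED:
            break
    return status, iteration
```

What should follow the terminal state (a fresh order, an alert) is left out of the model.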