Don't try to renew cert for the certificate chain and panic right away. #141

@adiroiban

Right now AcmeIssuingService._check_certs tries to renew any certificate found in the PEM objects for a server name.

I think it is safe to assume that the targeted certificate is only the first one, and the rest are just CA certificates from the chain.

The other certificates can be checked for expiration, but I think that txacme can fail right away without trying to renew them, as they are not certificates that we own.

The CA chain might be expired, so the storage has invalid data... and maybe the storage itself can validate it.

Also, in terms of storage errors: if, due to an error, the PEM objects don't contain any certificate and just a private key, the cert is not added to the panicking list.
I think that we should also raise an error here... but maybe on the storage level.
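
A sketch of the behaviour proposed in this issue, added here as an illustration and not txacme's own code: only the first certificate is treated as renewable, an expired chain certificate or a key-only entry is reported as a storage error. The names `split_pem` and `check_server`, the caller-supplied `not_after` lookup, the 30-day window and the sample PEM objects are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches one PEM object and captures its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)


def split_pem(pem_text):
    """Return (leaf, chain): the first CERTIFICATE object and all later ones."""
    certs = [m.group(0) for m in PEM_RE.finditer(pem_text)
             if m.group(1) == "CERTIFICATE"]
    return (certs[0] if certs else None), certs[1:]


def check_server(pem_text, not_after, now, renew_within=timedelta(days=30)):
    """Decide what to do with the stored PEM objects of one server name.

    not_after is a caller-supplied function (an assumption of this sketch)
    mapping a PEM certificate to its expiry as a timezone-aware datetime.
    """
    leaf, chain = split_pem(pem_text)
    if leaf is None:
        return "storage-error: no certificate"   # e.g. only a private key
    if any(not_after(cert) <= now for cert in chain):
        return "storage-error: expired chain"    # not ours, so never renewed
    if not_after(leaf) - now <= renew_within:
        return "renew"                           # only the leaf is renewed
    return "ok"


def make_pem(label, body):
    """Build a PEM-shaped object around a placeholder body."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, body, label)


# Constructed sample objects; the bodies are placeholders, not real DER.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
KEY = make_pem("RSA PRIVATE KEY", "a2V5")
LEAF = make_pem("CERTIFICATE", "bGVhZg==")
CA = make_pem("CERTIFICATE", "Y2E=")
```

In real use `not_after` would parse the certificate with an X.509 library; here it is injected so the decision logic can be exercised without real certificates.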
