}

    @Test
    @DisplayName("Should renew credentials when they are renewable and renew() returns new credentials")
    void testRenewCredentials_RenewableAndRenewed() {
        // Set up the wrapper with renewable credentials
        wrapper = new CIFSContextCredentialWrapper(mockDelegate, mockRenewableCredentials);
        when(mockRenewableCredentials.renew()).thenReturn(mockRenewedCredentialsInternal);

        }
    }

    @Test
    @DisplayName("renew: invokes getSubject and returns self")
    void testRenewInvokesGetSubjectAndReturnsSelf() {
        JAASAuthenticator auth = spy(new JAASAuthenticator());
        // Avoid real JAAS by stubbing getSubject
        doReturn(new Subject()).when(auth).getSubject();

        // Act
        CredentialsInternal result = auth.renew();

        // Assert interaction and return value

<img src="/img/deployment/https/https.drawio.svg">

The **TLS certificates** are **associated with a domain name**, not with an IP address.

So, to renew the certificates, the renewal program needs to **prove** to the authority (Let's Encrypt) that it indeed **"owns" and controls that domain**.

                }
            } else {
                if (!this.ctx.renewCredentials(loc.getURL().toString(), sae)) {
                    throw sae;
                }
                log.debug("Trying to renew credentials after auth error");
                try (SmbSessionInternal s = trans.getSmbSession(this.ctx, treesess.getTargetHost(), treesess.getTargetDomain())