A question about expires attribute of Order Resource

test_mail_new · December 22, 2020, 5:34am

After I finalize a order by send request with csr content to /finalize API.

Then I can get this response:


{
'Content-Length': '459',
 'Strict-Transport-Security': 'max-age=604800', 
'Cache-Control': 'public, max-age=0, no-cache',
 'Server': 'nginx',
 'Connection': 'keep-alive', 
'Link': '<https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"', 
'Location': 'https://acme-staging-v02.api.letsencrypt.org/acme/order/.../...', 
'Boulder-Requester': '17092284',
 'Date': 'Tue, 22 Dec 2020 03:52:47 GMT',
 'X-Frame-Options': 'DENY',
 'Content-Type': 'application/json', 
'Replay-Nonce': '0003NBeE3su_6fx2gelKMX6W6Wu7pLpevdEnd8OqWoYTII4'
}
{u'authorizations': [u'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/....'],
 u'certificate': u'https://acme-staging-v02.api.letsencrypt.org/acme/cert/......',
 u'expires': u'2020-12-28T06:31:50Z',
 u'finalize': u'https://acme-staging-v02.api.letsencrypt.org/acme/finalize/...../....',
 u'identifiers': [{u'type': u'dns', u'value': .....'}],
 u'status': u'valid'}

PARAM: expires
is 2020-12-28T06:31:50Z .

I new this order at sometime of 2020-12-21.

Must I download the certificate before this time "2020-12-28T06:31:50Z "?

griffin · December 22, 2020, 5:49am

Once you successfully get a certificate generated, I'm not sure how long the certificate download link is valid. You can always download the certificate (and the intermediate certificate) anytime you want from https://crt.sh.

test_mail_new · December 22, 2020, 6:07am

Ok, I should download the certificate as soon as possible.

aarongable · December 22, 2020, 9:03am

Certificate download links are guaranteed to be valid for the entire lifetime of the certificate, which is significantly longer (90 days) than the lifetime of the order object (one week).

rmbolger · December 22, 2020, 6:14pm

Just to be clear, that's a Boulder (as currently implemented) guarantee rather than an RFC 8555 protocol level guarantee, right? Like, that may not be the case with other ACME CAs?

aarongable · December 24, 2020, 4:12pm

Correct, nothing in RFC8555 or other regulations mandates a length of time for those URLs to work.

system · January 23, 2021, 4:13pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.