Not at all - it just means that you need to create a new authorization which will pass.
When you create the first certificate (the library in the backend) you create an authorisation which is stored for a limited time and is what is the library uses to tell Boulder (LetsEncrypt) what it should check.
I am focusing on Certbot on Windows at the moment so have not had as much time to review the ACMESharp Library.
It is something that catches a lot of people out. There is no “renewal” as such. What you are actually doing when you renew a certificate is issuing a new certificate (whether it’s a paid CA or LetsEncrypt). The term renewal is often used to make it simpler to understand.
From this Github issue: https://github.com/ebekker/ACMESharp/issues/57
ebekker commented on Feb 14
The early versions of the ACME protocol actually did account for optional support by the CA for renewals and many moons ago, when an Identifier validation (i.e. a validated DNS name) actually lasted more than a couple of months, it was possible to perform a true renewal, but because that was not necessary to support a working ACME client, it was not initially implemented.
Just as @AHandless indicated, as the ACME spec has evolved, they actually simplified this area and eliminated the renewal support in the protocol, and likewise the actual LE CA implementation shortened the life of an Identifier validation period so that it expires after only a couple of months. Since the validation period is now shorter than the life of an issued certificate, it effectively requires that you re-validate each time you renew your certificate.
(In retrospect, it was a good thing that true renewals were not implemented as that would have been wasted work since it’s no longer supported or allowed.)
Renewals are now exactly the same as new requests. You need to validate the Identifier (i.e. the DNS name) with each renewal just as the new request, and then you need to request a new certificate with the validated Identifier. There are numerous references in tickets and the wiki that point you to other folks’ work that simplifies this process, either manually through video tutorials or even scripts that will automate this for you.
I do eventually plan on adding native support to the ACMESharp tools to make this process easier, but there is lots of community-provided support already there to make it usable.
masbicudo commented on Feb 18
I am trying to revalidate the domain as you suggested. When using CompleteChallenge, I use Force and Regenerate flags, but the challenge is the same as the previously already validated one (same key and same well-known path). Then I call SubmitChallenge, also with Force. Do I need to complete challenge again? Or just calling SubmitChallenge is enough?
ebekker commented on Feb 25
You need to execute Complete-Challenge again.
mamama1 commented 18 days ago
To sum things up - you are saying, that after about 60 days, when the certificate is about to expire within the next 30 days, I have to revalidate my ACMEIdentifier to request a renewal certificate, right?
So to accomplish this, I won’t do “New-ACMEIdentifier” again, because I already have one, right?
Complete-ACMEChallenge "myAlias" -ChallengeType whatever -Handler whatever
do whatever needs to be done for the challenge to be successful (dns entry or whatever)
Submit-ACMEChallenge "myAlias" -ChallengeType whatever
wait until status is valid
Request new Certificate using New-ACMECertificate and Submit-ACMECertificate as usual
Did I miss something or is this right now the way to go to renew certificates?
I have finished automating the request of new certs using DNS challenge (my DNS offers an XML interface I can use with “Invoke-WebRequest”) and now I’d like to finish automatic renewal.
ebekker commented 18 days ago
Read my comments above – there is really no longer any distinct renewal* operation because of the current expiration times, so you need essentially need to start with the very beginning of the process (except for the account registration) every time, so begin with New-ACMEIdentifier. You can’t issue Complete-ACMEChallenge with being presented with a set of challenges which is what New-ACMEIdentifier does.