I successfully renewed a certificate but validation didn’t happen
this time - how is that possible?
Once you successfully complete the challenges for a domain,
the resulting authorization is cached for your account to use again
later. Cached authorizations last for 30 days from the time of
validation. If the certificate you requested has all of the necessary
authorizations cached then validation will not happen again until the
relevant cached authorizations expire.
Is this quote derived from the service specification of Let's encrypt?
Or, is there any reference such as IETF draft describing about this?
(As long as I looked up, I couldn't find other helpful references.)
(The Baseline Requirements all CAs in the web PKI must follow do limit how long CAs can reuse validation information.)
“30 days” is a configuration detail of Let’s Encrypt. It may change in the future.
An ACME client will always know the date and time things expire, but it can only deduce the rules by which the CA might have chosen said date and time.
Edit: An ACME client should always assume it may have to validate, and proceed how the server wants it to.