Authorization recycling


#1

Has this authorization validity period changed recently from 10 months to 1 day? Am experiencing a few issues due to this on my client implementation. Please confirm this and if it is related to following the new ACME draft-04. Is there a way to receive notifications on such changes so that we may modify our independent implementations/integrations of the LE Client, when needed? Often times, we’re only able to identify a breakage on our side due to a modification in the LE server implementation, after the fact. Even if you don’t consider the change to be backwards-incompatible, it may still break something depending on how we’ve integrated the client.
And since ACME is still evolving, we can be sure to expect the server-side to have lots of implementation changes. I would greatly appreciate it if there was an easy way to receive notifications or somehow follow each change made on the LetsEncrypt server side, in order to avoid such situations in the future.

Thanks


Renewal process
#2

No,

Which validity period are you referring to ? There are 2 periods that I’m aware of. One is the period which I assume you are referring to i.e. the period within which, having authorized a domain with your account key, you are able to a cert without re-authorizing. This period is currently 60 days. The other period is the time between asking for a token, during which you can authorize with that token.

I’d suggest checking the divergences from the ACME draft-04 - https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md

I’d suggest subscribing to the API announcements category https://community.letsencrypt.org/c/api-announcements


#3

Thank you for the quick reply! I’ll subscribe myself to that.

However, when I recently authorized a domain with a new authorization token today, the authorization URI containing the details such as the identifier value, which challenges were used and each challenge’s status, the authorization validation status, and authorization validity expiry etc, states the following:

“status”: “valid”,
“expires”: “2016-12-20T08:51:55Z”

If it was 60 days, then wouldn’t the above value for the “expires” key be mentioning at least 2017…?


#4

Was this a brand new domain / authorization ? or one that was authorised and renewed approx 60 days ago ?


#5

@keerthi, you’re probably seeing the “Automatic recycling of authorization objects” part of the API changes we made in August.


#6

Thanks for the help, both @serverco and @jsha !

Figured out what was causing the issue: it was a combination of the authorization recycling and a bit of confusion with the account user key pair I’m using on my side. After some changes to the account user key for testing purposes, I had reverted it back to the original one, but with a difference of a newline character by mistake. While LE thought I was trying to validate already authorized and valid domains and so returned the same authz object, my code thought I was trying to authorize domains for an entirely new user account key, while I thought that I was actually getting a new valid authorization object with extended expiry for my domain. And all this done using a domain whose authorization coincidentally expires the next day, which threw me since I had been unaware of the change from 10 months to 60 days for the authorization validity period.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.