Can't create a challenge after it is validated on the staging environment

I'm writing an ansible playbook to renew my certificates and using the acme_certificate module to create a DNS challenge on the staging environment.

I finally got to the point where the playbook successfully creates the DNS entries and I got a certificate valid for 90 days.

I wanted to continue working on my playbook, but now I don't seem to be able to get a new challenge for my domains anymore (challenge_data and challenge_data_dns are empty), as they now have a "valid" status, even when I pass force=true when requesting the challenge.

I read that the production environment caches for 30 days, is that also true for the staging environment? If so, how can I force creating a new challenge before 30 days?

Thanks,
Peter

It's true for staging, yes. But you can use Pebble, a very lightweight ACME testing server, and have full control over its behavior including whether it can reuse authorizations. I believe you set PEBBLE_AUTHZREUSE=0.

You might find this discussion helpful.

Thanks, do you mean creating a new account, or deactivating the authorization? I'd prefer the latter but am not familiar enough with the ACME protocol to implement that; Ansible has this inspect module which should be able to send any possible API request.

Yeah, might end up doing that, was just hoping to avoid learning yet another tool and running yet another container ...

There is no easy way to do this with Ansible. Something like:

- name: Deactivate authorization
  local_action:
    module: community.crypto.acme_inspect
    account_key_src: "{{ role_path }}/files/account_key.pem"
    account_uri: "{{ account_info.account_uri }}"
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    url: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<order id>
    method: post
    content: '{"status": "deactivated"}'

would work, but unfortunately, Let's Encrypt currently does not return the orders for an account info request, and finding out the order id is not trivial.

Also, not sure how to find out the 'authz-v3' part of the URL...
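One way to get the authorization URLs without guessing the 'authz-v3' part by hand (an added example, not code from the thread): create a throwaway order with acme_inspect, read the `authorizations` list that the ACME server returns in the order object, and deactivate each of those URLs. It assumes the account key at `files/account_key.pem`, an `account_info` result registered earlier from community.crypto.acme_account, and a `domain` variable holding the name whose authorization should be reset.

```yaml
# Fetch the directory so the newOrder URL does not have to be hard-coded.
- name: Fetch the staging ACME directory
  community.crypto.acme_inspect:
    account_key_src: "{{ role_path }}/files/account_key.pem"
    account_uri: "{{ account_info.account_uri }}"   # assumed: from acme_account
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    method: directory-only
  register: acme_dir

# A new order for a name that still has a valid authorization gets that
# authorization reused, so the order object points straight at its URL.
- name: Create a throwaway order to discover the authorization URLs
  community.crypto.acme_inspect:
    account_key_src: "{{ role_path }}/files/account_key.pem"
    account_uri: "{{ account_info.account_uri }}"
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    url: "{{ acme_dir.directory.newOrder }}"
    method: post
    content: '{"identifiers": [{"type": "dns", "value": "{{ domain }}"}]}'   # domain: assumed variable
  register: new_order

# RFC 8555 section 7.5.2: POSTing {"status": "deactivated"} to an
# authorization URL retires it, so the next run gets fresh challenges.
- name: Deactivate every authorization referenced by the order
  community.crypto.acme_inspect:
    account_key_src: "{{ role_path }}/files/account_key.pem"
    account_uri: "{{ account_info.account_uri }}"
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    url: "{{ item }}"
    method: post
    content: '{"status": "deactivated"}'
  loop: "{{ new_order.output_json.authorizations }}"
```

Deactivation is final; the authorization cannot be reactivated, so the next acme_certificate run for that name has to complete a new challenge.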

I assume you directed that to me. The thread I linked offers several options. I don't know Ansible well enough to help with the deauthorization. But, I'd think setting up a new ACME account should be easy enough.

You should segment your testing or fake responses so that you don't create hundreds of accounts. But, the account registration itself is not a large burden on Let's Encrypt.

Another option is to use a series of test domain names: test001.(domain), test002 and so on and request a cert for just one at a time. Each would need a fresh auth. I don't recommend this if you were testing against the LE production system but against LE Staging it's fine.
