Certificate renewal switching from dns to http

Hey there!

My domain is: dennisschuerholz.de

My operating system is (include version): Debian 8.5
My web server is (include version): Apache 2.4

I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: no

This is a clone of my question at serverfault I recently switched from dns challenge type back to http. Now the certs which where initially optained through dns challenge can no longer be renewed using http - the old ones (optained through http) work fine.
Complete JSON-Objects got posted at the serverfault question.

I read that starting with tls-sni I cannot switch to http nor dns but why can’t I use http again after issuing with dns? I hope someone can explains this to me and (ideally) solve this problem together with me.

Best regards, Dennis

Hi Dennis,

I suspect this is related to the topic – Upcoming change: valid authz reuse

Once a domain has been validated, that authorisation is remembered for a period of time ( 90 days currently I believe), so requesting via a different type of challenge ( http in your case) will result in always getting a “pending” unless the script takes notice of the “status”:“valid”. I’d suggest opening this as an issue on the dehydrated site. It should recognise the valid status, and simply obtain a new certificate.

2 Likes

As a workaround, moving to a new ACME account should allow you get rid of your existing authorizations so that you can test the http-01 validation. I believe these steps should work (not too familiar with that client, but this should force the client to create a new account).

1 Like

Thanks for your help!

I managed to write a hotfix to dehydrated which allowed me to fulfil the requirements and skip the challenge-response if it’s not needed.

You could also ask for Dehydrated to support deactivating a valid authorization. If the existing authorization is invalidated a new request to authorize the domain by http-01 would be fully processed.

@dennisschuerholz glad you got things sorted out! Would you be so kind as to update the Stack overflow question to have an answer and a pointer back to this thread? I’d hate for any wayward souls that find the Stack Overflow version first to be left hanging :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.