I would like to confirm this because the behavior was different from what I expected when renewing the certificate.
When I made the previous certificate request, a token was issued, but this time the renewal completed without a token being displayed.
I checked the expiration date, and it was 3 months later.
I am concerned because the behavior is different, but is it OK?
$ sudo certbot certonly --manual --domain **** --email **** --agree-tos --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for ****
Performing the following challenges:
dns-01 challenge for ****
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
**** with the following value:
***********************************************
(The actual value was shown here in the output.)
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/****
Your key file has been saved at:
/etc/letsencrypt/live/****
Your certificate will expire on 2023-04-18. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
$ sudo certbot certonly --manual --domain **** --email **** --agree-tos --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for ****
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/****
Your key file has been saved at:
/etc/letsencrypt/live/****
Your certificate will expire on 2024-01-02. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Valid authorizations are cached for (currently) 30 days.
If you tried to renew WAY too early, then yes, you wouldn't have to re-do the challenge again.
However, Let's Encrypt recommends renewing 60 days into the validity of the certificate, by which time the earlier validated authorization is no longer cached.
I see that I do not have to try again if it is cached.
I just checked the log, and I am thinking that it may not have been cached, since the previous renewal was on July 11 and this one was on October 4.
Also, I renewed the certificates for the redundant servers this time; the first server did not display the token, but the second server did, so I don't know the cause of this problem either.
Authorizations are only valid for the associated account. If your second server uses a different account, this would require new authorizations.
It would be highly unlikely (and reason for a great incident) that LE issued a certificate without valid authorization. Issuance is automated and uses a single piece of software (Boulder), and while you can never say never, it's almost impossible that you had a certificate issued without an authorization which had been validated in the past 30 days.
Please provide your domain name (exact hostname for which the certificate was issued) so we can check with the public (!) certificate logs.
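Since the authorization cache is tied to the ACME account rather than to the machine, the first thing to compare between two servers is which account each certbot installation is using. The following is an added example, not code from the thread or from certbot: it reads the account URI that certbot records in each `regr.json` under `<config-dir>/accounts/<acme-host>/directory/<account-id>/` (the default config dir being `/etc/letsencrypt`) and reports which accounts two servers have in common. The sample file trees and account numbers are constructed for illustration.

```python
"""Added example (not from the thread): list the ACME account URI(s) a certbot
installation has registered, so two servers can be checked for a shared account.

certbot stores each account as
    <config-dir>/accounts/<acme-host>/directory/<account-id>/regr.json
and the "uri" field of regr.json is the account URL at the CA, e.g.
https://acme-v02.api.letsencrypt.org/acme/acct/<number>.  Two installations
that show the same URI share one account, and therefore one authorization cache.
"""
import json
import os


def account_uri_from_regr(text):
    """Return the account URI recorded in one regr.json body, or None."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    uri = data.get("uri")
    return uri if isinstance(uri, str) else None


def account_uris_from_files(files):
    """files: mapping of file path -> contents.  Returns {acme_host: set(uris)}
    for every regr.json found under an accounts/ tree (pure; used by tests)."""
    result = {}
    for path, text in files.items():
        parts = path.replace(os.sep, "/").split("/")
        if parts[-1] != "regr.json" or "accounts" not in parts:
            continue
        # The ACME host is the directory immediately below the last "accounts".
        idx = len(parts) - 1 - parts[::-1].index("accounts")
        host = parts[idx + 1]
        uri = account_uri_from_regr(text)
        if uri:
            result.setdefault(host, set()).add(uri)
    return result


def account_uris(config_dir="/etc/letsencrypt"):
    """Disk-backed variant: walk <config_dir>/accounts and read each regr.json
    (needs root, because /etc/letsencrypt/accounts is normally mode 0700)."""
    files = {}
    for dirpath, _, names in os.walk(os.path.join(config_dir, "accounts")):
        for name in names:
            if name == "regr.json":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    files[path] = fh.read()
    return account_uris_from_files(files)


def shared_accounts(a, b):
    """Account URIs present on both servers, keyed by ACME host."""
    return {h: a[h] & b[h] for h in a.keys() & b.keys() if a[h] & b[h]}


# Constructed sample trees (account numbers are made up).  Server 2 was set up by
# copying server 1's account directory, so the same regr.json appears on both;
# server 3 registered its own account.
_PROD = "/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory"
_STAGING = "/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory"
SAMPLE_SERVER1 = {
    f"{_PROD}/0c1e2f3a4b5c6d7e/regr.json":
        '{"body": {"status": "valid"}, "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/111111111"}',
}
SAMPLE_SERVER2 = {
    f"{_PROD}/0c1e2f3a4b5c6d7e/regr.json":
        '{"body": {"status": "valid"}, "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/111111111"}',
    f"{_STAGING}/9f8e7d6c5b4a3210/regr.json":
        '{"body": {"status": "valid"}, "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/333333333"}',
}
SAMPLE_SERVER3 = {
    f"{_PROD}/a0b1c2d3e4f50617/regr.json":
        '{"body": {"status": "valid"}, "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/222222222"}',
}


if __name__ == "__main__":
    s1 = account_uris_from_files(SAMPLE_SERVER1)
    s2 = account_uris_from_files(SAMPLE_SERVER2)
    s3 = account_uris_from_files(SAMPLE_SERVER3)
    print("server1 vs server2 share:", shared_accounts(s1, s2))
    print("server1 vs server3 share:", shared_accounts(s1, s3))
    # On a real host: print(account_uris())  -> run as root
```

Run `account_uris()` as root on each server and compare the output; if the production URIs match, a successful dns-01 validation on either machine is reusable by the other for the 30-day cache window. Recent certbot releases also print the account URI directly with `certbot show_account`.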
I checked the archive directory, and no update was made within three months before October 4.
(The October 4 09:21 update is the event we are checking this time.)
I wouldn't say that.
I see the most recent issuance involves two certs - having been issued on the same day [14 minutes apart]:
[that looks very much like manual intervention]
As you indicated, there may have been a problem with the translation.
Let me explain the circumstances again.
When we responded to the certificate renewal at 09:21 on October 4, I had assumed that a challenge would occur, but "Renewing an existing certificate for ****" was displayed.
Therefore, at 09:35 on October 4, we renewed the certificate again to see if a challenge would occur.
I don't think we can say much more without further details. You would need to post the full logs from when you got cert4 at 09:21 on Oct 4. The logs are in /var/log/letsencrypt.
As noted by the other volunteers, the request for cert5 would not have required a fresh token, as Let's Encrypt caches successful results for 30 days. (Also see the Let's Encrypt FAQ.)
Another possibility is that you have another machine using this same Let's Encrypt account to get certs. The cache is per-account, not per-machine. Use a tool like https://crt.sh to look at your cert history and check whether another cert was issued within 30 days of the Oct 4 cert.
Had you provided your actual domain name we would have checked this already. You are just making this more difficult by not sharing essential information.
What happens if you try a request now? Does it prompt for a new TXT value? It should since you are past the 30 day cache since your last cert.
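The crt.sh check suggested above can be done mechanically once the history is pulled as JSON. The following is an added example, not code from the thread: it takes crt.sh-style entries (the JSON shape of `https://crt.sh/?q=<host>&output=json`, where each entry carries `not_before`, `serial_number`, `issuer_name` and `name_value`) and, walking the issuances in order, marks each one that could have been issued from a still-cached authorization and each one issued minutes after the previous one, which is the pattern of a hand-run retry. The cache clock is reset only by an issuance that must have needed a fresh validation, so a chain of back-to-back renewals does not extend the 30 days indefinitely. The sample history is constructed and is not the questioner's real domain.

```python
"""Added example (not from the thread): classify a crt.sh issuance history for
one hostname.  Assumes crt.sh-style JSON entries; sample data is constructed."""
import json
from datetime import datetime, timedelta

AUTHZ_CACHE = timedelta(days=30)     # Let's Encrypt authorization reuse window
MANUAL_GAP = timedelta(minutes=30)   # two issuances closer than this: likely a hand-run retry

# Constructed crt.sh-style history.  crt.sh lists both the precertificate and the
# final certificate for one issuance; they share a serial, so dedupe on it.
_ISSUER = "C=US, O=Let's Encrypt, CN=R3"
SAMPLE_CRTSH_JSON = json.dumps([
    {"serial_number": "04a1", "not_before": "2023-07-11T00:20:00", "issuer_name": _ISSUER, "name_value": "host.example.test"},
    {"serial_number": "04a1", "not_before": "2023-07-11T00:20:00", "issuer_name": _ISSUER, "name_value": "host.example.test"},
    {"serial_number": "04b2", "not_before": "2023-09-20T11:00:00", "issuer_name": _ISSUER, "name_value": "host.example.test"},  # other server
    {"serial_number": "04b2", "not_before": "2023-09-20T11:00:00", "issuer_name": _ISSUER, "name_value": "host.example.test"},
    {"serial_number": "04c3", "not_before": "2023-10-04T00:21:00", "issuer_name": _ISSUER, "name_value": "host.example.test"},  # first renewal
    {"serial_number": "04d4", "not_before": "2023-10-04T00:35:00", "issuer_name": _ISSUER, "name_value": "host.example.test"},  # re-run 14 min later
])


def parse_history(raw_json):
    """Return [(serial, not_before)] sorted by time, one entry per issuance.
    not_before is within an hour of the actual issuance, which is close enough
    for a 30-day window."""
    seen = {}
    for entry in json.loads(raw_json):
        serial = entry["serial_number"]
        issued = datetime.fromisoformat(entry["not_before"])
        seen.setdefault(serial, issued)
    return sorted(seen.items(), key=lambda kv: kv[1])


def analyze(history, cache=AUTHZ_CACHE, manual_gap=MANUAL_GAP):
    """For each issuance report:
      cached_authz_possible: a validation from within `cache` could have been
          reused, so certbot would not have shown a new TXT record;
      manual_retry_suspect: issued within `manual_gap` of the previous cert.
    The validation clock restarts only when an issuance could NOT have reused
    a cached authorization."""
    findings = []
    last_validated = None   # time of the last issuance that needed a fresh challenge
    prev_issued = None
    for serial, issued in history:
        cached = last_validated is not None and issued - last_validated <= cache
        if not cached:
            last_validated = issued
        findings.append({
            "serial": serial,
            "issued": issued,
            "cached_authz_possible": cached,
            "manual_retry_suspect": prev_issued is not None and issued - prev_issued <= manual_gap,
        })
        prev_issued = issued
    return findings


if __name__ == "__main__":
    for f in analyze(parse_history(SAMPLE_CRTSH_JSON)):
        flags = []
        if f["cached_authz_possible"]:
            flags.append("no new challenge needed")
        if f["manual_retry_suspect"]:
            flags.append("issued minutes after previous cert")
        print(f["issued"].isoformat(), f["serial"], "; ".join(flags) or "fresh validation required")
```

With the constructed history the September issuance from the second machine falls well outside the July window and so needed its own challenge, and both October certificates then fall inside the 30 days after it, which matches the thread's outcome: the 09:21 renewal showed no token because of the other server's recent validation, and the 09:35 re-run reused the same cache.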
We verified that the certificate was renewed on another machine with the same Let's Encrypt account.
Therefore, it appears that there was no challenge.
Thank you all for your help. It has been very helpful.