Certificate renewed without challenge?

Running certbot with --manual-auth-hook true (or cat) renewed my wildcard cert without any challenge/authentication.

My domain is: *.goldstein.rs

I ran this command: sudo certbot renew --manual --preferred-challenges=dns --force-renewal --manual-auth-hook true

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/goldstein.rs.conf


Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate for *.goldstein.rs


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/goldstein.rs/fullchain.pem



Congratulations, all renewals succeeded:
/etc/letsencrypt/live/goldstein.rs/fullchain.pem (success)


The operating system my web server runs on is (include version): Linux srvr 5.10.6-arch1-1 #1 SMP PREEMPT Sat, 09 Jan 2021 18:22:35 +0000 x86_64 GNU/Linux

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Welcome to the Let's Encrypt Community

Since your last certificate was issued less than 30 days ago, the authorization was still cached and thus no challenge was needed.

--manual-auth-hook requires a script to be given afterwards, not a boolean value.

You might want to consider including goldstein.rs in your certificate (like you did back in December) as *.goldstein.rs does not cover it.

https://crt.sh/?Identity=goldstein.rs&deduplicate=Y

true is not a boolean value, it's a shell command that does nothing.

So if I renew cert every 3 weeks I never need to pass challenge?

No, renewing without actually getting a new valid authorization doesn't magically "reset" the validation date of the cached authorization. The cached authorization will still expire 30 days after it was ("initially") validated and a new authorization will be necessary, regardless of renewals in between.

Nope.
The cache expires around 4 weeks after the challenge was passed the first time.

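The replies above describe authorization reuse: a still-valid authorization lets a renewal skip the challenge, but its expiry is fixed at the first validation and is not pushed back by later renewals. The following is an added example, not part of the thread and not certbot's or the CA's code: a simplified Python model of that behaviour for a renewal every 3 weeks. The names `ToyCA`, `noop_hook`, `working_hook`, `renew_schedule` and the identifier `*.example.test` are constructed for illustration; the 30-day lifetime is the figure given in the thread.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

AUTHZ_LIFETIME = timedelta(days=30)  # figure quoted in the thread (assumption of this model)
NAME = "*.example.test"              # constructed identifier


@dataclass
class ToyCA:
    """Simplified model of per-account authorization reuse (hypothetical, not real CA code)."""
    valid_authz: dict = field(default_factory=dict)  # identifier -> expiry time

    def new_order(self, identifier, now, hook):
        """Return 'reused', 'validated' or 'failed' for one issuance attempt."""
        expires = self.valid_authz.get(identifier)
        if expires is not None and now < expires:
            # Cached authorization is still valid: no challenge is requested
            # and the expiry is deliberately NOT extended.
            return "reused"
        # No usable authorization: a fresh challenge must be answered.
        if hook(identifier):
            self.valid_authz[identifier] = now + AUTHZ_LIFETIME
            return "validated"
        self.valid_authz.pop(identifier, None)
        return "failed"


def noop_hook(identifier):
    """Models `--manual-auth-hook true`: exits 0, publishes no TXT record."""
    return False


def working_hook(identifier):
    """Models a hook that really publishes the DNS-01 TXT record."""
    return True


def renew_schedule(interval_days, count, hook):
    """Validate once on day 0, then renew every `interval_days` using `hook`."""
    ca, start = ToyCA(), datetime(2021, 1, 1)  # constructed start date
    ca.new_order(NAME, start, working_hook)    # initial, genuinely validated issuance
    days = [interval_days * i for i in range(1, count + 1)]
    return [(d, ca.new_order(NAME, start + timedelta(days=d), hook)) for d in days]


if __name__ == "__main__":
    print("no-op hook:  ", renew_schedule(21, 3, noop_hook))
    print("working hook:", renew_schedule(21, 3, working_hook))
```

With the no-op hook the day-21 renewal succeeds on the cached authorization and the day-42 renewal fails, which is the point to alert on when a renewal job has been running with a hook that does nothing.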