Certificate type vs. challenge type


#1

Hi.
Is there any relation between certificate type (domain, SAN, wildcard) and requested challenge type (HTTPS, DNS)? In other words, is there any limitation such that for some certificate types only one challenge type is applicable?
Thanks,
Petr


#2

Yes, for wildcard certs you must use DNS authentication.
A SAN cert is just a combination of names in one cert - so that depends on the type of names. If any are wildcards then DNS auth will apply to them.


#3

Thanks, rg305!
It means for SAN certs without wildcards you can use both types of challenges, right?


#4

Yes.
Only wildcard certs (or wildcard entries in SAN certs) will require DNS auth.


#5

Hi @petr.sob

But it’s possible to combine wildcard and non-wildcard domain names in one certificate.

And you can combine a dns-challenge and a non-dns-challenge to get one certificate.

I use this: *.example.com + example.com, the first via dns-01 and the second via http-01 validation.

So I don’t need two DNS entries with the same name.


#6

And can it sometimes happen that Let's Encrypt sends me only a DNS challenge requirement (not HTTPS) even if the certificate request is domain/SAN (without wildcards)? Can I rely on the fact that HTTPS will always be a validation option, so that I don't need to implement DNS modification?


#7

Once a cert is obtained, it will renew using the same authentication method.
It won’t switch methods on renewals.
You would have to “force” it, for it to use another authentication method.


#8

And with new certs? Can I be sure that the HTTPS challenge will always be an option?


#9

Use the preferred-challenges option.

And use an authenticator with http-01 support.


#10

Note: you’re mentioning HTTPS, but http-01 requires access to port 80, the HTTP port (without the S).


#11

Not currently.

Yes, for now.

No one can make promises about what Let’s Encrypt or the web PKI will look like ten years from now – or even tomorrow, if there’s a security incident – but it’s common and supported for people to only implement and use HTTP-01.
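As an added illustration of the rule from #2 and #5 (wildcard names are only validated with dns-01, other names may use http-01) and the preferred-challenges idea from #9, here is a small challenge selector written for this thread; it is not code from the thread or from any ACME client. It takes ACME authorization objects in the RFC 8555 shape and picks one challenge per name with an http-01-first preference; the sample authorizations, URLs and tokens are constructed.

```python
"""Pick an ACME challenge per authorization: wildcard authorizations only offer
dns-01, so an http-01-first preference falls through to dns-01 for them."""
import json

# Preference order, analogous to certbot's --preferred-challenges (assumed default).
DEFAULT_PREFERENCE = ("http-01", "dns-01")

# Constructed sample for the order *.example.com + example.com from the thread.
# Per RFC 8555 a wildcard authorization carries the base name plus "wildcard": true.
# URLs and tokens are made up.
SAMPLE_AUTHZS = json.loads("""
[
  {"identifier": {"type": "dns", "value": "example.com"},
   "status": "pending", "wildcard": false,
   "challenges": [
     {"type": "http-01", "url": "https://acme.example.invalid/chall/1", "token": "tokA"},
     {"type": "dns-01",  "url": "https://acme.example.invalid/chall/2", "token": "tokB"}]},
  {"identifier": {"type": "dns", "value": "example.com"},
   "status": "pending", "wildcard": true,
   "challenges": [
     {"type": "dns-01",  "url": "https://acme.example.invalid/chall/3", "token": "tokC"}]}
]
""")


def display_name(authz):
    """Restore the '*.' prefix the CA strips from wildcard identifiers."""
    name = authz["identifier"]["value"]
    return "*." + name if authz.get("wildcard") else name


def select_challenge(authz, preference=DEFAULT_PREFERENCE):
    """Return (name, challenge) for one authorization, or raise ValueError when
    nothing offered matches the preference list, rather than switching silently."""
    name = display_name(authz)
    offered = {c["type"]: c for c in authz["challenges"]}
    for ctype in preference:
        if ctype in offered:
            return name, offered[ctype]
    raise ValueError(f"{name}: none of {preference} offered, server offers {sorted(offered)}")


def http01_url(name, token):
    """The URL the CA fetches for http-01: plain HTTP on port 80, as #10 notes."""
    return f"http://{name}/.well-known/acme-challenge/{token}"


def plan(authzs, preference=DEFAULT_PREFERENCE):
    """Map each name to the challenge type the client will answer."""
    return {n: ch["type"] for n, ch in (select_challenge(a, preference) for a in authzs)}
```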

