Changing challenge types for renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
danmacdonald3.sigmanetcorp.us

I ran this command:
I'm not using certbot, I am testing out an in-house Java application I'm building that uses https://github.com/shred/acme4j to communicate with Let's Encrypt's staging environment 'acme://letsencrypt.org/staging'. In the initial test I received the three challenge types as expected and completed the DNS challenge and obtained the certificate.
Minutes later I then attempted to test a renewal by initiating the same flow. I expected to see three challenge types again but only see the DNS challenge type returned. I am hoping to obtain the certificate with a DNS challenge and then renew using the HTTP challenge and want to know if this is even possible. If it is possible, is there some time cutoff I need to wait before testing the renewal with a different challenge type?

1 Like

This is likely because the ACME server returned an authorization which was already valid:

Once you successfully complete the challenges for a domain, the resulting authorization is cached for your account to use again later. Cached authorizations last for 30 days from the time of validation. If the certificate you requested has all of the necessary authorizations cached then validation will not happen again until the relevant cached authorizations expire.

Boulder doesn't include the other challenge types when responding with an authorization which is already valid. They can serve no purpose, after all.

If you use a new ACME account, or deactivate the existing authorization before creating a new order, you should see all three challenge types again.

3 Likes
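The second option from the answer above (deactivate the cached authorization, then create a new order), sketched with acme4j. This is an added example, not code from the original posts or from the acme4j project; the class name, the two helper methods, and the command-line arguments for the account URL and key file are assumptions.

```java
import java.io.FileReader;
import java.net.URI;
import java.security.KeyPair;
import java.util.*;
import org.shredzone.acme4j.*;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.util.KeyPairUtils;

public class SwitchChallengeType {
    // Hypothetical helper: deactivate every authorization the server handed back already valid.
    static int dropCachedAuthorizations(Order order) throws AcmeException {
        int dropped = 0;
        for (Authorization auth : order.getAuthorizations()) {
            if (auth.getStatus() != Status.VALID) continue;
            auth.deactivate();
            dropped++;
        }
        return dropped;
    }
    // Hypothetical helper: return the http-01 challenge of each authorization, or fail loudly.
    static List<Http01Challenge> http01Challenges(Order order) {
        List<Http01Challenge> result = new ArrayList<>();
        for (Authorization auth : order.getAuthorizations()) {
            Http01Challenge found = null;
            for (Challenge c : auth.getChallenges()) {
                if (c instanceof Http01Challenge) found = (Http01Challenge) c;
            }
            if (found == null) throw new IllegalStateException("http-01 not offered for "
                    + auth.getIdentifier().getDomain() + " (status " + auth.getStatus() + ")");
            result.add(found);
        }
        return result;
    }
    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = account URL, args[1] = PEM file holding the account key pair.
        KeyPair key;
        try (FileReader r = new FileReader(args[1])) { key = KeyPairUtils.readKeyPair(r); }
        Session session = new Session("acme://letsencrypt.org/staging");
        Account account = session.login(URI.create(args[0]).toURL(), key).getAccount();
        String domain = "danmacdonald3.sigmanetcorp.us";
        Order order = account.newOrder().domain(domain).create();
        if (dropCachedAuthorizations(order) > 0)  // a fresh order gets fresh pending authorizations
            order = account.newOrder().domain(domain).create();
        for (Http01Challenge ch : http01Challenges(order))
            System.out.println(ch.getToken() + " -> " + ch.getAuthorization());
    }
}
```

The printed token and key authorization are what the HTTP server must serve before the challenge is triggered; the explicit failure in `http01Challenges` makes a still-cached authorization visible instead of silently falling back to DNS.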
