I used to have an automatic renewal process working when I relied on the webserver challenge authentication process. What I mean is that I had a webserver configured so that the renewal process on the webserver and the Let's Encrypt server could communicate.
Recently I started using the DNS challenge, and the auto-renewal process is not working anymore. I can get a new certificate issued after setting up the required DNS records. I had originally assumed that once the required DNS record is set up, and so long as I do not delete or modify the record, I do not need to make any further adjustment to DNS to renew the same certificate. This is also based on my experience with the AWS certificate issuance process, where once a DNS challenge record is set up, subsequent renewals require no human intervention.
Please correct me if I am mistaken that renewal of certificates issued via a DNS challenge record requires an update to the existing, already working DNS record.
If this is the case, I believe it is less secure than relying on a fixed DNS record.
- It forces the administrator to deploy DNS-related credentials to the machine running the renewal. Without this requirement to update the DNS record upon renewal, the admin can deploy the DNS record the first time using a semi-manual process (e.g. code-reviewed Terraform changes), and all subsequent renewals require no human intervention. In a modern DevOps organization, DNS records are controlled by infrastructure as code, and code changes are subject to human reviewers. It is neither trivial nor practical to automate the human code review process.
- If the administrator is forced to deploy DNS-related credentials (in my case, permission to use the Route 53 API), these credentials have the potential for compromise.
- With the additional configuration complexity, the administrator could make a mistake in the DNS server automation and increase security vulnerability. For example, instead of relying on minimal privilege, the administrator could take the easy route of the simplest, and possibly maximal, permissions for the automation process.
- With the additional configuration complexity, the administrator could opt not to rely on the DNS challenge.
If I have made a mistake in understanding how it works, please point it out to me.
At this point, I have to decide whether to revert to the webserver challenge or dig into how I can fully automate DNS challenge renewal.
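The concern in the list above is that a renewal credential for the Route 53 API is either over-broad (the "easy route") or has to be carefully scoped. The block below is an added example, not the poster's configuration and not code from any ACME client: it places the over-broad policy beside one scoped to a single hosted zone and a single `_acme-challenge` TXT record, and includes a small checker that flags the over-broad shape so it can be run as a review gate in the infrastructure-as-code pipeline the post mentions. The hosted zone ID and domain are placeholders; the `route53:ChangeResourceRecordSets*` condition keys are AWS-defined keys on the `ChangeResourceRecordSets` action, and the policy is assumed to be evaluated in the standard `aws` partition.

```python
"""Least-privilege Route 53 policy for a DNS-01 renewal credential, beside
the over-broad alternative, plus a checker that flags the over-broad shape.
Added example (not the poster's setup); IDs and domain are placeholders."""
import json

HOSTED_ZONE_ID = "Z0000000PLACEHOLDER"  # placeholder, not a real zone ID
DOMAIN = "example.com"                  # placeholder domain

# The "easy route": full Route 53 control.  Renewal works, but if this key
# leaks, every record in every zone of the account can be rewritten.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "route53:*", "Resource": "*"},
    ],
}

# Scoped: list zones and poll change status, but only change the TXT record
# named _acme-challenge.<domain> inside the one hosted zone.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["route53:ListHostedZones", "route53:GetChange"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": f"arn:aws:route53:::hostedzone/{HOSTED_ZONE_ID}",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                        f"_acme-challenge.{DOMAIN}",
                    ],
                },
            },
        },
    ],
}

WRITE_ACTION = "route53:changeresourcerecordsets"
REQUIRED_CONDITION_KEYS = {
    "route53:ChangeResourceRecordSetsRecordTypes",
    "route53:ChangeResourceRecordSetsNormalizedRecordNames",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return human-readable findings for every Allow statement that can
    change records.  An empty list means the policy is scoped the way a
    renewal-only credential should be."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a in ("*", "route53:*") for a in actions)
        if not (wildcard_action or WRITE_ACTION in actions):
            continue  # read-only statement; nothing to flag
        if wildcard_action:
            findings.append(f"statement {i}: wildcard action grants far more than record changes")
        if "*" in resources:
            findings.append(f"statement {i}: record changes allowed on every hosted zone")
        present_keys = set()
        for operator_block in stmt.get("Condition", {}).values():
            present_keys.update(operator_block.keys())
        missing = sorted(REQUIRED_CONDITION_KEYS - present_keys)
        if missing:
            findings.append(f"statement {i}: not limited to the challenge record, missing {missing}")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"== {name} ==")
        for finding in policy_findings(policy) or ["no findings"]:
            print("  " + finding)
    print(json.dumps(SCOPED_POLICY, indent=2))
```

The checker is deliberately narrow: it only asks whether a statement that can call `ChangeResourceRecordSets` is pinned to one zone and to the challenge record name and type. It does not evaluate the policy the way IAM does, so a passing result says the credential is shaped as a renewal-only credential, not that the rest of the policy is harmless.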