DNS Validation - How long valid for? Renewals requiring TXT record change


#1

Hi All,
I use le64.exe to generate my certificates, this works great and I have scripted the process.

When I first used this I tested about a week later and it renewed fine and gave a new certificate, however, when I try to renew my certificates today (using the same script) it prompts me to set a DNS TXT record.

How long does LetsEncrypt consider the DNS validation valid for - Updating the TXT record is a manual process so negates the benefit of scripting this to be automatic.

2018/05/20 14:31:21 [ ZeroSSL Crypt::LE client v0.31 started. ]
2018/05/20 14:31:21 Loading an account key from LetsEncryptKey.txt
2018/05/20 14:31:21 Account key loaded.
2018/05/20 14:31:21 Loading a CSR from perth_and_wildcard_perth.csr
2018/05/20 14:31:21 Loaded domain names from CSR: mydomain.co.uk, *.mydomain.co.uk
2018/05/20 14:31:21 CSR loaded.
2018/05/20 14:31:21 Checking certificate for expiration (local file).
2018/05/20 14:31:21 Expiration threshold set at 180 days, the certificate expires in 58 days - will be renewing.
2018/05/20 14:31:23 Directory loaded successfully.
2018/05/20 14:31:23 Registering the account key
2018/05/20 14:31:23 Key is already registered, reg path: https://acme-v02.api.letsencrypt.org/acme/acct/30891302.
2018/05/20 14:31:23 TOS has changed, you may need to accept it again.
2018/05/20 14:31:23 Account ID: 30891302
2018/05/20 14:31:23 Registration success: TOS change status - 1, new registration flag - 0.
2018/05/20 14:31:23 The key is already registered. ID: 30891302
2018/05/20 14:31:23 Make sure to check TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2018/05/20 14:31:23 Accepted TOS.
2018/05/20 14:31:23 Current contact details: ZeroSSL@myemail.com
2018/05/20 14:31:24 Could not finalize an order.
2018/05/20 14:31:24 Requesting challenge for domain mydomain.co.uk.
2018/05/20 14:31:24 Received challenges for mydomain.co.uk.
2018/05/20 14:31:24 Requesting challenge for domain *.mydomain.co.uk.
2018/05/20 14:31:24 Received challenges for *.mydomain.co.uk.
2018/05/20 14:31:24 Requested challenges for 2 domain(s).
Challenge for ‘mydomain.co.uk’ requires the following DNS record to be created:
Host: _acme-challenge.mydomain.co.uk, type: TXT, value: MUcz5d_ahRC03e4tY7TbsadaqTdR0-fj1idKIesp0o
Wait for DNS to update by checking it with the command: nslookup -q=TXT _acme-challenge.mydomain.co.uk
When you see a text record returned, press

Challenge for ‘*.mydomain.co.uk’ requires the following DNS record to be created:
Host: _acme-challenge.mydomain.co.uk, type: TXT, value: EnPPdReq55DRlzo5gV2sFVnmMzU1lXg1-bJkdoxMI-Q
Wait for DNS to update by checking it with the command: nslookup -q=TXT _acme-challenge.mydomain.co.uk
When you see a text record returned, press

2018/05/20 14:31:40 Accepted challenges for 2 domain(s).
2018/05/20 14:31:42 Processing the ‘dns’ verification for ‘mydomain.co.uk
2018/05/20 14:31:42 Domain verification results for ‘mydomain.co.uk’: error. Incorrect TXT record “38sfguC4OovmrFYygDeasdasdhS50ZKFGnWw1DP_k” found at _acme-challenge.mydomain.co.uk
2018/05/20 14:31:42 You can now delete ‘_acme-challenge.mydomain.co.uk’ DNS record
2018/05/20 14:31:42 Domain mydomain.co.uk has failed verification (status code 200).
2018/05/20 14:31:44 Processing the ‘dns’ verification for ‘.mydomain.co.uk’
2018/05/20 14:31:44 Domain verification results for '
.mydomain.co.uk’: error. Incorrect TXT record “38sfguC4OovmrFYygDeasdasdhS50ZKFGnWw1DP_k” found at _acme-challenge.mydomain.co.uk
2018/05/20 14:31:44 You can now delete ‘_acme-challenge.mydomain.co.uk’ DNS record
2018/05/20 14:31:44 Domain *.mydomain.co.uk has failed verification (status code 200).
2018/05/20 14:31:44 All verifications failed
2018/05/20 14:31:44 All verifications failed

Thanks in advance!


#2

Validations are quite short lived, only a few days (or even shorter nowadays). Every time you renew (after 60 days for example, as recommended by LE), you’ll have to revalidate the domain.


#3

See the FAQs: https://letsencrypt.org/docs/faq/
I successfully renewed a certificate but validation didn’t happen this time - how is that possible?
Once you successfully complete the challenges for a domain, the resulting authorization is cached for your account to use again later. Cached authorizations last for 30 days from the time of validation. If the certificate you requested has all of the necessary authorizations cached then validation will not happen again until the relevant cached authorizations expire.


#4

This is your problem. You will need new TXT records for every renewal, so you need a way to automate this. If your DNS host doesn’t offer an API that’s supported by your client, you have three options that I can think of:

  • Change DNS hosts (Cloudflare, for example, offers DNS hosting at no cost, and has an API that’s pretty well-supported by some of the ACME client software)
  • Change ACME clients (if your DNS host has an API that isn’t supported by your client, but is supported by another client, this might be a better answer)
  • Implement something like acme-dns

#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.