Do I have to change my TXT records every 30 days


#1

Hello and thanks for letsencrypt.

If I verify a domain and issue the certificate, I believe I must renew these once every 7 days.
Does it also mean that I have to change the TXT values for domain verification once every 7 days? Please tell me the answer is "no" :slight_smile:


#2

Nope, you can currently obtain a new certificate without reverifying for a period of 7 days from the time of the original verification.

You must obtain a new certificate at least every 90 days (the overall validity period of a Let’s Encrypt certificate).

You’ll need new TXT records when you reverify at least every 90 days.


#3

If I don't own certain domains directly (SaaS provider), how can we expect our customers to change their TXT records every 90 days? Is there any way out of this?


#4

How are they delegating to your servers? Are they pointing A records at your servers for subdomains of customer domains?


#5

On their DNS settings: they set up a CNAME to point to mydomain.com

On my DNS settings: I have mydomain.com -> nginx IP

Hence, https://cname.theirdomain.com traffic hits my nginx, which is where these certs are installed.

So every 90 days I need to send an email to the owner of theirdomain.com asking them to update their TXT records?


#6

Well, how about using the HTTP-01 authentication method rather than DNS-01? Do you specifically need wildcard certificates for your application?

With HTTP-01, a CNAME to an A record for an IP address is already enough control to obtain a certificate, without having to post any DNS records—you just have to be able to serve a specified file over HTTP on port 80 of the IP address.


#7

Got it. That is a great answer. I can do that.
However, I’m interested if we needed to support wildcards on third party domains too. Please do let me know.


#8

Let’s Encrypt wildcards do require updating TXT records, so that’s going to be a little more complex.

There is a way that you can still do it without requiring ongoing efforts from the customers for each renewal. It’s a one-time step for the customer to delegate this authority to you. But it will slightly complicate the customer’s initial setup process. Nonetheless, you can easily check whether the process has been completed correctly and provide support for customers as they set this up.

The way to do this is to have the customers set an additional CNAME for _acme-challenge.example.com to point to some other record (which doesn’t specifically have to be called _acme-challenge) inside a DNS zone that you control. The validation process will also follow that CNAME, and this should also be allowed for wildcard issuance. So you can update the target TXT record in your own DNS zone, instead of updating any records in the customer’s DNS zone.

Using subdomain.theirdomain.com and mydomain.com examples, you could use

subdomain.theirdomain.com. IN CNAME mydomain.com.

_acme-challenge.subdomain.theirdomain.com. IN CNAME _acme-challenge.theirdomain.mydomain.com.

Now, posting TXT records at _acme-challenge.theirdomain.mydomain.com in response to an ACME DNS-01 challenge from Let’s Encrypt will allow you to obtain certificates for the base name subdomain.theirdomain.com as well as for the wildcard *.subdomain.theirdomain.com, as long as

  • the second CNAME continues to exist, and
  • there are no other problems with the customer’s DNS or your DNS (such as invalid handling of mixed-case queries, or invalid DNSSEC records, or refusing to answer queries for CAA records, or whatever).
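
The following is an added example, not code from this thread or from Let's Encrypt. It shows what post #6 and post #8 describe: the HTTP-01 file contents, and a DNS-01 validator that follows the customer's _acme-challenge CNAME into the provider's zone (subdomain.theirdomain.com and mydomain.com are the names used above; the token, account thumbprint and in-memory zone data are constructed stand-ins for real ACME challenges and real DNS). The challenge formulas follow RFC 8555 sections 8.1, 8.3 and 8.4.

```python
"""Added example: ACME HTTP-01 / DNS-01 values, and CNAME-delegated DNS-01
validation as in post #8.  Not code from the thread; names, token and
thumbprint are constructed for illustration."""
import base64
import hashlib


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 section 8.1: token '.' base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint}"


def http01_challenge(token: str, thumbprint: str) -> tuple[str, str]:
    """RFC 8555 section 8.3: (URL path served on port 80, exact file body)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, thumbprint)


def dns01_record(identifier: str, token: str, thumbprint: str) -> tuple[str, str]:
    """RFC 8555 section 8.4: (TXT owner name, TXT value).
    A wildcard identifier is validated at _acme-challenge.<base name>, which is
    why one delegation CNAME covers both the base name and the wildcard."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode()).digest()
    return f"_acme-challenge.{base}", b64url(digest)


# Constructed zone data: {owner name: {rrtype: [rdata, ...]}}.  The first two
# records are the customer's one-time setup from post #8; the rest is the
# provider's zone.  Keys are kept lower-case so lookups are case-insensitive.
ZONES = {
    "subdomain.theirdomain.com.": {"CNAME": ["mydomain.com."]},
    "_acme-challenge.subdomain.theirdomain.com.": {
        "CNAME": ["_acme-challenge.theirdomain.mydomain.com."]
    },
    "mydomain.com.": {"A": ["192.0.2.10"]},
}

MAX_CNAME_HOPS = 8


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def resolve_txt(zone: dict, name: str) -> list[str]:
    """Follow CNAMEs the way a CA validator does (bounded, loop-safe,
    case-insensitive, so mixed-case queries from the CA get the same answer)
    and return the TXT rdata at the end of the chain."""
    name = _fqdn(name)
    seen = set()
    for _ in range(MAX_CNAME_HOPS):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = _fqdn(rrset["CNAME"][0])
            continue
        return list(rrset.get("TXT", []))
    raise ValueError(f"more than {MAX_CNAME_HOPS} CNAME hops from {name}")


def publish_txt(zone: dict, name: str, value: str) -> None:
    """What the provider does in its own zone for each challenge."""
    zone.setdefault(_fqdn(name), {}).setdefault("TXT", []).append(value)


def validate_dns01(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """True if any TXT reached via the _acme-challenge name matches."""
    name, expected = dns01_record(identifier, token, thumbprint)
    return expected in resolve_txt(zone, name)


def run_delegation_demo() -> dict:
    """Issue for the base name and the wildcard by touching only the provider's
    zone, then show validation failing once the customer drops the CNAME."""
    zone = {k: {t: list(v) for t, v in rr.items()} for k, rr in ZONES.items()}
    thumbprint = "constructed-account-thumbprint"  # constructed, not a real JWK thumbprint
    results = {}
    for ident, token in (("subdomain.theirdomain.com", "token-base"),
                         ("*.subdomain.theirdomain.com", "token-wild")):
        _, txt = dns01_record(ident, token, thumbprint)
        publish_txt(zone, "_acme-challenge.theirdomain.mydomain.com", txt)
        results[ident] = validate_dns01(zone, ident, token, thumbprint)
    del zone["_acme-challenge.subdomain.theirdomain.com."]
    results["after CNAME removed"] = validate_dns01(
        zone, "subdomain.theirdomain.com", "token-base", thumbprint)
    return results


if __name__ == "__main__":
    print(http01_challenge("constructed-token", "constructed-account-thumbprint"))
    print(run_delegation_demo())
```

Both challenge TXT values are published at the same provider-side name; the validator only needs one of the values it finds there to match, so the base-name and wildcard orders can be validated in the same run. Checking a customer's setup before issuance amounts to running the same CNAME walk with a real resolver against the two names from post #8.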

#9

Thanks for the detailed response. I will notify this thread if it works after I try this out.