Does the renewal of certificate follow the same process as issuing a new certificate?


#1

I used standalone web server with http-01 challenge mechanism while getting a certificate. Also pointed the domain to the public machine running the LE client. I was able to fetch the certificate.

Later, just to better understand the renewal process, I deleted the DNS A record which pointed the domain to the public machine.

In spite of deleting the A record, I was still able to renew the certificate. Does this mean that during renewal the domain is not resolved by the LE CA? How does LE CA verify domain ownership during certificate renewal? Even during renewal I had to use the standalone plugin which means the LE CA did do the file download, but how did it resolve domain name?

I used following command to renew certificate:

sudo certbot certonly -n --force-renewal --standalone -d ip-172-30-3-207.ssldemo.xyz --standalone-supported-challenges http-01


#2

It does follow the same process, however, if you have already validated a specific domain it remembers that for a period of time (I can’t remember how long, it’s several months though), so for you, using your private account key, if a specific domain is already validated for you, it wouldn’t need to test and verify the tokens.


#3

To expand on @serverco’s (thanks!!) answer I wanted to provide a little bit more detail.

As mentioned, when your account proves ownership of a domain (we call this an authorization) by completing a challenge (http-01, tls-sni-01, or dns-01) the authorization is saved for a fixed period before it expires (currently 90 days but you should probably expect it to be shrinking in the future). Since you completed an authorization for your test domain using a http-01 challenge we won’t perform a dns-01 challenge for the same account/domain (see this announcement thread for more information).

In the near future you may be able to explicitly deactivate a valid authorization you previously added to your account. Right now support for this “authz deactivation” feature [exists in Boulder](https://github.com/letsencrypt/boulder/commit/51ee04e6a97c45571d73d756a2b894c642ac8187) for the server-side but it’s brand new and I don’t believe any clients have implemented it.

The easiest way to do a dns-01 challenge for this domain right away might be to make a separate Certbot install/account and use it. Authorizations are tied to the account key.

Hope that helps clear things up!


#4

Thanks for the response.

Maybe I did not explain what I did correctly. During the initial request of a certificate and while renewing it I always used http-01.

Before renewing the certificate though, I deleted the DNS A record for the domain I requested the certificate for, which means the LE CA could not possibly have been able to resolve the domain name if it needed to perform a domain ownership check.

However I was able to renew the certificate. So I am confused what kind of checks are done during renewal of certificate when http-01 challenge mechanism is used during renewing.


#5

By passing any kind of ownership challenge for a domain, an authorization object for that domain is associated with your account key. This authorization is valid for 90 days and allows you to request additional certificates for that domain (typically a renewal) with your account key without passing another domain ownership challenge. Once this object expires, you’ll need to pass another ownership challenge (at which point the absence of the A record would cause the challenge to fail).

CAs are generally permitted to issue certificates for up to 39 months (IIRC) after domain ownership is validated by the subscriber.
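The behaviour described in #3 and #5 (an authorization is keyed to the account key plus domain, cached for 90 days, and reused for renewals until it expires) can be illustrated with a small model. This is an added example written for this thread, not Boulder or Certbot code: it assumes the 90-day lifetime quoted above, a constructed DNS zone held in a dictionary, and that the standalone web server answers the http-01 request correctly whenever the name resolves. Checking the cache before running the challenge is what makes the original poster's renewal succeed with no A record; deleting the record only bites once the cached authorization has expired, or when a different account key is used.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Authorization lifetime quoted in the thread (90 days); an assumption of this model.
AUTHZ_LIFETIME = timedelta(days=90)


@dataclass
class AcmeCaModel:
    """Toy model of how an ACME CA caches authorizations (constructed, not Boulder)."""

    dns: dict  # constructed zone data: hostname -> IPv4 address
    # (account_key, domain) -> expiry time of a valid authorization
    authz: dict = field(default_factory=dict)

    def _http01_challenge(self, domain: str) -> bool:
        # The CA must resolve the hostname before it can fetch the token file;
        # with no A record the challenge fails regardless of the client plugin.
        if domain not in self.dns:
            return False
        # Assumption: the standalone server returned the right key authorization.
        return True

    def request_certificate(self, account_key: str, domain: str, now: datetime):
        """Return (issued, challenge_performed) for one new-cert or renewal request."""
        key = (account_key, domain)
        expiry = self.authz.get(key)
        if expiry is not None and now < expiry:
            # Valid cached authorization: issue without re-validating ownership.
            return True, False
        if not self._http01_challenge(domain):
            return False, True
        self.authz[key] = now + AUTHZ_LIFETIME
        return True, True


def walk_through():
    """Replay the sequence from the thread and return the outcome of each request."""
    domain = "ip-172-30-3-207.ssldemo.xyz"
    t0 = datetime(2016, 6, 1)
    ca = AcmeCaModel(dns={domain: "203.0.113.10"})  # constructed address

    first = ca.request_certificate("acct-A", domain, t0)
    del ca.dns[domain]  # the A record is removed after the first issuance
    renew = ca.request_certificate("acct-A", domain, t0 + timedelta(days=30))
    other = ca.request_certificate("acct-B", domain, t0 + timedelta(days=30))
    late = ca.request_certificate("acct-A", domain, t0 + timedelta(days=91))
    return {
        "first_issuance": first,       # (True, True): challenge run, cert issued
        "renew_without_dns": renew,    # (True, False): cached authz, no challenge
        "other_account_key": other,    # (False, True): challenge run and fails
        "renew_after_expiry": late,    # (False, True): authz expired, challenge fails
    }


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step}: issued={outcome[0]} challenge_performed={outcome[1]}")
```

The model deliberately keys the cache on the account key as well as the domain, which is why the separate-account suggestion in #3 forces a fresh challenge.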


#6

Thanks, that clears up my confusion.

So is the authorization being valid for 90 days going to change? Will it be reduced? I guess it is tied to the expiry duration of the certificate.


#7

There are plans to reduce authorization lifespans, yes. This announcement has some details:


#9

Ok thank you very much.

