Domain not pointing to the server but certbot still generated a cert

My domain is: prodtest.tommyngo.co.nz

I ran this command: letsencrypt --no-self-upgrade certonly --agree-tos -m [email address] --webroot -w /data/certs/validate -n --cert-name test4.tommyngo.co.nz --max-log-backups 0 -d test4.tommyngo.co.nz -d prodtest.tommyngo.co.nz

It produced this output:
{
  "identifier": {
    "type": "dns",
    "value": "prodtest.tommyngo.co.nz"
  },
  "status": "valid",
  "expires": "2019-10-31T21:06:42Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/487632171/bAPR_A",
      "token": "Lr4p58DwOt1XMaorrdVnb2XSG41Zm7Fiiv4qJdwrhKc",
      "validationRecord": [
        {
          "url": "http://prodtest.tommyngo.co.nz/.well-known/acme-challenge/Lr4p58DwOt1XMaorrdVnb2XSG41Zm7Fiiv4qJdwrhKc",
          "hostname": "prodtest.tommyngo.co.nz",
          "port": "80",
          "addressesResolved": [
            "120.138.18.45"
          ],
          "addressUsed": "120.138.18.45"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/487632171/PplWoA",
      "token": "Lr4p58DwOt1XMaorrdVnb2XSG41Zm7Fiiv4qJdwrhKc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/487632171/Xg1n-A",
      "token": "Lr4p58DwOt1XMaorrdVnb2XSG41Zm7Fiiv4qJdwrhKc"
    }
  ]
}

However, the domain is actually not pointing to the server at all

dig prodtest.tommyngo.co.nz
prodtest.tommyngo.co.nz. 60 IN A 120.138.22.143

It has been over 24 hours and certbot still provides certificates. I am testing the case where the certificate fails to generate.

My web server is (include version): nginx

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.33.1

I am not sure why it is the case, any help would be appreciated.

The explanation for this is something called "authorization re-use".

Basically, when your Let's Encrypt account successfully validates a domain, that valid authorization will be re-used for up to 30 days (subject to change), at which point it will expire, and you'll need to perform the authorization again.

Ideally, there would be a way in Certbot to do a "fresh" authorization every time. I was working on adding that to Certbot but haven't found a tonne of time/motivation lately. It'll come eventually.

If you try to issue the certificate from another Let's Encrypt account, you'll find that it fails, as you would expect, because that new account doesn't have access to the previous valid authorization.

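A quick way to tell a re-used authorization from a fresh validation is to compare the address the CA actually connected to (the "addressUsed" in the validationRecord certbot logs) with what the name resolves to now. The following is an added example, not code from the original post or from Certbot; it uses the authorization object quoted in the question above as constructed sample input, takes the current A records and a reference time as arguments so it runs offline, and the reference time SAMPLE_NOW is an assumption.

```python
"""Spot authorization re-use in an ACME authorization object (added example)."""
import socket
from datetime import datetime, timezone

# Constructed sample: the authorization object certbot logged in the question.
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "prodtest.tommyngo.co.nz"},
    "status": "valid",
    "expires": "2019-10-31T21:06:42Z",
    "challenges": [
        {"type": "http-01", "status": "valid",
         "token": "Lr4p58DwOt1XMaorrdVnb2XSG41Zm7Fiiv4qJdwrhKc",
         "validationRecord": [{
             "url": "http://prodtest.tommyngo.co.nz/.well-known/acme-challenge/"
                    "Lr4p58DwOt1XMaorrdVnb2XSG41Zm7Fiiv4qJdwrhKc",
             "hostname": "prodtest.tommyngo.co.nz", "port": "80",
             "addressesResolved": ["120.138.18.45"], "addressUsed": "120.138.18.45"}]},
        {"type": "dns-01", "status": "pending"},
        {"type": "tls-alpn-01", "status": "pending"},
    ],
}

# Assumed reference time for the offline demo (a few days after the validation).
SAMPLE_NOW = datetime(2019, 10, 3, tzinfo=timezone.utc)


def parse_acme_time(value):
    """ACME timestamps are RFC 3339 in UTC, e.g. 2019-10-31T21:06:42Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_a(hostname):
    """Current A records as seen by this machine's resolver (needs network)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_authz(authz, current_addrs, now):
    """Summarise a 'valid' authorization against today's DNS.

    'stale' is set when the CA validated an address that is not among
    current_addrs: the authorization is being re-used from an earlier
    validation rather than re-validated against the name's current records.
    """
    report = {
        "identifier": authz["identifier"]["value"],
        "status": authz["status"],
        "validated_via": None,
        "address_used": None,
        "days_left": None,
        "stale": False,
    }
    if authz["status"] != "valid":
        return report  # pending/invalid: nothing cached to re-use
    expires = parse_acme_time(authz["expires"])
    report["days_left"] = (expires - now).total_seconds() / 86400
    for challenge in authz["challenges"]:
        if challenge["status"] != "valid":
            continue
        report["validated_via"] = challenge["type"]
        for record in challenge.get("validationRecord", []):
            report["address_used"] = record.get("addressUsed")
            if report["address_used"] not in set(current_addrs):
                report["stale"] = True
    return report


if __name__ == "__main__":
    # Offline run with the addresses from the question: dig now returns
    # 120.138.22.143, but the CA validated 120.138.18.45 earlier.
    print(check_authz(SAMPLE_AUTHZ, ["120.138.22.143"], SAMPLE_NOW))
    # Live check: check_authz(authz, resolve_a(authz["identifier"]["value"]),
    #                         datetime.now(timezone.utc))
```

The address comparison is a signal, not a proof: if the DNS record has not changed since the original validation, a re-used authorization looks identical to a fresh one, and the only reliable indicator is that certbot's log shows no new validationRecord for this run. The "days_left" value tells you how long the cached authorization will keep masking a misconfigured record.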

Is there a way that I can perform the authorization again?

With Certbot, it’s not really straightforward to do so.

Potential ways to do it:

  • Use --dry-run (this uses a different ACME server/account. But this will only work once, and only if you haven’t already done a successful dry-run).
  • Temporarily move your /etc/letsencrypt/accounts/* directories to another directory, to force Certbot to register a new account without a valid authorization.
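The second workaround above (moving the account directories aside so Certbot registers a new account without any cached authorization) is easy to get wrong by hand, because afterwards you end up with two accounts in the config directory. The wrapper below is an added example, not Certbot's own code and not from the answer; it assumes the standard layout in which the config directory (default /etc/letsencrypt) contains an "accounts" subdirectory, and must run as the user that owns it. The demo function rehearses the same moves in a throwaway directory with a stand-in for certbot, so it runs offline.

```python
"""Force a fresh ACME account for one certbot run (added example)."""
import subprocess
import sys
import tempfile
import time
from pathlib import Path


def run_with_fresh_account(config_dir, argv):
    """Run argv (e.g. a certbot command line) with config_dir/accounts stashed.

    Returns (exit_code, path_of_new_accounts_dir_or_None). Any account the run
    registers is moved to accounts.fresh.<timestamp> and the original accounts
    directory is restored, so the config dir ends with its single original
    account instead of two accounts that certbot would then ask you to choose
    between.
    """
    config_dir = Path(config_dir)
    accounts = config_dir / "accounts"
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    stash = config_dir / f"accounts.stash.{stamp}"
    fresh = config_dir / f"accounts.fresh.{stamp}"
    had_accounts = accounts.is_dir()
    if had_accounts:
        accounts.rename(stash)          # hide the account holding the cached authz
    try:
        rc = subprocess.run(argv).returncode
    finally:
        if accounts.is_dir():           # the run registered a new account
            accounts.rename(fresh)
        if had_accounts:
            stash.rename(accounts)      # always put the original back
    return rc, (fresh if fresh.is_dir() else None)


def demo_in_tempdir():
    """Offline rehearsal: one fake existing account, and a stand-in for certbot
    that does nothing but create a fake new account (constructed, not real)."""
    tmp = Path(tempfile.mkdtemp())
    old = tmp / "accounts" / "acme-v02.api.letsencrypt.org" / "directory" / "old"
    old.mkdir(parents=True)
    (old / "meta.json").write_text("{}")
    fake_certbot = [
        sys.executable, "-c",
        "import os, sys; d = os.path.join(sys.argv[1], 'accounts', 'new'); "
        "os.makedirs(d); open(os.path.join(d, 'meta.json'), 'w').write('{}')",
        str(tmp),
    ]
    rc, fresh = run_with_fresh_account(tmp, fake_certbot)
    return {
        "rc": rc,
        "original_restored": (old / "meta.json").is_file(),
        "fresh_kept": fresh is not None and (fresh / "new" / "meta.json").is_file(),
    }


if __name__ == "__main__":
    print(demo_in_tempdir())
    # Real use, as root, with the command from the question (argv split into a list):
    # run_with_fresh_account("/etc/letsencrypt",
    #     ["certbot", "certonly", "--agree-tos", "-m", "you@example.com", "--webroot",
    #      "-w", "/data/certs/validate", "-n", "-d", "prodtest.tommyngo.co.nz"])
```

Two caveats for real runs: the command must be non-interactive and supply an email and --agree-tos (as the question's command does), or registration of the new account will stall; and any certificate obtained during the fresh run has its renewal configuration tied to that new account, which this wrapper leaves under accounts.fresh.<timestamp>, so treat the result as a test artefact rather than a lineage you intend to renew. Registering accounts repeatedly also counts against Let's Encrypt's accounts-per-IP rate limit.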
