Domain verification question(s)


#1

Could not find this anywhere, so hopefully someone could just tell me - how often do you need to verify the domain ownership?

Say you verified it once, do you need to do it again if you decide to re-issue it 10 days later, 60 days later, a year later? Or it gets verified “forever” until someone successfully verifies it using different account key?

Additionally, for how long the challenge lasts? If I use http verification for example, create the required files, then what is the maximum time that might pass before call to Let’s Encrypt to check those files is still valid?

Tnx.


#2

Whenever you issue a cert for that domain.
Edit: obviously incorrect, see below.


#3

It does not seem to be working this way, not in staging at least - you can issue a certificate and at least some time after you can do it again without verification. That is why I wonder if there is a rule or time period when you don’t have to repeat the verification part of the process.


#4

According to the source code, the authorization lifetime is currently 10 months

// DefaultAuthorizationLifetime is the 10 month default authorization lifetime.
// When used with a 90-day cert lifetime, this allows creation of certs that will
// cover a whole year, plus a grace period of a month.
// TODO(jsha): Read from a config file.
const DefaultAuthorizationLifetime = 300 * 24 * time.Hour

It means that you don’t need to re-authorize a domain if you reissue a certificate within the validity of the authorization.

It’s important to keep in mind that the authorization is attached to a specific name. Therefore, if you issue a certificate today for www.example.com and example.com, and you issue another certificate in one week for example.com and api.example.com, you will still need to go through the authorization flow for api.example.com.


#5

Great, that what I was looking for! Thank you for the link too, since it has an answer to my second question as well.


#6

It’s worth noting that the official client doesn’t reuse existing authorization objects even if they’re still valid; it will create a new one and attempt to solve it every time you’re requesting a certificate.

If you’re doing some kind of custom integration instead, this might be relevant.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.