Failed validation limit, validation IP addresses, and authorization lifetime


Hi all,

I have three announcements about the Let’s Encrypt API today:

  • We’ve enabled a new Failed Validation limit of 5 failures per account, per hostname, per hour. This limit will be higher on staging so you can use staging to debug connectivity problems.

  • In the next few weeks, we will be using some new IP addresses for validation. If you have firewall rules that whitelist specific IP addresses for validation, please be aware that our integration guide warns against that practice, and in the future we will introduce new validation IP addresses more frequently. If you’re unable to open up port 80 or 443 to all IP addresses, you may want to use the DNS challenge instead of the HTTP or TLS-SNI challenges.

  • Currently, a validated authorization remains usable for 60 days. We plan to shorten that to 30 days in the coming month. Note that in practice most users won’t notice a difference, since reissuance at the 60 day mark already requires revalidation. (Edit: as of 27/04/17 this change is enabled)


Expiry of valid authorizations reduced from 60 days to 30 days
Understanding certbot renew
Switch from StartSSL to LetsEncrypt, looking for easiest route
Error creating new certificate