Failed validation limit, validation IP addresses, and authorization lifetime

Hi all,

I have three announcements about the Let’s Encrypt API today:

  • We’ve enabled a new Failed Validation limit of 5 failures per account, per hostname, per hour. This limit will be higher on staging so you can use staging to debug connectivity problems.

  • In the next few weeks, we will be using some new IP addresses for validation. If you have firewall rules that whitelist specific IP addresses for validation, please be aware that our integration guide warns against that practice, and in the future we will introduce new validation IP addresses more frequently. If you’re unable to open up port 80 or 443 to all IP addresses, you may want to use the DNS challenge instead of the HTTP or TLS-SNI challenges.

  • Currently, a validated authorization remains usable for 60 days. We plan to shorten that to 30 days in the coming month. Note that in practice most users won’t notice a difference, since reissuance at the 60 day mark already requires revalidation. (Edit: as of 27/04/17 this change is enabled)