How long is the DNS-01 challenge valid?

Hello,

I’m trying to automate cert renewal using the DNS challenge with the great acme.sh client (https://github.com/Neilpang/acme.sh).

The pattern for doing this seems to be:

  • Run the “issue” command. Letsencrypt then responds with a challenge.
  • I add the verification strings to my dns
  • I run the “renew” command. Letsencrypt will then sign my certificate.

I’ve tried this, and it works great. However, I do have some questions:

  1. Will I need a new challenge for each renewal of the certificate?
  2. If not, for how long is a domain verified? E.g., for how long can I keep renewing the certificate without having to re-verify?

The “authz validity time” (i.e. the time in which you don’t need to re-verify your domain using your account key) is currently 60 days; however, I believe the goal is to reduce that down to 7 days.

Hi @johanmlg ,

Yes, you are right. You are using DNS manual mode, which is one of the modes that acme.sh supports.

The “authz validity time” is 60 days for now (limited by the Let’s Encrypt CA), and acme.sh will renew the cert in no more than 59 days for now. So, your cert will be successfully renewed automatically in 60 days.

But Let’s Encrypt is planning to reduce the authz validity time, so it is very probable that in future the automatic renewal will fail.

So, it’s strongly recommended to use other modes instead of DNS manual mode, such as webroot, standalone or DNS API mode.

The DNS API mode may be the best for your case; check our DNS API support list: https://github.com/Neilpang/acme.sh/tree/master/dnsapi

Yes, you are free to report issues or requests here: https://github.com/Neilpang/acme.sh/issues

Thanks.

One thing that would be better would be just kicking your account key into DNS and finishing it there instead of doing a challenge response on the DNS, at least in my opinion.

How would that protect against MitM? What do you think the purpose of a challenge-response mechanism is?

Simple. You have to prove you have the account key anyway (probably its own challenge response).
So using the same account key for domain validation isn’t really a stretch IMO.

So in short, MitM protection is already given. Instead of challenge-responsing the domain too, you just bind the domain to any given account(s)…

Thank you!

Most of our servers are not accessible through the Internet, and due to security concerns we require 2-factor authentication to update any dns records.

I’m still researching how to automate this fully, but for now, it seems like cert generation is still a partially manual process. 🙂

Well, if your DNS has an API then it may help. If you have custom DNS server software you could also just make an API which explicitly only allows doing ACME challenge records.

API usage by definition can’t use 2-factor authentication.

I have also considered making my own API for it, but there’s always the risk of introducing a bug that will allow the addition of other records as well.

I know APIs can’t do 2FA, but they can be limited in functionality; still, it would be nicer if LE would just allow account keys for DNS.

I would never, ever allow dynamic updates into a main production zone. I would always create a subdomain for the specific purpose and point to it from the main zone.

Having _acme-challenge.$foo.$domain.com CNAME $foo.acme.$domain.com works just fine and you only need to allow updates for the acme.$domain.com zone.

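To make the two ideas in this thread concrete (a self-built update API that accepts nothing but ACME challenge records, and the CNAME delegation of _acme-challenge names into a separate acme.$domain.com zone), here is an added example that is not acme.sh code or anything from the posters: an allow-list gate such an API could apply, plus the CNAME-following step that shows which name the TXT record must actually land on. The zone name acme.example.com, the CNAME table and the token values are constructed for illustration.

```python
"""Allow-list gate for a self-hosted DNS update API that accepts only ACME
DNS-01 challenge TXT records inside a dedicated, delegated zone."""
import re

# Assumption: the operator has delegated _acme-challenge.<host>.example.com
# via CNAME into acme.example.com, and only this zone accepts dynamic updates.
DELEGATED_ZONE = "acme.example.com"

# An ACME key-authorization digest is base64url(SHA-256): 43 chars, no padding.
CHALLENGE_VALUE = re.compile(r"^[A-Za-z0-9_-]{43}$")
# A single hostname label; no dots, so "a.b" below the zone is rejected.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed stand-in for the production zone's CNAME records.
CNAMES = {
    "_acme-challenge.www.example.com": "www.acme.example.com",
    "_acme-challenge.mail.example.com": "mail.acme.example.com",
}


def resolve_challenge_owner(name, cnames=CNAMES, max_hops=4):
    """Follow CNAMEs as the CA's resolver would; return the final owner name.
    This is the name the TXT record must actually be published under."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        target = cnames.get(name)
        if target is None:
            return name
        name = target.lower().rstrip(".")
    raise ValueError("CNAME chain too long or looping")


def allowed_update(owner, rtype, value, zone=DELEGATED_ZONE):
    """Accept a TXT record exactly one label below the delegated zone whose
    value is a well-formed challenge token; reject everything else (apex,
    other types, other zones, deeper names, suffix look-alikes)."""
    owner = owner.lower().rstrip(".")
    if rtype.upper() != "TXT":
        return False
    suffix = "." + zone.lower().rstrip(".")
    if not owner.endswith(suffix):
        return False
    label = owner[: -len(suffix)]
    if not LABEL.match(label):
        return False
    return bool(CHALLENGE_VALUE.match(value))


if __name__ == "__main__":
    target = resolve_challenge_owner("_acme-challenge.www.example.com")
    print(target, allowed_update(target, "TXT", "A" * 43))  # www.acme.example.com True
```

Because the production zone only ever holds static CNAMEs, a bug in the API can at worst publish a malformed TXT record under acme.example.com, never an A, MX or NS record in the main zone.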

That is actually a brilliant idea! I didn't even consider that as a solution, but it really does seem like the correct solution. Thank you!

If you can completely split off the zone and that works, fine stuff.
