How does renew work with the dns-01 challenge?

I’m using acme.sh client in order to issue and renew certificates using a dns-01 challenge, with manual addition of the DNS TXT records.
This certificate is valid for 8 FQDNs.

If I fail to update one of the TXT records correctly, having already updated the first ones correctly, then I have to reissue the certificate, update all the TXT records and renew it, hoping for the best. That’s because after that, all the renewals fail on the first domain with «Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: Response does not complete challenge","status": 400}».

Is that the expected behaviour of the dns challenge? Are the TXT records used at issuing time still valid for the renewal process 1, 60 or 80 days after that moment?


The challenge result is valid for a period of time, but the TXT records only matter during the process of accepting and then passing the challenge. Boulder (the ACME server running on Let’s Encrypt’s servers) remembers which challenges you recently passed, and will issue certificates for those names.

Passing a new challenge will require new (different) TXT records to be provisioned.

Do those two statements help you? If you need to know how long “recently” is I hope someone closer to Let’s Encrypt can answer for them.
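To make the second point concrete, here is an added example (not from the original thread, acme.sh or Boulder) that derives the dns-01 TXT value each challenge expects, per RFC 8555 §8.4 and the RFC 7638 key thumbprint, and reports which names still carry a stale or wrong record before validation is triggered. The account JWK, tokens and DNS snapshot are constructed sample data, not real keys.

```python
import base64
import hashlib
import json

# Constructed sample data (not a real key, not real tokens): an EC account key
# in JWK form and one dns-01 token per FQDN from a hypothetical ACME order.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
CHALLENGES = {"example.com": "tok-1", "www.example.com": "tok-2",
              "api.example.com": "tok-3"}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 §8.4: TXT = base64url(SHA-256(token "." thumbprint)).
    The token is unique per challenge, so every new challenge needs a new record."""
    key_authz = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authz.encode("utf-8")).digest())


def check_dns01_records(challenges: dict, thumbprint: str, dns_txt: dict) -> list:
    """Return the names whose _acme-challenge TXT set lacks the expected value."""
    missing = []
    for name, token in challenges.items():
        expected = dns01_txt_value(token, thumbprint)
        published = dns_txt.get(f"_acme-challenge.{name}", set())
        if expected not in published:
            missing.append(name)
    return missing


def build_sample_dns(thumbprint: str) -> dict:
    """Constructed DNS snapshot: two names provisioned for the current tokens, one
    still carrying a value left over from an earlier challenge (the failure mode
    described in the question)."""
    dns = {f"_acme-challenge.{n}": {dns01_txt_value(t, thumbprint)}
           for n, t in CHALLENGES.items()}
    dns["_acme-challenge.api.example.com"] = {"stale-value-from-previous-challenge"}
    return dns


if __name__ == "__main__":
    thumb = jwk_thumbprint(ACCOUNT_JWK)
    for name in check_dns01_records(CHALLENGES, thumb, build_sample_dns(thumb)):
        print(f"{name}: _acme-challenge TXT does not match this challenge's token")
```

In practice the DNS snapshot would come from querying each `_acme-challenge` name against the authoritative servers after propagation, and validation would only be requested once the list returned is empty.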

Yes, they help, and that confirms what I had supposed.
