Http-01 validation cache?

I was surprised to receive a mail from Certbot (cronjob) that my certificates have successfully been renewed because most of my domains currently have no A or AAAA-Record and nginx (which usually serves the challenge files) has been down for months (since 22/Aug/2016 according to my server logs) and HTTP(S) ports are blocked since then.

Upon investigation I noticed that Let’s Encrypt issues certificates for one of my old domains that has been deleted on 3rd Oct 2016 and is still unregistered. This domain hasn’t had any A/AAAA records for a long time as far as I remember.

Is this intentional behavior?

If you have validated a domain, then your validation is remembered for a period of time (currently 60 days) for your account key. So yes, it’s expected behaviour. You can change the default if required.

60 days? Doesn’t look like that. I just tested and could successfully request a certificate for a domain I deleted on 02/Jul/2016. I also checked my nginx logs, which sadly only date back to July, and there isn’t a single hit on an acme-challenge URL. (I’m using certbot with the certonly flag)

What’s the domain name?

Well I just tried miyuu.li (deleted Oct) which is deleted and goto.ga (deleted Jul) which appears to be re-registered by someone else. (I revoked both certificates of course)

Thanks, hopefully @cpu or someone can give a definitive answer on this.

My suspicion is that it’s due to the steadily decreasing time that “authz validity time” has. It’s currently 60 days, but it was 90 days (until about 1 month ago from memory) and before that it was closer to a year I think. I’m not sure when the dates / times changed at which it was reduced though - hence someone from Let’s Encrypt can check and give you a definitive answer.

Okay, thanks.
I’m not familiar with Let’s Encrypt but I’d find it rather odd to keep domain names validated for a longer period of time than the certificates themselves are valid. What’s the purpose of renewing when nothing is actually checked?

Your account key is checked.

The aim is that the period will be 7 days I believe. Currently it’s 60 days, which is less time than a cert is valid for.

You can always remove the authz if you want to.
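The behaviour discussed above (a cached authorization tied to the account key, reused for new orders until it expires or is deactivated) can be illustrated with a small model. This is an added example written for this thread, not Let’s Encrypt or Boulder code, and it does not talk to any real ACME server; the domain name, account id and dates are constructed, and the 60-day and 7-day lifetimes are the figures quoted in the thread. It shows why a renewal can succeed with no hit on the acme-challenge URL, and how deactivating the authorization forces a fresh challenge.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Authz:
    """A cached domain authorization, scoped to one account key."""
    account: str
    domain: str
    validated_at: datetime
    status: str = "valid"  # "valid" or "deactivated"

    def usable(self, now: datetime, lifetime: timedelta) -> bool:
        return self.status == "valid" and now < self.validated_at + lifetime


class ModelCA:
    """Toy CA: reuses a valid cached authz instead of re-running the challenge."""

    def __init__(self, authz_lifetime: timedelta):
        self.lifetime = authz_lifetime
        self.authzs: List[Authz] = []
        self.challenge_log: List[Tuple[str, datetime]] = []  # each real HTTP-01 attempt

    def _find(self, account: str, domain: str, now: datetime) -> Optional[Authz]:
        for a in self.authzs:
            if a.account == account and a.domain == domain and a.usable(now, self.lifetime):
                return a
        return None

    def issue(self, account: str, domain: str, now: datetime,
              challenge_ok: Callable[[str], bool]) -> Tuple[str, bool]:
        """Return (how the authz was obtained, whether a cert was issued)."""
        if self._find(account, domain, now) is not None:
            return "reused", True            # no challenge request hits the web server
        self.challenge_log.append((domain, now))
        if not challenge_ok(domain):
            return "challenged", False       # no A record / web server down -> failure
        self.authzs.append(Authz(account, domain, now))
        return "challenged", True

    def deactivate(self, account: str, domain: str) -> int:
        """Mark every cached authz for (account, domain) as deactivated."""
        n = 0
        for a in self.authzs:
            if a.account == account and a.domain == domain and a.status == "valid":
                a.status = "deactivated"
                n += 1
        return n


def run_scenario(authz_days: int) -> Dict[str, object]:
    """Replay the situation from the thread against a given authz lifetime."""
    ca = ModelCA(timedelta(days=authz_days))
    t0 = datetime(2016, 6, 1, tzinfo=timezone.utc)  # constructed date
    account, domain = "acct-1", "old-domain.example"  # constructed identifiers

    # Day 0: the site is still up, so the HTTP-01 challenge succeeds.
    first = ca.issue(account, domain, t0, challenge_ok=lambda d: True)
    # Day 30: domain dropped and nginx down; any fresh challenge would fail.
    renewal = ca.issue(account, domain, t0 + timedelta(days=30), challenge_ok=lambda d: False)
    # Operator removes the cached authz, then the client tries again.
    ca.deactivate(account, domain)
    after = ca.issue(account, domain, t0 + timedelta(days=30, hours=1),
                     challenge_ok=lambda d: False)
    return {
        "first": first,
        "renewal": renewal,
        "after_deactivate": after,
        "challenges_performed": len(ca.challenge_log),
    }


if __name__ == "__main__":
    for days in (60, 7):
        print(f"authz lifetime {days} days:", run_scenario(days))
```

With the 60-day lifetime the day-30 renewal is served from the cache and a certificate is issued for a domain the account no longer controls, with nothing in the web server log; with a 7-day lifetime, or after deactivating the authorization, the CA has to run the challenge again and it fails.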

I just read this thread and I understand how that stuff works now.
It just doesn’t sound right that I can still have certificates issued for domains which I don’t own anymore. 7 days seems fine and the reason I can’t find any HTTP hit on acme-challenge pages is probably that I still have old validations that are valid for more than 60 or 90 days unless old ones generally aren’t valid anymore.

It feels fundamentally wrong that validations live beyond cert issuance for exactly the reason we see here. Someone gives up his domain and can still issue certs for it? Who thought this is a good idea?

The CA/B Forum, apparently, who deemed 39 months to be a good upper limit for domain authorizations. This section has been getting some attention lately, so hopefully it’ll be changed to something more reasonable (like maybe a month; that should be long enough even for the most bureaucratic issuance processes out there).

I guess no one really thought about this practice (which is common among traditional CAs as well) prior to ACME. The most problematic bit to me is that, unlike certificate issuance, which is now a publicly observable event in the case of many CAs, and will be for everyone in about a year, domain authorizations aren’t public, so there’s really no way for a domain owner who bought a domain to know what’s out there. I suppose in the grand scheme of things this is just one of many things you need to worry about when you buy domains, but still.
