I want to know the validity period for the DNS challenge

Are there any documents that describe the validity period of the DNS challenge?

I'm going to use the ACME DNS challenge to issue an SSL certificate.
But in our organization, it takes a few days to change DNS records.
So I want to know how long a TXT record value is available for the challenge.

When I actually tried the DNS challenge, I received a response with "Strict-Transport-Security: max-age=604800" and "expires: DATETIME A WEEK AGO".
Does that mean the validity period is one week?

2 Likes

Welcome to the Let's Encrypt Community, fujiura :slightly_smiling_face:

Here's the official spec:

2 Likes

I think you are probably looking for the authorization expiry, which you can find in the expires field of the authorization (https://tools.ietf.org/html/rfc8555#section-7.1.4).

Since challenges are tied to a specific authorization, they inherit the same expiry.

It's worth remembering though that authorizations exist independently of orders and may be associated with multiple orders simultaneously.

4 Likes

Thanks for clarifying, _az. I was just heading into my client to see the response for myself. I left it in debug mode so I can see the entire return chain from the LE server on the web page. I'm out of likes right now, but you're due one for sure.

2 Likes

Thank you griffin and _az!
I've checked sections 7.1.4 to 7.1.6 of the RFC and found:

expires (optional, string): The timestamp after which the server will consider this authorization invalid, encoded in the format specified in [RFC3339]. This field is REQUIRED for objects with "valid" in the "status" field.

The order also moves to the "invalid" state if it expires or one of its authorizations enters a final state other than "valid" ("expired", "revoked", or "deactivated").

I take it that I should check the expires property of the Authorization objects in the response,
and the order will fail after the period indicated by the expires property.

3 Likes
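As an added example (not code from the thread or from Let's Encrypt), here is how the two points made above fit together in practice: _az's point that the expiry lives in the authorization object's expires field (RFC 8555 section 7.1.4) and is inherited by its challenges, and fujiura's follow-up that the order fails once an authorization expires. The script reads a constructed authorization object, works out how much time a slow DNS change has before the dns-01 challenge expires, and derives the _acme-challenge TXT value from the challenge token and the account key thumbprint (RFC 8555 section 8.4, RFC 7638). The authorization JSON, timestamps and the account JWK are made up for illustration.

```python
"""Added example (not from the thread): read the expiry of an ACME authorization
object (RFC 8555 section 7.1.4), pick its dns-01 challenge, and derive the TXT
record value (RFC 8555 section 8.4). The authorization JSON and the account JWK
below are constructed for illustration and are not real Let's Encrypt data."""
import base64
import hashlib
import json
from datetime import datetime

# Constructed sample authorization, in the shape RFC 8555 section 7.1.4 defines.
# A real server returns this from the authorization URL listed in the order.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "example.com"},
    "status": "pending",
    "expires": "2024-03-08T10:15:00Z",
    "challenges": [
        {"type": "http-01", "status": "pending",
         "url": "https://acme.example/chall/1", "token": "tokenA"},
        {"type": "dns-01", "status": "pending",
         "url": "https://acme.example/chall/2", "token": "tokenB"},
    ],
})

# Constructed (hypothetical) account public key in JWK form. The modulus is
# not a real RSA modulus; for the thumbprint it only has to be base64url text.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXM", "kid": "ignored"}


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware datetime (accepts a trailing 'Z')."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def authz_expires(authz_json: str):
    """Return the authorization's expiry, or None if the server omitted it.
    RFC 8555 only REQUIRES 'expires' when the status is 'valid'."""
    exp = json.loads(authz_json).get("expires")
    return parse_rfc3339(exp) if exp else None


def seconds_until_expiry(authz_json: str, now_ts: str):
    """Seconds from now_ts (RFC 3339) until the authorization expires, or None."""
    exp = authz_expires(authz_json)
    return None if exp is None else (exp - parse_rfc3339(now_ts)).total_seconds()


def dns_lead_time_fits(authz_json: str, now_ts: str, lead_days: float) -> bool:
    """True if a DNS change taking lead_days lands before the authorization, and
    therefore its challenges, expire. An authorization with no 'expires' is
    treated as unusable rather than as open-ended."""
    remaining = seconds_until_expiry(authz_json, now_ts)
    return remaining is not None and lead_days * 86400 < remaining


def dns01_challenge(authz_json: str) -> dict:
    """Pick the dns-01 challenge from the authorization's challenge list."""
    for ch in json.loads(authz_json)["challenges"]:
        if ch["type"] == "dns-01":
            return ch
    raise LookupError("server offered no dns-01 challenge")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted,
    no whitespace. Extra members such as 'kid' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for _acme-challenge.<name>: base64url(SHA-256(token '.' thumbprint)).
    It depends only on the token and the account key, not on time; the clock
    that matters is the authorization's 'expires'."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


if __name__ == "__main__":
    now = "2024-03-01T10:15:00Z"
    print("seconds left:", seconds_until_expiry(SAMPLE_AUTHZ, now))
    print("3-day DNS change fits:", dns_lead_time_fits(SAMPLE_AUTHZ, now, 3))
    print("10-day DNS change fits:", dns_lead_time_fits(SAMPLE_AUTHZ, now, 10))
    ch = dns01_challenge(SAMPLE_AUTHZ)
    print("_acme-challenge.example.com TXT", dns01_txt_value(ch["token"], SAMPLE_JWK))
```

The practical consequence for a slow DNS process: the TXT value can be computed as soon as the challenge token is known and does not change, so the only deadline is the authorization's expires timestamp, which also bounds the order that references it. If the change cannot propagate before that timestamp, the authorization has to be created afresh and the new token used.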
