Sorry this is relatively elementary but I haven’t been able to find an answer: if I control my domain, do I need to keep my challenge up all the time, or at least periodically when I request new certs?
I haven’t seen a technical reason anywhere why I couldn’t do my domain validation one-time, collect the key/cert, and then use it to issue certificates from anywhere without having to have Let’s Encrypt reach out to me. Does the trust that Let’s Encrypt has with my authorized key pair expire?
I had reviewed those documents, and while they describe how to go about responding to the challenge, they don’t seem to cover the topic of whether this is a one-time-only setup or whether it needs to be reviewed.
I understand that the certificates I issue will expire in 90 days, my question is about my authorized key pair. If I understand correctly that is not a certificate is not signed by Let’s Encrypt, and is instead just used to sign the nonce. Unless I’m wrong and my authorized key pair is actually a self-signed cert that I must put in an expiration of 90 days into myself?
Each domain authorization associated with your ACME account will be valid for 30 days after it is created (See the very last FAQ question here). You won't have to re-create the challenge response setup within those 30 days to issue another certificate that includes the same domain. If you deactivate the authorization, switch ACME accounts, or wait 30+ days then you'll need to solve another domain validation challenge for the domain in order to be authorized to issue certificates for it.
As a note: each time you need to perform the challenges the response will be different. That is, the HTTP-01 or DNS-01 challenge response you configured today won't be the same value as you'll use in 31 days from now when the original authorization has expired.
You can think of your ACME account keypair as your username/password in a more traditional service. You use it to authenticate requests to the CA when issuing a certificate. You can also use the ACME account keypair to revoke certificates you previously issued. It isn't a certificate, just a public key and an associated private key.
Ah yes! The 30 days cached domain validation was exactly what I was looking for. So if I do decide to go the route of keeping the authorized key pair off line, I need a mechanism to wake up and do the challenge at least more frequently than that, then redistribute the key pair.
FWIW, if you’re developing your own ACME client, 30 days of caching is what Let’s Encrypt currently does, but other CAs might do things differently, and Let’s Encrypt could change it in the future. An ACME client should be prepared to do new validation(s) any time it’s issuing a certificate.
If you’re specifically working on a Let’s Encrypt integration, you probably don’t have to be that flexible, but you should still know it’s not guaranteed to work exactly this way forever.