Are the domain challenges run again after issuing a certificate?

Let me describe my situation:

  • I have an internal site for my team, which runs on Azure Cloud using an Azure subdomain (*.cloudapp.azure.com). So I think that I cannot use the DNS-01 challenge.
    It is running Ubuntu 16.04 with nginx.

  • It doesn’t open any ports to the internet, but I can open one for a while to finish the domain challenge with tls-sni-01 (using nginx).

-> I found out that I can force-renew the certificate successfully without opening port 443 (I force-renewed for testing purposes the day after issuing the certificate). But I think it succeeded because the domain authorization is cached, as described in the FAQ.

So my question is: is it necessary to open port 443 when running the renew command
certbot renew? I think it won’t work because it needs to challenge the domain again; please confirm this, because I could not find any documents that mention it.

The FAQ seems pretty clear - the authorization will no longer be cached after 30 days (or even earlier, if the authorization is deemed to no longer apply to the request).

Future renewals will require fresh authorizations and completions of the tls-sni-01 challenge.

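Since, as the reply above says, a renewal after the 30-day authorization window has to complete a fresh challenge, the challenge port only needs to be reachable while `certbot renew` is actually running. The wrapper below is an added example, not code from this thread or from certbot itself: it opens the port, runs the renewal, and closes the port again even if certbot fails, passing certbot's exit status back to the caller. It assumes ufw as the firewall and port 443 for tls-sni-01; both are hypothetical and taken from variables so the logic can be exercised against stand-ins. (Let's Encrypt has since retired tls-sni-01; a current deployment would use the same pattern with http-01 on port 80.)

```shell
#!/bin/sh
# Added example (not from the thread): keep the challenge port open only for
# the duration of `certbot renew`, and close it on every exit path.
#
# Assumptions (hypothetical, adjust for your host): ufw is the firewall and
# certbot is on PATH. Port and commands are variables so the function can be
# tested against stand-ins without touching a real firewall.
CHALLENGE_PORT="${CHALLENGE_PORT:-443}"
FIREWALL_CMD="${FIREWALL_CMD:-ufw}"
CERTBOT_CMD="${CERTBOT_CMD:-certbot}"

open_port()  { "$FIREWALL_CMD" allow "$CHALLENGE_PORT/tcp"; }
close_port() { "$FIREWALL_CMD" delete allow "$CHALLENGE_PORT/tcp"; }

# Usage: renew_with_port_window [extra certbot arguments, e.g. --dry-run]
# Returns 1 if the port could not be opened (no renewal is attempted),
# otherwise certbot's own exit status. The port is closed whether or not
# certbot succeeded; a failure to close it is reported loudly rather than
# silently leaving the host exposed.
renew_with_port_window() {
    if ! open_port; then
        echo "could not open port $CHALLENGE_PORT; not renewing" >&2
        return 1
    fi
    "$CERTBOT_CMD" renew "$@"
    rc=$?
    if ! close_port; then
        echo "WARNING: port $CHALLENGE_PORT may still be open; close it manually" >&2
    fi
    return "$rc"
}

# Only perform a real renewal when invoked with RENEW_NOW=1, so that sourcing
# this file (e.g. from a test) defines the functions without calling certbot.
if [ "${RENEW_NOW:-0}" = 1 ]; then
    trap close_port INT TERM   # an interrupt mid-renewal still closes the port
    renew_with_port_window "$@"
fi
```

certbot's own `--pre-hook` and `--post-hook` options can carry the same `ufw` commands and run them only around an attempted renewal; the wrapper is the equivalent when you want the open/close logic and a single exit status in one script you can run from cron.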

Thank you for your confirmation. I was doubtful and could not find any way to verify it.
