Let’s Encrypt has made a minor change to how we validate domain control from multiple perspectives. This should have no effect on most users, but validation requests may appear differently in logs, so we are posting this to help diagnose failures to validate domain control.
Let’s Encrypt will now do secondary validation only once the primary validation has successfully completed. If primary validation fails, or CAA records prohibit issuance, we will not attempt secondary validation. In a successful validation, all the same requests will happen, but slightly more spread out in time.
If you’re interested in more technical detail, you can check out the code change in Boulder, our CA software. If you have any questions, please open a topic on this forum to ask them.
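To see the ordering described above in your own logs, the following added example (not code from Let’s Encrypt or Boulder) groups challenge requests by token and reports how many distinct sources fetched each one. It assumes HTTP-01 challenges and a web server writing combined-format access logs; the sample lines, IP addresses and tokens are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (assumption); the challenge path is the HTTP-01 path from RFC 8555.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines: documentation-range IPs, made-up tokens.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 200 87 "-" "-"
198.51.100.20 - - [01/Jan/2024:10:00:03 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 200 87 "-" "-"
203.0.113.30 - - [01/Jan/2024:10:00:04 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 200 87 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /.well-known/acme-challenge/tokenBBB HTTP/1.1" 404 153 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:09:00 +0000] "GET /.well-known/acme-challenge/tokenCCC HTTP/1.1" 200 87 "-" "-"
192.0.2.77 - - [01/Jan/2024:10:09:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
"""

def summarize(log_text):
    """Group challenge requests by token and return {token: summary}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["token"]].append((ts, m["ip"], int(m["status"])))
    out = {}
    for token, reqs in hits.items():
        reqs.sort()  # earliest request first; secondary requests only follow the primary
        sources = {ip for _, ip, _ in reqs}
        first_status = reqs[0][2]
        if len(sources) > 1:
            verdict = "primary validation succeeded, secondary requests followed"
        elif first_status != 200:
            verdict = "first request got an error, secondary not attempted"
        else:
            verdict = "one source only: check CAA and response body, or secondary never reached this server"
        out[token] = {"sources": len(sources), "first_status": first_status,
                      "spread_s": (reqs[-1][0] - reqs[0][0]).total_seconds(),
                      "verdict": verdict}
    return out

if __name__ == "__main__":
    for token, info in summarize(SAMPLE_LOG).items():
        print(token, info)
```

The verdicts are heuristics based on the ordering in this post: a token fetched from a single source is consistent with a failed primary validation, but the logs alone cannot rule out secondary requests being blocked before they reached the server.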