Letsencrypt returns an unexpacted valid till date on domain validation


#1

I have a own ACME what was working for a half year. Now if the script tries to validate the domain every thing looks good, but the date returned by Letsencrypt is the same date it already had, (3 days left.) It looks like every thing is in order but the the date is not updated.

This is the resonse of the latest 2 calls combined in one:

Array
(
       [identifier] => Array
        (
            [type] => dns
            [value] => stucadoorhilversum.nl
        )
    [status] => valid
    [expires] => 2017-01-12T01:59:03Z
    [challenges] => Array
        (
            [0] => Array
                (
                    [type] => dns-01
                    [status] => pending
                    [uri] => https://acme-v01.api.letsencrypt.org/acme/challenge/vkK3qgkWNpDKoRYv0z95on49ZNKbQEfrx5h-vyu1iLg/339693023
                    [token] => khCjRaNgPQbBBYpw0bTXbwjJNBezC2IPZeQ5-fKwtlg
                )
            [1] => Array
                (
                    [type] => tls-sni-01
                    [status] => pending
                    [uri] => https://acme-v01.api.letsencrypt.org/acme/challenge/vkK3qgkWNpDKoRYv0z95on49ZNKbQEfrx5h-vyu1iLg/339693024
                    [token] => XfSD_grmf9sNmeJPNtioWFdIe_hvEDNnAFzV3O8CeBQ
                )
            [2] => Array
                (
                    [type] => http-01
                    [status] => valid
                    [uri] => https://acme-v01.api.letsencrypt.org/acme/challenge/vkK3qgkWNpDKoRYv0z95on49ZNKbQEfrx5h-vyu1iLg/339693025
                    [token] => cnq9WS2NAvcnkWV6CxRzejgWSG9tJwf8SwZRzYi0WNI
                    [keyAuthorization] => cnq9WS2NAvcnkWV6CxRzejgWSG9tJwf8SwZRzYi0WNI.J1n-FYM4rGvBpSMWbHOtGpSOWbGtt7c8OdQN_rYPbAM
                    [validationRecord] => Array
                        (
                            [0] => Array
                                (
                                    [url] => http://stucadoorhilversum.nl/.well-known/acme-challenge/cnq9WS2NAvcnkWV6CxRzejgWSG9tJwf8SwZRzYi0WNI
                                    [hostname] => stucadoorhilversum.nl
                                    [port] => 80
                                    [addressesResolved] => Array
                                        (
                                            [0] => 37.34.61.8
                                        )
                                    [addressUsed] => 37.34.61.8
                                )
                        )
                )
        )
    [combinations] => Array
        (
            [0] => Array
                (
                    [0] => 2
                )
            [1] => Array
                (
                    [0] => 1
                )
            [2] => Array
                (
                    [0] => 0
                )
        )
)

What could be the reason Letsencrypt returning the same old date? Has this any thing to do with rate limits?


#2

If your account key is associated with a valid authorization for your FQDN and that authorization is valid for at least another 24 hours, the CA server does not generate a new authorization (with a new expiration date), but rather reuses the existing one (in order not to have tons of unnecessary database rows with authorizations for the same FQDN).

This is independent from the certificate expiration date; that one’s still 90 days from the date of issuance either way, even if the authorization might have expired by then. It just has to be valid (and non-expired) at the time of issuance.

This was implemented back in June, see the full announcement here:


#3

So if i readed correctly i renew the domain if there is one day left?


#4

The expiration date of authorizations does not really play a role in your renewal schedule, other than the fact that you’ll have to ensure you actually have a valid authorization when you decide to renew (with “renew” actually meaning just issuing another certificate, it’s the same operation you used to obtain the certificate initially). The authorization object is basically nothing more than a document saying that you’ve passed the ownership challenge.

Your renewal schedule should probably be based on the notAfter field in the actual certificate. That’s what browsers look at when deciding if a certificate is still valid. I don’t think that date is available as part of any ACME API as a separate field; it’s just part of the X.509 certificate. certbot, for example, renews 30 days before the expiration date so that there’s plenty of time left in case something goes wrong during renewal and manual intervention is needed, or in case Let’s Encrypt is down for a while. That’s a good default, but not something that Let’s Encrypt enforces, so you may of course pick your own schedule if something else fits better.


#5

Yes i understand this, its the same princible with googles webmasters console.

This is what my bot is doing as well, but this is for the certificate renewal. Not the domain validation.


So my bot does this:

Every hour it checks if

  • The domain needs to be validated (domain date within a day)
  • The certificate expire date (is within 5 days).

if so;
The bot will renew the domains and certificates.

So what i need to do is only check on certificate date? within 30 days?


#6

Yep, that’s really all you need. You don’t really care about an expired (or close to expiring) authorization until the certificate needs to be renewed. The certificate will remain valid until its own expiration date independent of that.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.