Multi-VA implementation e-mails

FYI, we'll begin sending these e-mails tomorrow to Let’s Encrypt subscribers who might have problems with our new validation from multiple vantage points, according to our testing and log analysis.

It's not feasible for us to include client IPs and sample FQDNs in this batch of e-mails, unfortunately. I'm hopeful that most subscribers with multi-VA incompatible setups are advanced enough to locate affected clients based on their registration ID.

Starting Feb. 19, 2020, Let’s Encrypt began making multiple domain validation requests from diverse network vantage points. More info here: ACME v1/v2: Validating challenges from multiple network vantage points

We are excited to be able to turn on this feature with little to no interference with your integration. We expect this feature to affect less than 1% of all domain validations from the Let’s Encrypt certificate authority. That’s better security, by default, for you and your customers.

Your ACME account ID [id] may have some errors and failed validations due to the multiple vantage point validation feature. We suggest you monitor your implementation when the feature is turned on and make any fixes necessary.

The best way to test compatibility for this feature is to perform test issuances in our staging environment where the new requirement is already enabled: Staging Environment - Let's Encrypt

Exception:

If you need extra time to work on getting your integration ready for multiple vantage point validation, we will have an exception list available through June 1, 2020: https://forms.gle/9QN7dxALJVAoRjMKA

This exception list is temporary. After June 1, 2020, you will be using the multiple vantage point feature and may experience increased domain validation failure rates unless you take action to ensure compatibility.

Getting Help:

Our expert community, including Let’s Encrypt staff and many client developers, monitor our community forum and are available to help if you get stuck. https://community.letsencrypt.org/

The best way to keep up-to-date on this new feature (and all API-related Let’s Encrypt announcements) is to subscribe to our API announcements by clicking the bell in the top right corner of this page: API Announcements - Let's Encrypt Community Support

Best,
The Let’s Encrypt Team

8 Likes

I have been using a tiny DNS client and assume you checked a record from 2 months ago? I renewed my cert OK (though early) to see if there’s a matter and it worked… Just don’t know what to look for.

I got the “Action required: New feature and your Let’s Encrypt integration” mail today; my configuration is still working with no errors. The checked record is from Dec. 19, 2 months ago.
What kind of record will be checked in your “multiple vantage point validation feature”? The acme-challenge record in the nameservers will always be removed by the implementation after successful renewal of certificates.
Just don’t know how to react and what will happen otherwise?

We got one of these emails that lists a failure on a single domain, dating back to November. We have on the order of 10,000 certificates on rotating renewal.

Regarding the email specifically—the dates/domains listed are not intended to be comprehensive, correct? For instance, if we had multiple failures since you turned this feature on, we’d only be seeing this email as a canary that at least one failure has happened?

Can you tell us what the format for a multi-perspective validation failure looks like in terms of API response structure/contents? What should we be looking for in our logs?

1 Like
