I followed STEP 3 onwards from the AWS Lightsail instructions to renew my SSL certificate.

At the step of adding the values for ACME_CHALLENGE in DNS, it failed. Then I had to restart from step 3 again and remove all the old DNS entries. This time around it only asked me to add one response to the DNS challenge, and then it was successfully renewed. I followed the subsequent steps, and the certificate was validated.


  1. Usually there are 2 _acme-challenge entries in the DNS, but I have entered just 1. Does this have any effect on the SSL certificate?
  2. Are these challenge values used only for renewal purposes? Can I remove those DNS entries now?

The operating system my web server runs on is (include version): AWS Lightsail

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): YES

Let me answer things a little out of order, you’ll see why.

The challenge values are used during issuance and renewal by Let’s Encrypt as evidence that you really control the names you want certificates for: bad guys should not be able to create the DNS entries, and so Let’s Encrypt won’t give them a certificate for your names. So yes, you can remove the entries after success.

The most likely reason you only needed one new DNS entry is that Let’s Encrypt already had acceptable evidence for the other name you asked for from that previous attempt. Your certificate is for and for *, which is two names by this way of counting, so that’s two pieces of evidence needed. For a while after being presented with evidence (hours, maybe a few days?), Let’s Encrypt does not need to be presented with suitable evidence of the same thing again by the same Let’s Encrypt account holder (in this case you) to get a certificate.

Yes, your certificate looks fine to me and you shouldn’t need to take any further action at least until next renewal in February if that’s not handled automatically by software you use.
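As an added example (not part of the original thread, and not Let’s Encrypt’s or Lightsail’s own code): the derivation an ACME client performs for a DNS-01 challenge, following RFC 8555 section 8.4 and RFC 7638, and the check the CA then runs against DNS. The token, the account JWK and the "observed" DNS answers below are all constructed samples. It shows why a base name and its wildcard both publish under the same _acme-challenge owner name (hence the usual two TXT entries), why each value is tied to your own account key, and why a stale or missing record fails validation.

```python
"""
Added example, not code from the original post or from Let's Encrypt.
DNS-01 challenge derivation per RFC 8555 s8.4 / RFC 7638, plus the CA-side check.
All keys, tokens and DNS answers here are constructed samples.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised with sorted keys and no whitespace. Extra members (kid, alg)
    and member order do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's token to one ACME account key,
    so a value copied from someone else's account is useless."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (owner name, TXT value) the CA will query for.
    A wildcard identifier loses its leading '*.', so example.com and
    *.example.com both validate at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def records_to_publish(challenges: list[tuple[str, str]], jwk: dict) -> dict[str, set[str]]:
    """Group the TXT values an order needs by owner name; two identifiers that
    share a base name end up as two values under one name."""
    out: dict[str, set[str]] = {}
    for identifier, token in challenges:
        name, value = dns01_record(identifier, token, jwk)
        out.setdefault(name, set()).add(value)
    return out


def validate_dns01(observed_txt: dict[str, set[str]], identifier: str,
                   token: str, jwk: dict) -> bool:
    """CA-side check: the expected value must appear among the TXT records at
    the owner name. Unrelated records at that name are ignored, which is why
    the base-name and wildcard values can coexist there."""
    name, expected = dns01_record(identifier, token, jwk)
    return expected in observed_txt.get(name, set())


# Constructed sample account key: NOT a real key, only the JWK shape matters.
SAMPLE_JWK = {"kty": "RSA", "n": "sample-modulus-not-a-real-key", "e": "AQAB"}
# Constructed tokens, one per identifier, as a CA would hand out.
SAMPLE_CHALLENGES = [("example.com", "tok-base-0001"), ("*.example.com", "tok-wild-0002")]

if __name__ == "__main__":
    for name, values in records_to_publish(SAMPLE_CHALLENGES, SAMPLE_JWK).items():
        for v in sorted(values):
            print(f"{name}. IN TXT \"{v}\"")
```

The thumbprint function is the part worth keeping around: if you ever need to confirm a TXT value by hand, you need the account key’s thumbprint, and it is exactly this canonical form that must be hashed, not the JSON as a client happened to write it to disk.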

