Number of challenges for wildcard certificate

My domain is:

navdispatch.com / fleetportal.de

I ran this command to renew my certificate:

certbot certonly -d 'navdispatch.com,*.navdispatch.com,fleetportal.de,*.fleetportal.de' --preferred-challenges dns --manual

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for fleetportal.de
dns-01 challenge for navdispatch.com
dns-01 challenge for navdispatch.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.fleetportal.de with the following value:

P2ewknHZmHNEsXELKovv6D8U5GFsqRjo2s1tvx22MWQ

Before continuing, verify the record is deployed.


Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.navdispatch.com with the following value:

rKBcsbyQdEAFinsIcg34s9iMT2JMiuuXbv-tO8U3N6w

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)


Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.navdispatch.com with the following value:

NVfI3aytDHVUQ4vmtjRT-RdsqIoUt254Z0eyON23M6w

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)


Press Enter to Continue
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/navdispatch.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/navdispatch.com/privkey.pem
    Your cert will expire on 2020-08-31. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):

apache2 2.4.29-1ubuntu4.13

The operating system my web server runs on is (include version):

Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

I’d like to understand why the number of challenges to renew this certificate is 3.
Last time I renewed it there were 4 challenges. I’d understand if the process became simpler and it only required 2, but 3 is an odd number of challenges for 2 domains with wildcard.

1 Like

Hi @MoonE

Checking your domain via https://check-your-website.server-daten.de/?q=fleetportal.de#ct-logs, you see:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2020-06-02 | 2020-08-31 | *.fleetportal.de, *.navdispatch.com, fleetportal.de, navdispatch.com - 4 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2020-06-01 | 2020-08-30 | admin.navdispatch.com, fleetportal.de, http01p.navdispatch.com, www.fleetportal.de - 4 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2020-04-02 | 2020-07-01 | admin.navdispatch.com, fleetportal.de, http01p.navdispatch.com, www.fleetportal.de - 4 entries | | |

You created a certificate with fleetportal.de on 2020-06-01.

Such validations are cached for 30 days.

So Certbot offers only three TXT entries.

In two months, 4 TXT entries are required again.

3 Likes

You should be able to confirm that by examining /var/log/letsencrypt/letsencrypt.log. (Warning: It’s really long.)

It should show that Let’s Encrypt returned 3 authzs with a status of pending, and 1 that already had a status of valid and an expiration date that’s probably about 28 days in the future.

4 Likes
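As an added illustration (not part of any post above, and not certbot's own code): a small script that takes ACME authorization objects of the shape certbot writes to letsencrypt.log and shows why a still-valid, reused authz drops one TXT record from the list, and why two distinct values end up under the same `_acme-challenge` name. The authorization JSON, tokens and account-key thumbprint are constructed.

```python
import base64
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample order: four RFC 8555 authorization objects as the ACME
# server returns them (certbot logs the same JSON). The bare fleetportal.de
# authz is still "valid" from an issuance two days earlier, so the CA reuses
# it and certbot only asks for three TXT records.
AUTHZS = [
    {"identifier": {"type": "dns", "value": "fleetportal.de"}, "status": "valid",
     "expires": "2020-07-01T10:00:00Z", "challenges": [{"type": "dns-01", "token": "tokA"}]},
    {"identifier": {"type": "dns", "value": "fleetportal.de"}, "wildcard": True, "status": "pending",
     "expires": "2020-06-09T10:00:00Z", "challenges": [{"type": "dns-01", "token": "tokB"}]},
    {"identifier": {"type": "dns", "value": "navdispatch.com"}, "status": "pending",
     "expires": "2020-06-09T10:00:00Z", "challenges": [{"type": "dns-01", "token": "tokC"}]},
    {"identifier": {"type": "dns", "value": "navdispatch.com"}, "wildcard": True, "status": "pending",
     "expires": "2020-06-09T10:00:00Z", "challenges": [{"type": "dns-01", "token": "tokD"}]},
]
THUMBPRINT = "constructed-account-key-thumbprint"  # really a base64url JWK thumbprint

def parse_ts(ts):
    """Parse an ACME RFC 3339 timestamp such as 2020-07-01T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def txt_record_name(authz):
    """A wildcard authz carries the base name plus wildcard=true (RFC 8555 7.1.4),
    so *.example.com and example.com are both validated at the same TXT name."""
    return "_acme-challenge." + authz["identifier"]["value"]

def dns01_txt_value(token, thumbprint):
    """TXT record content: unpadded base64url(SHA-256(token '.' thumbprint))."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def pending_txt_records(authzs, thumbprint):
    """Map TXT name -> list of values that must coexist under that name."""
    records = defaultdict(list)
    for authz in authzs:
        if authz["status"] != "pending":
            continue  # reused (cached) authz: nothing to deploy for it
        chal = next(c for c in authz["challenges"] if c["type"] == "dns-01")
        records[txt_record_name(authz)].append(dns01_txt_value(chal["token"], thumbprint))
    return dict(records)

def cached_authzs(authzs, now_ts):
    """(identifier, whole days until the cached validation expires) for valid authzs."""
    out = []
    for authz in authzs:
        if authz["status"] == "valid":
            name = ("*." if authz.get("wildcard") else "") + authz["identifier"]["value"]
            out.append((name, (parse_ts(authz["expires"]) - parse_ts(now_ts)).days))
    return out
```

Run against a real letsencrypt.log, the authz objects are the JSON bodies of the `/acme/authz-v3/...` responses; an authz that is already `valid` is exactly the one certbot never prompts for.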

Thank you both.
I did not know how long the validation is cached.
I checked the log and there is indeed one already valid.