Problem finding dns-persist-01 in staging

That would require explicit support. Once the pull request is approved, it will only be able to use the "main" accounturi, unless the Net::ACME2::Challenge object exposes "unknown" variables from the JSON structure.

Pebble hasn't been updated yet, but I created a PR a few days ago to return accounturi when I noticed it was missing: Add accounturi to dns-persist-01 challenges by felixfontein · Pull Request #544 · letsencrypt/pebble · GitHub

Agree on having a choice. Don't agree the Challenge URI is the best default.

When they differ, any "blind" choice is going to be wrong for some people, and perhaps even for important reasons. For example, the draft RFC in 7.2 says:

Domain owners and auditors who require independent verifiability SHOULD use the ACME account URL directly, since third parties cannot independently determine which account is bound to an alternative URI.

What to do when they differ seems use-case and CA dependent.

It will be interesting to see how LE plans to set and allow control of the Challenge accounturi. I'm assuming, at least for the start, that it will just be equal to the main accounturi to avoid the mapping that can otherwise be done with different ACME Accounts. But, that is purely a guess.

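To make the choice discussed above concrete, here is an added example (written for this page, not code from the thread, from Pebble, or from Net::ACME2) in Go. It parses a dns-persist-01 challenge object that may or may not carry "accounturi" (older Pebble builds omit it), selects the URI to publish under a configurable policy, builds and parses the TXT record value, and checks the draft 7.2 property: a third party who only knows the ACME account URL can verify the binding only when that URL itself is published. The "_validation-persist" owner label, the "issuer-domain-name" field and the CAA-style "issuer; accounturi=..." record syntax are assumptions taken from the draft, not from this thread; the sample challenges are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Challenge mirrors a dns-persist-01 challenge object. "accounturi" is the
// field the thread says Pebble was missing, so it is optional here.
// "issuer-domain-name" is an assumption taken from the draft.
type Challenge struct {
	Type             string `json:"type"`
	URL              string `json:"url"`
	Status           string `json:"status"`
	IssuerDomainName string `json:"issuer-domain-name"`
	AccountURI       string `json:"accounturi,omitempty"`
}

// Policy decides which URI goes into the TXT record when the challenge
// carries an accounturi that differs from the ACME account URL.
type Policy int

const (
	PreferAccount   Policy = iota // independently verifiable (draft 7.2)
	PreferChallenge               // the URI the CA bound to this challenge
)

// ChooseAccountURI returns the URI to publish. When the challenge has no
// accounturi (or it equals the account URL) there is nothing to choose.
func ChooseAccountURI(ch Challenge, accountURL string, p Policy) (string, error) {
	if accountURL == "" {
		return "", errors.New("account URL is required")
	}
	if ch.AccountURI == "" || ch.AccountURI == accountURL {
		return accountURL, nil
	}
	switch p {
	case PreferAccount:
		return accountURL, nil
	case PreferChallenge:
		return ch.AccountURI, nil
	}
	return "", fmt.Errorf("unknown policy %d", p)
}

// RecordName is the TXT owner name (assumed "_validation-persist" label).
func RecordName(domain string) string {
	return "_validation-persist." + strings.TrimSuffix(domain, ".")
}

// RecordValue builds the CAA-style value (format assumed from the draft).
func RecordValue(issuer, accountURI string) string {
	return fmt.Sprintf("%s; accounturi=%s", issuer, accountURI)
}

// ParseRecordValue extracts issuer and accounturi from a record value.
func ParseRecordValue(v string) (issuer, accountURI string, err error) {
	parts := strings.Split(v, ";")
	issuer = strings.TrimSpace(parts[0])
	if issuer == "" {
		return "", "", errors.New("empty issuer")
	}
	for _, p := range parts[1:] {
		k, val, ok := strings.Cut(strings.TrimSpace(p), "=")
		if ok && strings.EqualFold(k, "accounturi") {
			accountURI = val
		}
	}
	if accountURI == "" {
		return "", "", errors.New("no accounturi parameter")
	}
	return issuer, accountURI, nil
}

// IndependentlyVerifiable reports whether an auditor who only knows the ACME
// account URL can confirm the binding (draft 7.2): true only when the
// published accounturi is that account URL rather than an alternative URI.
func IndependentlyVerifiable(recordValue, accountURL string) bool {
	_, uri, err := ParseRecordValue(recordValue)
	return err == nil && uri == accountURL
}

func main() {
	const acct = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456"
	// Constructed samples: one challenge with accounturi, one without (old Pebble).
	for _, raw := range []string{
		`{"type":"dns-persist-01","url":"https://ca.example/chal/1","status":"pending","issuer-domain-name":"ca.example","accounturi":"https://ca.example/alt/abc"}`,
		`{"type":"dns-persist-01","url":"https://ca.example/chal/2","status":"pending","issuer-domain-name":"ca.example"}`,
	} {
		var ch Challenge
		if err := json.Unmarshal([]byte(raw), &ch); err != nil {
			panic(err)
		}
		for _, p := range []Policy{PreferAccount, PreferChallenge} {
			uri, _ := ChooseAccountURI(ch, acct, p)
			v := RecordValue(ch.IssuerDomainName, uri)
			fmt.Printf("%s TXT %q verifiable=%v\n", RecordName("example.org"), v, IndependentlyVerifiable(v, acct))
		}
	}
}
```

The second sample shows the fallback the thread worries about: with no accounturi in the challenge, both policies collapse to the main account URL, which is also the only record an outside auditor can check against the account.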

I have a suggestion to enable this, but to prevent breakage, allow people to opt out of it with "nojit".

For example:
profile => "shortlived,nojit"
or
profile => "tlsserver,nojit"
or
profile => "nojit"

This would allow incompatible clients (for example, the ACME client in Synology boxes) to support dns-persist-01 validation without any change at all. It would just try to validate, for example, HTTP-01 and fail that validation, but since there's a valid DNS-PERSIST-01 validation in the back, it would "silently accept" that and allow the client to work.

It sounds like LE won't be implementing JIT validation. So clients won't be able to use it unless they explicitly support dns-persist-01.

I'm curious who will implement it (if anyone) though.


Does Pebble with alwaysvalid=1 act differently from a successful JIT validation?

edit: it'd be different because it still needs to POST to the challenge to start the validation task:
