Question about RENEWING a certificate

When I use certbot, I found that if I get the certificate via DNS-01 validation, it is not necessary to finish the challenge when renewing the certificate.

I read RFC 8555 and did not find an API for RENEWING a certificate.

How does certbot realize this?

For example:

I create new order:

$ certbot certonly  -d baiyusmile.space --manual --preferred-challenge dns
/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  from cryptography import x509
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for baiyusmile.space

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.baiyusmile.space with the following value:

mtXooy_49lPP9Ejnf7eyg9EnmfeiffXogUSl_zS7XHY

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Here I need to append the value "mtXooy_49lPP9Ejnf7eyg9EnmfeiffXogUSl_zS7XHY" to the TXT records of _acme-challenge.baiyusmile.space.

Then:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/baiyusmile.space/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/baiyusmile.space/privkey.pem
   Your cert will expire on 2021-03-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I get certificate successfully.

When I renew it forcibly:

$ certbot renew --cert-path /etc/letsencrypt/live/baiyusmile.space/cert.pem 
--force-renewal --manual-auth-hook ~/print-func.sh 
/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  from cryptography import x509
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/baiyusmile.space.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for baiyusmile.space
Output from print-func.sh:
88888888888888
_17KqsmTdFz-nhu98HMq9PfMSFuL2M2uvVHtuHQaAS0
88888888888888

Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/baiyusmile.space/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/baiyusmile.space/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Actually, print-func.sh just prints the value,

BUT I can still get the renewed certificate.

WHY ????

RFC 8555 does not describe the details of renewal.

How did certbot do it without the applicant operating on the _acme-challenge.baiyusmile.space DNS TXT value?


If renewal processing is really the same as creating a new order, why can certbot get the renewed certificate without DNS-01 validation?

Is it a BUG?


No, it's because the valid authorizations are cached for 30 days. Your ACME client will experience this too if you don't deactivate the authorizations.


You've noticed a behavior of Let's Encrypt's ACME service, which is not explicitly documented in RFC 8555.

Let's Encrypt will sometimes not ask you to complete an authorization, if you have recently already completed an authorization for the same domain. It looks at the history of your ACME account to determine this.

As a result, it is possible to create an order where all of the authorizations are already valid and you can immediately proceed to finalization.

That's why Certbot has the appearance of skipping the validation process.

In more recent versions of Certbot (>= 0.40.0), --dry-run will ensure that it obtains fresh authorizations for every domain, so the full validation process will be required every time.

As for the definition of "recently", you shouldn't rely on the time interval to be 30 days or 7 days or anything else. The ACME server could ask you to complete a new authorization for any, or even every order.

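As an added illustration (not code from this thread, from Certbot, or from Let's Encrypt's CA software), the Python mock below acts out the behaviour the reply above describes: a newOrder whose authorizations are all already valid comes back ready for finalization with nothing to challenge, a client that only performs challenges for authorizations still in the "pending" state, deactivation of an authorization (RFC 8555 section 7.5.2) forcing a fresh challenge, and expiry of the cached authorization. The server internals, the URLs, the account name, the 7-day pending lifetime and the 30-day reuse window are assumptions made for the mock, not a statement of how Let's Encrypt actually decides; as the reply says, the real interval is not something a client should rely on.

```python
# Added example: constructed mock of ACME authorization reuse.
# Not Let's Encrypt, Boulder or Certbot code; all server internals are assumptions.
from datetime import datetime, timedelta, timezone
import secrets

# Assumptions for the mock only; do not rely on any fixed interval from a real CA.
REUSE_WINDOW = timedelta(days=30)
PENDING_LIFETIME = timedelta(days=7)


class MockAcmeServer:
    """Stand-in for the parts of an ACME CA that matter here: newOrder,
    challenge response, and authorization deactivation (RFC 8555 s7.5.2)."""

    def __init__(self, now):
        self.now = now
        self.authz = {}        # authz URL -> authorization object (RFC 8555 s7.1.4 shape)
        self.valid_cache = {}  # (account, identifier) -> URL of a valid authorization
        self._n = 0

    def _url(self, kind):
        self._n += 1
        return f"https://acme.example/{kind}/{self._n}"  # constructed URL

    def new_order(self, account, identifiers):
        authz_urls = []
        for name in identifiers:
            cached = self.valid_cache.get((account, name))
            if (cached and self.authz[cached]["status"] == "valid"
                    and self.authz[cached]["expires"] > self.now):
                authz_urls.append(cached)  # reuse: no challenge needed for this name
                continue
            url = self._url("authz")
            self.authz[url] = {
                "status": "pending",
                "identifier": {"type": "dns", "value": name},
                "expires": self.now + PENDING_LIFETIME,
                "challenges": [{"type": "dns-01", "status": "pending",
                                "url": self._url("chall"),
                                "token": secrets.token_urlsafe(32)}],
            }
            authz_urls.append(url)
        all_valid = all(self.authz[u]["status"] == "valid" for u in authz_urls)
        return {"status": "ready" if all_valid else "pending",
                "identifiers": [{"type": "dns", "value": n} for n in identifiers],
                "authorizations": authz_urls}

    def respond_to_challenge(self, account, authz_url):
        """Mock validation: assume the TXT record was found and mark the authz valid."""
        a = self.authz[authz_url]
        a["status"] = "valid"
        a["challenges"][0]["status"] = "valid"
        a["expires"] = self.now + REUSE_WINDOW
        self.valid_cache[(account, a["identifier"]["value"])] = authz_url

    def deactivate(self, authz_url):
        """RFC 8555 s7.5.2: the client POSTs {"status": "deactivated"} to the authz URL."""
        self.authz[authz_url]["status"] = "deactivated"


def pending_authorizations(server, order):
    """Client side: only authorizations still 'pending' require a challenge."""
    return [u for u in order["authorizations"] if server.authz[u]["status"] == "pending"]


def run_scenario(now=datetime(2020, 12, 22, tzinfo=timezone.utc)):
    server = MockAcmeServer(now)
    acct, names = "acct-1", ["baiyusmile.space"]

    # 1. First issuance: the authorization is pending, so dns-01 must be completed.
    order1 = server.new_order(acct, names)
    pending1 = pending_authorizations(server, order1)
    for u in pending1:
        server.respond_to_challenge(acct, u)

    # 2. Forced renewal a day later: the valid authz is reused and the order is ready at once.
    server.now = now + timedelta(days=1)
    order2 = server.new_order(acct, names)
    pending2 = pending_authorizations(server, order2)

    # 3. Deactivate the cached authz; the next order needs a challenge again.
    for u in order2["authorizations"]:
        server.deactivate(u)
    order3 = server.new_order(acct, names)
    pending3 = pending_authorizations(server, order3)
    for u in pending3:
        server.respond_to_challenge(acct, u)

    # 4. Past the (assumed) reuse window, the cached authz has expired: challenge again.
    server.now = server.now + timedelta(days=31)
    order4 = server.new_order(acct, names)
    pending4 = pending_authorizations(server, order4)

    return {"order1_status": order1["status"], "pending1": len(pending1),
            "order2_status": order2["status"], "pending2": len(pending2),
            "reused": order2["authorizations"] == order1["authorizations"],
            "pending3": len(pending3), "pending4": len(pending4)}
```

The practical takeaway for a client author is in `pending_authorizations`: read each authorization object returned by newOrder and branch on its status rather than assuming every order requires a challenge; a real client must also handle "invalid" and "expired" statuses, which the mock leaves out.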
