Renew TLS-ALPN-01 without self-signed cert


When doing the initial ordering of a certificate using the tls-alpn-01 challenge, I have to construct a self-signed certificate as explained in RFC 8737.

So far so good. Eventually my program has to renew the certificate still using tls-alpn-01.

Do I need to re-run the process using a new self-signed certificate, or is ACME/Let's Encrypt able to renew on the fly just by looking at the existing, soon-to-expire certificate?

My testing shows the latter seems to work (if I reuse the same account and key pair), but I can't figure out whether it's the right way to do it, or whether I am required to redo the self-signed cert ceremony.


You will need to show a fresh self-signed certificate with the right extension to the verification agent. What you are seeing is authorization reuse, which means the same ACME account doesn't need to verify again for a new certificate for 30 days after the first verification.
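The self-signed validation certificate that the question and the reply refer to, as an added example that is not code from either poster: it builds the RFC 8737 certificate with Go's standard library (one dNSName SAN for the identifier, plus the critical id-pe-acmeIdentifier extension carrying SHA-256 of the key authorization) and then re-runs the checks the ACME server applies, so you can see why a certificate minted for an earlier challenge token is rejected once a new validation is actually required. The domain, token and account key below are constructed sample values, not from the thread.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-pe-acmeIdentifier, RFC 8737 section 3: 1.3.6.1.5.5.7.1.31
var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// KeyAuthorization returns token "." base64url(JWK thumbprint of the account key)
// as defined in RFC 8555 section 8.1, for a P-256 account key.
func KeyAuthorization(token string, accountKey *ecdsa.PublicKey) string {
	b64 := base64.RawURLEncoding
	// RFC 7638 thumbprint input: required members in lexicographic order, no whitespace.
	x := accountKey.X.FillBytes(make([]byte, 32))
	y := accountKey.Y.FillBytes(make([]byte, 32))
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`,
		b64.EncodeToString(x), b64.EncodeToString(y))
	thumb := sha256.Sum256([]byte(jwk))
	return token + "." + b64.EncodeToString(thumb[:])
}

// ValidationCert mints the short-lived self-signed certificate to present over
// ALPN "acme-tls/1". It returns the DER certificate and a fresh private key.
func ValidationCert(domain, keyAuth string) ([]byte, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256([]byte(keyAuth))
	extValue, err := asn1.Marshal(digest[:]) // DER OCTET STRING holding the digest
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: domain},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour), // only needs to outlive the validation round trip
		DNSNames:     []string{domain},  // exactly one SAN: the identifier being validated
		ExtraExtensions: []pkix.Extension{
			{Id: oidACMEIdentifier, Critical: true, Value: extValue},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return der, priv, nil
}

// CheckValidationCert applies the RFC 8737 section 3 checks the ACME server makes
// on the presented certificate and reports why a certificate would be rejected.
func CheckValidationCert(der []byte, domain, keyAuth string) error {
	cert, err := x509.ParseCertificate(der) // unknown critical ext is recorded, not fatal, here
	if err != nil {
		return err
	}
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain ||
		len(cert.IPAddresses)+len(cert.EmailAddresses)+len(cert.URIs) != 0 {
		return errors.New("subjectAltName must contain exactly the validated dNSName")
	}
	want := sha256.Sum256([]byte(keyAuth))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidACMEIdentifier) {
			continue
		}
		if !ext.Critical {
			return errors.New("acmeIdentifier extension must be marked critical")
		}
		var got []byte
		if rest, err := asn1.Unmarshal(ext.Value, &got); err != nil || len(rest) != 0 {
			return errors.New("acmeIdentifier extension is not a single OCTET STRING")
		}
		if !bytes.Equal(got, want[:]) {
			return errors.New("acmeIdentifier digest does not match the current key authorization")
		}
		return nil
	}
	return errors.New("certificate has no acmeIdentifier extension")
}

func main() {
	// Constructed sample values; a real token comes from the server's challenge object.
	acct, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldAuth := KeyAuthorization("sample-token-from-first-order", &acct.PublicKey)
	der, _, err := ValidationCert("example.com", oldAuth)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh cert, same token:", CheckValidationCert(der, "example.com", oldAuth))
	// Reusing last order's certificate against a new challenge token fails the digest check.
	newAuth := KeyAuthorization("sample-token-from-renewal", &acct.PublicKey)
	fmt.Println("reused cert, new token:", CheckValidationCert(der, "example.com", newAuth))
}
```

To actually serve the certificate, put it behind a `tls.Config` whose `NextProtos` offers `acme-tls/1` and whose `GetCertificate` selects it only when the ClientHello negotiates that protocol for the validated name. When the server reuses an existing authorization, as described in the reply, no challenge is issued and none of this runs; when it does issue a new challenge, the token is new, so the digest embedded in the old certificate no longer matches and a fresh certificate must be minted.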
