Renewal does not generate challenge?

I have a few machines with certbot installed, using the dns-rfc2136 plugin for challenges. I’ve been following https://github.com/certbot/certbot/issues/6282 as I’d prefer to use DNS names for my primary server (instead of addresses), and noticed the update from the ‘stale’ bot. I decided to try using a DNS name again with certbot 0.35.1, so I changed my configuration and forced a renewal.

The certificate was renewed without any challenge happening at all; the debug log doesn’t show any evidence of a challenge, but the expiration timestamp of the certificate was definitely changed. I assumed this was some sort of bug related to using a name instead of an address for the primary server, so I changed it back and forced a renewal again; same result, no challenge was requested or performed, but the certificate was renewed.

Is there some policy which allows certificate renewal without a challenge? If not, something really strange is going on.

Hi @kpfleming

A challenge result is cached for 30 days.

The account owner can create new certificates without a new confirmation.
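An added illustration of the caching described in the answer above (not part of the original thread, and not certbot's code): an ACME order lists one authorization object per identifier (RFC 8555, section 7.1.4), and a client only has to answer a challenge for those still `pending`. The function names and the sample objects are constructed for this example.

```python
from datetime import datetime, timezone

def parse_ts(value):
    """Parse an RFC 3339 timestamp as found in ACME objects."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def plan_order(authorizations, now):
    """Sort an order's authorizations by what the client still has to do.

    reused      -> already valid for this account, no challenge is run
    to_validate -> pending, a challenge (e.g. dns-01) must be completed
    unusable    -> invalid/expired/revoked/deactivated, a new order is needed
    """
    plan = {"reused": [], "to_validate": [], "unusable": []}
    for authz in authorizations:
        name = authz["identifier"]["value"]
        if authz.get("wildcard"):
            name = "*." + name  # wildcard authz carries the base name only
        status = authz["status"]
        if status == "valid" and parse_ts(authz["expires"]) > now:
            plan["reused"].append(name)
        elif status == "pending":
            plan["to_validate"].append(name)
        else:
            plan["unusable"].append(name)
    return plan

# Constructed sample: one name validated earlier by this account, one new name.
SAMPLE_AUTHZS = [
    {"identifier": {"type": "dns", "value": "example.org"},
     "status": "valid", "expires": "2019-07-20T12:00:00Z",
     "challenges": [{"type": "dns-01", "status": "valid"}]},
    {"identifier": {"type": "dns", "value": "unused-test.example.org"},
     "status": "pending", "expires": "2019-07-02T12:00:00Z",
     "challenges": [{"type": "dns-01", "status": "pending"}]},
]

if __name__ == "__main__":
    now = datetime(2019, 6, 25, tzinfo=timezone.utc)
    for bucket, names in plan_order(SAMPLE_AUTHZS, now).items():
        print(bucket, names)
```

A forced renewal where every name lands in `reused` issues a certificate without any challenge appearing in the debug log, which matches the behaviour reported in the question.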

Ahh, that explains it. I guess I’ll have to request a new cert with a domain name I don’t actually use in order to test the plugin. Thanks for the quick response.

Another option might be to use brand new accounts for each test in the staging environment.

Indeed, although as it turns out the feature I was going to test isn’t actually ready to be tested, so there’s nothing to do right now unless I pick up the PR myself and try to get it completed…