I have a few machines with certbot installed, using the dns-rfc2136 plugin for challenges. I’ve been following https://github.com/certbot/certbot/issues/6282 as I’d prefer to use DNS names for my primary server (instead of addresses), and noticed the update from the ‘stale’ bot. I decided to try using a DNS name again with certbot 0.35.1, so I changed my configuration and forced a renewal.
The certificate was renewed without any challenge happening at all; the debug log doesn’t show any evidence of a challenge, but the expiration timestamp of the certificate was definitely changed. I assumed this was some sort of bug related to using a name instead of an address for the primary server, so I changed it back and forced a renewal again; same result, no challenge was requested or performed, but the certificate was renewed.
Is there some policy which allows certificate renewal without a challenge? If not, something really strange is going on.