Renewal does not generate challenge?

I have a few machines with certbot installed, using the dns-rfc2136 plugin for challenges. I’ve been following https://github.com/certbot/certbot/issues/6282 as I’d prefer to use DNS names for my primary server (instead of addresses), and noticed the update from the ‘stale’ bot. I decided to try using a DNS name again with certbot 0.35.1, so I changed my configuration and forced a renewal.

The certificate was renewed without any challenge happening at all; the debug log doesn’t show any evidence of a challenge, but the expiration timestamp of the certificate was definitely changed. I assumed this was some sort of bug related to using a name instead of an address for the primary server, so I changed it back and forced a renewal again; same result, no challenge was requested or performed, but the certificate was renewed.

Is there some policy which allows certificate renewal without a challenge? If not, something really strange is going on.

Hi @kpfleming

A challenge result is cached for 30 days.

The account owner can create new certificates without a new confirmation.

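To tell a renewal that reused a cached authorization from one that actually ran the plugin, the place to look is certbot's debug log. The script below is an added example (not certbot code and not from this thread); it assumes the `auth_handler` message format reproduced in the constructed sample logs, so adjust `CHALLENGE_RE` if your certbot version words those lines differently.

```python
"""Report, per name on a certificate, whether certbot's debug log shows a
challenge being performed or no challenge at all (a reused authorization).

Added example, not certbot's own code.  Assumed log format:
  '<date> <time>:INFO:certbot.auth_handler:<type> challenge for <name>'
"""
import re
from typing import Dict, Iterable, List

CHALLENGE_TYPES = ("dns-01", "http-01", "tls-alpn-01")
CHALLENGE_RE = re.compile(
    r"^\S+ \S+:INFO:certbot\.auth_handler:(%s) challenge for (\S+)$"
    % "|".join(re.escape(t) for t in CHALLENGE_TYPES))


def challenges_in_log(lines: Iterable[str]) -> Dict[str, str]:
    """Map each name that had a challenge performed to the challenge type."""
    found: Dict[str, str] = {}
    for line in lines:
        m = CHALLENGE_RE.match(line.rstrip("\n"))
        if m:
            found[m.group(2).lower()] = m.group(1)
    return found


def check_renewal(names: List[str], lines: Iterable[str]) -> Dict[str, str]:
    """Per name: the challenge type performed, or 'cached' when the log shows
    none, which with Let's Encrypt normally means the CA still held a valid
    authorization from an earlier validation and the plugin was never run."""
    found = challenges_in_log(lines)
    return {n: found.get(n.lower(), "cached") for n in names}


# Constructed sample logs (not real certbot output).
LOG_WITH_CHALLENGE = """\
2019-06-25 10:00:00,100:INFO:certbot.auth_handler:Performing the following challenges:
2019-06-25 10:00:00,101:INFO:certbot.auth_handler:dns-01 challenge for example.com
2019-06-25 10:00:00,102:INFO:certbot.auth_handler:dns-01 challenge for www.example.com
2019-06-25 10:00:31,500:INFO:certbot.auth_handler:Waiting for verification...
2019-06-25 10:00:45,800:INFO:certbot.auth_handler:Cleaning up challenges
""".splitlines()

LOG_CACHED = """\
2019-07-01 09:00:00,100:DEBUG:certbot.main:certbot version: 0.35.1
2019-07-01 09:00:02,300:DEBUG:acme.client:Received response:
""".splitlines()

if __name__ == "__main__":
    names = ["example.com", "www.example.com"]
    print("fresh run :", check_renewal(names, LOG_WITH_CHALLENGE))
    print("cached run:", check_renewal(names, LOG_CACHED))
```

A name reported as `cached` after a forced renewal is the situation in this thread; to exercise the plugin anyway, use a name with no recent authorization or a fresh staging account.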

Ahh, that explains it. I guess I’ll have to request a new cert with a domain name I don’t actually use in order to test the plugin. Thanks for the quick response.


Another option might be to use brand new accounts for each test in the staging environment.


Indeed, although as it turns out the feature I was going to test isn’t actually ready to be tested, so there’s nothing to do right now unless I pick up the PR myself and try to get it completed…