We are a hosting company managing thousands of certificates.
Over the last year we tried to renew around 1000 certificates and 800 of them failed with error 403. Most of the certificates were 2 months old when we tried to renew them. We worked around this by simply creating new certificates instead of renewing. Renewal of newly created certificates always succeeded.
Now we upgraded from acme-v01 to acme-v02 and all acme-v01 certificate renewals fail. Instead of creating new certs, this time we would like to figure out what the cause of the issue is.
- Can acme-v01 certificates be renewed with acme-v02?
- Why do so many renewals fail? Are the 2-month-old certificates too old for renewals?
- We try to create a certificate with URLs *.domain.be and domain.be using dns-01 validation. TXT records are properly created, but validation fails for the second URL. Can we use dns-01 validation when TXT records are created on the same domain?
Let me know if you need any further information.
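The third question turns on a detail of dns-01 that is easy to miss: the wildcard name `*.domain.be` and the base name `domain.be` are two separate authorizations, and both of them are validated at the same DNS name, `_acme-challenge.domain.be`, so two TXT records with different values have to coexist there at the same time. The script below is an added illustration, not code from the poster or from any ACME client: it derives the expected TXT values the way RFC 8555 section 8.4 specifies (SHA-256 of `token.thumbprint`, base64url without padding, with the account-key thumbprint from RFC 7638), and then checks a published TXT record set against them. The JWK, the challenge tokens and the zone contents are constructed placeholders; a real check would replace the `zone` dict with an actual DNS lookup of the challenge name.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """A wildcard identifier is validated at the base name, so '*.' is dropped."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def plan_txt_records(identifiers, tokens, thumbprint) -> dict:
    """Map each challenge name to the set of TXT values that must be published there.

    Two identifiers that share a base name (wildcard + apex) land on the same key,
    which is exactly why both TXT records have to exist side by side.
    """
    expected: dict = {}
    for ident, token in zip(identifiers, tokens):
        expected.setdefault(challenge_name(ident), set()).add(dns01_txt_value(token, thumbprint))
    return expected


def missing_txt_records(expected: dict, zone: dict) -> dict:
    """Return {name: values not yet published}; empty dict means validation can proceed.

    `zone` stands in for a DNS lookup: name -> list of TXT strings currently served.
    """
    missing = {}
    for name, values in expected.items():
        gap = values - set(zone.get(name, []))
        if gap:
            missing[name] = gap
    return missing


# Constructed account key (not a real RSA modulus) and constructed challenge tokens.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
SAMPLE_IDENTIFIERS = ["*.domain.be", "domain.be"]
SAMPLE_TOKENS = ["token-for-wildcard-authz", "token-for-apex-authz"]


def demo() -> dict:
    """Publish only the first TXT record, as a DNS update that replaced instead of added would."""
    thumb = jwk_thumbprint(SAMPLE_JWK)
    expected = plan_txt_records(SAMPLE_IDENTIFIERS, SAMPLE_TOKENS, thumb)
    name = challenge_name("domain.be")
    first_value = dns01_txt_value(SAMPLE_TOKENS[0], thumb)
    zone_with_one_record = {name: [first_value]}          # constructed DNS state
    return missing_txt_records(expected, zone_with_one_record)


if __name__ == "__main__":
    for name, gap in demo().items():
        print(f"{name}: {len(gap)} expected TXT value(s) not published: {sorted(gap)}")
```

The design point is that `plan_txt_records` keys on the challenge name rather than on the identifier: if the DNS automation keys on the identifier and writes `_acme-challenge.domain.be` once per identifier with a replace-style update, the second write overwrites the first and one of the two authorizations fails, which matches the symptom of one name validating and the other not. Adding both values as separate TXT records at the same name, and waiting for propagation before the challenges are triggered, is the arrangement dns-01 expects.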