Renewal process


#1

I just received an invite today. I already tested generating the cert using webroot. My question would be about renewal. Do I need to re-authenticate the domain again?

My problem is, I will use the domain for a wifi captive portal login page. This will be a private LAN. Initially I would be able to change DNS to a public IP for domain authentication. Do I need to do this for every renewal?


#2

I believe it has to be re-validated again on renewal @bmw @kelunik @jsha?


#3

You will need to re-authorize the domain periodically based on the expiry time of the authorization object. Currently the authorization lasts ten months. So you will be able to do your next few renewals on one authorization, but in ten months you will have to re-do the authorization process.


#4

thanks @jsha for the clarification

Is there any reason it's set to a specific number like 10 months and not 12 months, etc.?

If I ran webroot authentication via cronjob every 2 months, would that still re-authorize each time so that the 10 months gets extended every 2 months?


#5

Actually, I misspoke: The idea behind authorizations lasting for ten months (currently) is that they provide a full year of coverage, assuming you renew your cert every 60 days. So you wouldn’t need to reauthorize for a full year, assuming you issue a cert right before the authorization expires.

I believe webroot re-does the authorization each time, so you shouldn’t run into expiring authorizations.


#6

thanks @jsha for the information :slight_smile:


#7

Meaning to say, for the current setting (10 months) I need to re-set the DNS to a public IP roughly once a year for domain re-validation? For renewal, as long as the authorization object is still valid, I just need the internet connection?

Another one: if I got authorization for abc.com, can I generate a subdomain certificate such as wifi.abc.com using the main domain authorization only? I believe this is how current CAs operate. The validation is based on the main domain, right?


#8

That’s correct.

No, you need to validate each subdomain separately.
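As an added illustration (not code from the thread or from Let's Encrypt), here is a small simulation of the rule jsha describes in #5 and the per-hostname answer in #8: a 60-day renewal loop that reuses a cached authorization until it expires and challenges each hostname separately. The 300-day authorization lifetime, the 60-day cadence and the hostnames are assumptions taken from the thread's figures.

```python
from datetime import date, timedelta

# Constructed parameters mirroring the thread (assumptions, not protocol constants):
# an authorization stays valid about ten months; certs are renewed every 60 days.
AUTHZ_LIFETIME = timedelta(days=300)
RENEW_EVERY = timedelta(days=60)


class AuthzCache:
    """One authorization per exact hostname: abc.com and wifi.abc.com are
    separate identifiers, so each needs its own validation."""

    def __init__(self):
        self._expires = {}     # hostname -> date the authorization expires
        self.challenges = []   # (date, hostname) for every validation performed

    def is_valid(self, host, today):
        exp = self._expires.get(host)
        return exp is not None and today < exp

    def validate(self, host, today):
        # Stands in for completing a challenge (e.g. webroot) for one hostname.
        self._expires[host] = today + AUTHZ_LIFETIME
        self.challenges.append((today, host))

    def issue(self, hosts, today):
        """Issue a cert covering `hosts`, challenging only identifiers without a
        live authorization. Returns the hostnames that had to be validated."""
        needed = [h for h in hosts if not self.is_valid(h, today)]
        for h in needed:
            self.validate(h, today)
        return needed


def renewal_schedule(hosts, start, days=365):
    """Renew every RENEW_EVERY from `start` for `days`; returns a list of
    (renewal date, hostnames re-validated on that run)."""
    cache, schedule, today = AuthzCache(), [], start
    while today <= start + timedelta(days=days):
        schedule.append((today, cache.issue(hosts, today)))
        today += RENEW_EVERY
    return schedule


def demo_schedule():
    """The thread's case: one cert for abc.com and wifi.abc.com, renewed for a year."""
    return renewal_schedule(["abc.com", "wifi.abc.com"], date(2016, 1, 1))


if __name__ == "__main__":
    for day, revalidated in demo_schedule():
        print(day, revalidated or "authorization reused")
```

Running it shows both hostnames challenged on the first run and again on the sixth (day 300, when the cached authorization has expired), with every other renewal reusing the existing authorization.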


#9

@aneip there will be another option. You can use the same domain for outside and inside.
Inside, for example, you point to 192.168.0.1 and outside to an official IP that hosts maybe some other site of yours.
And that can be used for domain validation.


#10

@jsha I think that the reauthorization time, no matter whether it's 10 or 12 months or whatever, should be NO LESS than the expiry of the domain. Also it could be helpful to re-do the authorisation if the whois record changes (for example using a hash of the whois record data about the owner).

Because anyone could get a domain that is already authenticated using LE and then get certs and impersonate that domain. For example, if I sell a domain I could still get certs until the 10 months expired.


#11

[quote=“My1, post:10, topic:3971”]
also it could be helpful to re-do the authorisation if the whois record changes. (for example using a hash of the whois record data about the owner)
[/quote]

Could be problematic for folks like me using private domain whois, where the registrar auto-rotates the publicly listed email address username hash frequently or changes the private registrar's address details slightly.

Although I use webroot authentication, I think other folks with private whois services would have issues with non-webroot methods + internal LAN private IPs.


#12

when the private whois actually rotates the data, well…

Also, how is it a problem if the authorization is done automatically anyway?

But there needs to be a way against this: I auth a domain via LE, sell it and then MITM the whole stuff because I already have authorisation, and the only way of checking an owner change is the whois. By the way, is a private whois even allowed? I mean a whois has a purpose (and I recently found a domain where the contact address threw an error when I tried mailing it).

I think the whois stuff has a purpose and I am not sure what to say about private whois. Well, spam protection is great, but there must be a way to contact the owner and/or see a change of the owner, or else you could obtain a three-year cert at a traditional CA, sell the domain and MITM it for THREE WHOLE YEARS.


#13

Yeah, true about auto authorization.

But the private whois listed email should forward to the real whois contact's email, so it doesn't matter.


#14

So it's just a redirection; well, that makes it better.


#15

@eva2000 independent of my personal thinking about private whois records, I would say that it is not relevant if the domain owner changes, because LE verifies that the person who has technical control of the server hosting the domain is requesting the certificate, not the person that is mentioned in the whois record (for example via mail).
@My1 I have the same thinking about private whois records; I like to have contact persons if there is trouble. More often I only have an IP, but for domain records I think the same should be the case.

But whois is currently not in place with LE authentication strategies.


#16

Indeed… my statement was in relation to folks trying to validate private LAN IP based domains; the re-authorisation part would be more inconvenient if you also had to check a hash of their domain whois details.

[quote=“eva2000, post:11, topic:3971”]
although i use webroot authentication, i think other folks with private whois services would have issues with non-webroot methods + internal lan private ips
[/quote]


#17

@tlussnig I think the whois should not be used as authorisation but rather to decide whether to authorise again or not, because it was said that the authorisation stays 10 months so you can get certs for a whole year. And if the owner changes, how high do you think the probability is that the one who controls the server associated with the domain stays the same? I think it's less than 1%.


#18

Hm, a WHOIS record change, an owner change and a change of the person/company handling the domain are different things.

  1. Whois may contain as Admin-C the CEO, who may change.
  2. The person/company moves to another location.
  3. Change in legal suffixes gmbh/ag/co kg/ltd etc…
  4. Sold to another firm but managed by the same staff, while only top management is replaced.

And many other cases…

#19

Well, I didn't even say the whole whois record but rather some more important parts of it, for example the mail address or something else.

Well, the change of the legal form or the location change: maybe even if the firm might be the same, it technically is a different entity.
Also, when another firm is involved it is a whole different entity who has the certs, so a reauthentication would be no problem.

-> and the most important thing:
I also didn't say that the whois change should revoke the cert, but rather request a new authentication at renewal, which shouldn't be a problem since it should be automatic anyway (which is a reason why we even have 90-day certs, even if I don't like that).


#20

5 posts were split to a new topic: Authorization recycling
