SELinux effect on cert renewal, access to .well-known/acme-challenge

In the process of working through an issue with verification that depended on access to the .well-known/acme-challenge, I discovered the the problem was that SELinux was blocking it, causing a 403 error. Running setenforce Permissive at the command line allowed me to create the cert and I've successfully installed it.

Will access be to .well-known/acme-challenge be necessary to renew the cert? Or is this verification process only performed during cert creation?

1 Like

Yes. The validations are cached for (currently) just 30 days. So if you renew the cert after 60 days, the validation is already invalidated.

No, renewing is just the term used for: "getting a brand new certificate, but with the same hostnames as a previously issued certificate". Technically, there's no difference between the first cert and a renewal. But it's useful to be able to differentiate between first certs and renewals for certain rate limit exemptions for example.


The validations may be cached for up to 30 days; but there is no guarantee for them to be cached at all.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.