I’m investigating using a Let’s Encrypt multi-domain cert where I was previously using a wildcard cert from another provider. What I’m finding is that when I add 1 new domain to the list of valid domains, the time it takes Let’s Encrypt to re-authenticate all the existing domains is quite long, whereas the part of the time taken for the new domain is only a few seconds.
For example, if each domain takes 5 seconds to authenticate:
We have an existing Let’s Encrypt cert for 90 domains which have all been successfully authenticated
We want to add one new domain
Let’s Encrypt re-authenticates all 90 domains plus the new 1
Time taken is 455 seconds
Is there any way to configure the cert request such that only the 1 new domain needs to be authenticated and so the cert request only takes the shorter 5 seconds?
Seems this may be due to the library I’m using (https://github.com/dmathieu/sabayon) to request the certificate rather than due to the way Let’s Encrypt works, but I’m not sure. Can anyone comment?
It may depend how recently the previous certificate was issued. The ACME protocol has a concept of authorization (authz) which connotes authority to request certificates for a particular name. There is a period of time during which your client could reuse this authorization (whether it does depends on how the client is implemented) instead of obtaining a new one, which could make reissuance with an additional name faster because the DV challenges wouldn’t have to be re-performed for the existing names.
Apparently sabayon registers a new account with a fresh account key for every attempt to issue a certificate; this means there is no possibility to reuse existing authorizations (which are tied to the previous account key). This avoids the risk of leaking the account private key (which would allow the attacker to issue certificates for your domains while the authorizations are valid), but slows down the issuance process, as you noticed.
Currently authorizations are valid for 60 days, but there were some plans to decrease that time.
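A small model of the authorization-reuse logic described in the reply above (an added example, not code from this thread or from sabayon): authorizations are remembered per account key with the 60-day lifetime mentioned, so an order placed with the same account key re-challenges only the new name, while a freshly registered account key, or expired authorizations, re-challenge every name. The 5-second per-name cost and the domain names are constructed assumptions taken from the question.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

AUTHZ_LIFETIME = timedelta(days=60)  # authorization lifetime stated in the thread
CHALLENGE_SECONDS = 5                # assumed per-name DV challenge cost from the question


@dataclass
class Authorization:
    account_key_id: str   # authorizations belong to the account key that earned them
    domain: str
    validated_at: datetime

    def is_valid(self, now: datetime) -> bool:
        return now < self.validated_at + AUTHZ_LIFETIME


@dataclass
class AuthzCache:
    """Authorizations as the ACME server remembers them (constructed model)."""
    entries: list = field(default_factory=list)

    def record(self, account_key_id: str, domain: str, validated_at: datetime) -> None:
        self.entries.append(Authorization(account_key_id, domain, validated_at))

    def reusable_for(self, account_key_id: str, now: datetime) -> set:
        # Only unexpired authorizations tied to the *same* account key can be reused.
        return {a.domain for a in self.entries
                if a.account_key_id == account_key_id and a.is_valid(now)}


def plan_issuance(cache: AuthzCache, account_key_id: str, domains: list, now: datetime):
    """Return (names that must be challenged again, estimated seconds of DV work)."""
    reusable = cache.reusable_for(account_key_id, now)
    needs_challenge = [d for d in domains if d not in reusable]
    return needs_challenge, len(needs_challenge) * CHALLENGE_SECONDS


def demo() -> dict:
    """Constructed scenario from the question: 90 authorized names, one new name added."""
    now = datetime(2024, 1, 1)
    existing = [f"site{i}.example" for i in range(1, 91)]
    cache = AuthzCache()
    for d in existing:
        cache.record("key-A", d, now - timedelta(days=10))
    wanted = existing + ["new.example"]
    return {
        "same_key": plan_issuance(cache, "key-A", wanted, now),
        "fresh_key": plan_issuance(cache, "key-B", wanted, now),  # new account every run
        "same_key_expired": plan_issuance(cache, "key-A", wanted, now + timedelta(days=70)),
    }
```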
If the issue with registering a new account on every attempt were resolved, how long should I expect it to take to add 1 new domain to an existing cert of 90 domains? Still 455 seconds or would this be shortened?
I’m only concerned about the time it takes to add a new domain, rather than how long it takes to renew the certificate every 60 days.