Step by Step Help on initial cert issuing and then updating using DNS-01

Hi, Please allow me to apologise in case, I later find more details about this question. However a great deal of what I find seems related to HTTP challenges.

About 80 days ago, I went through a great deal of re-configuation on my server to allow me to use a wildcard certificate from Lets Encrypt to handle both web site traffic and also e-mail exchanges. It has been working great and now its time to renew. Woops. It got complicated.

I have full control over my DNS server, as I run my own fully. This was the biggest challenge I had in getting up and running initially but its done and I was ready to implement auto-renewels. However I seems to find that what I expected to take place is not quite what is actually happenning. I would be very greatful for some guidance.

When I was issued the initial certificate, I placed the _acme-challenge record into my DNS, the auth succeeded and off I went using the certificate.
I expected the when it came time to renew I would request a renewel and then have to change the DNS _acme-challenge record. I DELETED THE ORIGINAL record. I am using uacme and trying to script the auto-renewel. The script I have from uacme, started complaing that it could not find an _acme -challenge record. As I deleted the original, I create an empty record. This is also not accepeted. In the process I hot rate limits and now I have a week to wait.
I moved over to the staging area (should have done this to start doooh), but there I managed to manually create a new certificate and manually entered ist _acme-challenge record on my dns. All went weel , as a test, but I wanted to emulate what happens if I force an renewel.
It was not as I expected. It seems that the renwel is possible without needing to change the _acme-challenge on my dns server. This was totally unexpcted and leads me to believe that without the original _acme-challenge AUTH key which is assocciated with my REAL certificate. I will not be able to renew that certificate and I will be forced to start again. That is of course unless I can extract the _acme-challenge key from the certificate?????

If anyone could take a moment run me through what happens when, at which point in the life of a new, renewed, revoked certificate the _acme-challenge record is actually queried by Lets Encrypt.
I am not seeing requests for the record on my DNS server when I revoke and then issue a new certificate in the staging area. I assume the the record is cached in the DNS system and I do not see that Lets Encrypt is actually testing it.

However I expected a new AUTH key ever time I issued, or renewed a certificate. I think this was an invalid assumption.

Please clarify.

All the best
Aidan

1 Like

When you successfully authorize a domain, the ACME server will not ask for new authorization for about a month.

1 Like

Valid authorizations are cached for 30 days, so you can renew without having to add a new TXT record for 30 days for a specific hostname, once an authorization for that hostname has been validated.

The tokens you need to add to the _acme-challenge TXT record are different for every authorization and is not directly connected to your certificate in any way.

No, only for a new authorization, not for a certificate specifically.

1 Like

Thanks guys, so things are a little more clear now.
However it is past 30days since the original issuance, therefore from what you are telling me. When I try again to renew this certificate, (after the damned rate-limiting has expired), I WILL be challenged through DNS again ..... and will therfore need to make sure nsupdate can in fact modify the _acme-challenge record.
Will I still need the original _acme-challenge AUTH KEY, or does this become irrelevant? I assume so after this 30 day 'cache' period.

Does this in fact mean that if you where to force a renewel repeatedly within this 30day 'cache' period, I would not need to do a DNS-01 challenge again. But once the initial 30 days or over, the renewel would expect to have a new DNS-01 challenge satisfied?

Is there any way to get the staging area to forget this 30 day challenge cache period. As I specifically want to test the auto-renew process on my systems. If my interpretation of your answers are correct, the only way I can test a renewal 'WITH DNS-01 CHALLENGE' is to wait 30 days after initail issuance and then try to renew, therby forcing a new AUTH KEY.

Thats a bit of a shame as I will not have this tested fully for my live certificate, which by the time the rate limiting resets, will have only 1 valid day remaining. :slight_smile: :slight_smile:
Thanks all.
Aidan

1 Like

Everytime you request a validation (challenge), the challenge key will be different.

You are "supposed" to validate every single time you request a certificate for each hostname. However, it's just cached for ~30 days at your ACME account. But, Yeah.

If you get the certificate first, then try to renew with staging, there shouldn't be any cache. (I don't remember the cache apply toward staging)

1 Like

Irrelevant, every new authorization requires a new token.

Correct. However, there's no need to force anything, that would only lead to more unnecessary load on the Let's Encrypt infrastructure. And therefore rate limits.

That depends on the capabilities of your ACME client. Certbot for example will first somehow (not sure how exactly) invalidate previously existing authorizations when it's envoked using the --dry-run option. However, you're using a different ACME client I'm not familiair with, so no idea if it also supports such a feature.

1 Like

Hi,

While it is possible to manually update your TXT record in DNS as you can see it can be error prone and a little confusing. Instead if you need DNS validation you should either script updates to your DNS or use CNAME redirection to DNS server that you can update (either a DNS services or acme-dns etc).

While you don't always have to change the TXT record value (for various reasons) you should generally expect it to be required for each renewal and you should seek to automate your DNS challenges as soon as possible.

For a linux client with extensive DNS provider support check out acme.sh (GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol). You can also script DNS challenge updates in uacme but you will need to come up with the script yourself. Certbot also has support for a few DNS providers. Posh-ACME can also be used and has extensive DNS support, if you have PowerShell installed (yes, PowerShell is cross platform).

2 Likes