Hi, Please allow me to apologise in case I later find more details about this question. However, a great deal of what I find seems related to HTTP challenges.
About 80 days ago, I went through a great deal of re-configuration on my server to allow me to use a wildcard certificate from Let's Encrypt to handle both web site traffic and also e-mail exchanges. It has been working great and now it's time to renew. Whoops. It got complicated.
I have full control over my DNS server, as I run my own fully. This was the biggest challenge I had in getting up and running initially, but it's done and I was ready to implement auto-renewals. However, I seem to find that what I expected to take place is not quite what is actually happening. I would be very grateful for some guidance.
When I was issued the initial certificate, I placed the _acme-challenge record into my DNS, the auth succeeded and off I went using the certificate.
I expected that when it came time to renew I would request a renewal and then have to change the DNS _acme-challenge record. I DELETED THE ORIGINAL record. I am using uacme and trying to script the auto-renewal. The script I have from uacme started complaining that it could not find an _acme-challenge record. As I had deleted the original, I created an empty record. This is also not accepted. In the process I hit rate limits and now I have a week to wait.
I moved over to the staging area (should have done this to start, d'oh), but there I managed to manually create a new certificate and manually entered its _acme-challenge record on my DNS. All went well, as a test, but I wanted to emulate what happens if I force a renewal.
It was not as I expected. It seems that the renewal is possible without needing to change the _acme-challenge on my DNS server. This was totally unexpected and leads me to believe that without the original _acme-challenge AUTH key which is associated with my REAL certificate, I will not be able to renew that certificate and I will be forced to start again. That is of course unless I can extract the _acme-challenge key from the certificate?
If anyone could take a moment to run me through what happens when, at which point in the life of a new, renewed or revoked certificate, the _acme-challenge record is actually queried by Let's Encrypt.
I am not seeing requests for the record on my DNS server when I revoke and then issue a new certificate in the staging area. I assume that the record is cached in the DNS system and I do not see that Let's Encrypt is actually testing it.
However, I expected a new AUTH key every time I issued or renewed a certificate. I think this was an invalid assumption.
All the best
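As an added example (not part of the post above, and not uacme's own code), the following computes the DNS-01 TXT record value the way RFC 8555 §8.4 defines it: a SHA-256 of the challenge token joined to the ACME account key's JWK thumbprint (RFC 7638). It shows why the value cannot be read out of a certificate: it depends only on the account key and a per-order token the CA hands out. The JWK and token below are constructed sample values, not a real key or a real challenge.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (sorted keys, no whitespace). Optional members such as
    'kid' are ignored, so they cannot change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.4: TXT value = base64url(SHA-256(token "." thumbprint)).
    A new token per authorization gives a new TXT value; the same account
    key with the same token always gives the same value."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def txt_record_name(identifier: str) -> str:
    """RFC 8555 §8.4: for a wildcard, the leading '*.' is dropped, so
    '*.example.com' and 'example.com' are validated at the same name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


# Constructed sample account key (not a real key) and challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14",
              "y": "c29tZS15", "kid": "ignored-by-thumbprint"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    # The record a DNS-01 hook would publish for this sample order.
    print(txt_record_name("*.example.com"), "IN TXT",
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the value is derived per token, a hook script should publish the value it is given for the current order rather than reusing or blanking an old record.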