I relocated and my new internet provider blocks port 80 among others. Therefore I am considering to switch to dns based validation, but I wonder whether this essentially requires to reissue all my certificates (a three digit number) or whether I can switch them with a script.
I also created the DNS record manually for now, following the guide @ https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04, but that have to be changed and at what frequence, or is that kind of permanent?
Thanks, Joachim
2 Likes
Once a certificates is issued, it is no longer bound to the way it was obtained.
[not sure it ever even was - but that is subjective]
DNS TXT authentication records are not a permanent one-time entry.
Each time the ACME client makes a renewal request a new TXT record will be negotiated and must be placed (superseding the previous one) into the expected DNS record.
The frequency is directly linked to your renewal schedule.
Again, you can't possibly know the TXT record that will be required at the next renewal; so there is no way to put that information in there beforehand.
You need to read and better understand the DNS challenge type and how it is handled.
[which, in order to fully automate, requires that the DNS service provider allow for DNS updates via API]
3 Likes
Thanks, but still wondering...
a) renewal configuration contain a reference to the authenticator used - is this ignored during renewal?
b) the guide I referenced uses CNAME rather than TXT records - which is not in RFC 8555. just don´t know whether this addresses the TXT update or not.
Actually I figured out that the blocking of ports by an ISP violates EU regulation 2015/2120. I really hope this blocking disappears soon..
Thanks, Joachim
2 Likes
a) No, the information from the last renewal/issuance is reused.
b) CNAMEs merely "divert" DNS requests to another "location".
TXT records contain actual information (in a plain TEXT format).
2 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.