Testing renewal in staging

I’m writing my own little ACME client, and it works quite well so far. It uses the DNS challenge in the staging environment. I’m able to create accounts and successfully issue and verify new certificates.

Now I want to implement the renewal functionality. But once an order has been finished, LE always provides the existing certificate, without re-validating the challenges. I know this is intended, but I want to test the renewal and therefore I need re-validating.

My understanding so far is: Protocol-wise there is no difference between issuing and renewal. When a cert is 60 days old, I get a new challenge. Am I wrong with this?

How do I force re-validation and therefore simulate renewal when my cert isn’t 60 days old?


I'm not sure.. but I think once a order has been full filled, it will not provide anything other than the certificate or error message...

You would need to request a new order... To be on renewal (that's why new order and renewal have no difference)

Thank you

Thanks for your reply.

That's what I do. I generate a new CSR and place a new order. But LE still considers my domains as verified and doesn't give me new challenges.

The only way to re-test the verification seems to be creating a new account every time. But this can't be intended. I need to implement/test renewal on an existing account without waiting 60 days.

I feel stupid since this seems to be a very basic problem and I just don't get it.

The “expires” field of an authorization shows when it will expire. Let’s Encrypt currently sets valid authorizations to expire after 30 days, but this could change in the future.

If you want to get rid of an authorization ahead of time, it can be deactivated. You either have to implement that, or switch accounts.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.