The dns challenge entry can be immediately cleared out, right?


#1

i’m looking at moving to the dns challenge for our development/staging certificates.

i haven’t found much docs on it, and I assume the entry can be cleared out immediately but wanted to be sure.


#2

Yes, once the authorization status is “valid,” you can clear out the DNS entry. Note: Don’t clear it out in response to receiving the DNS query, because there may be multiple queries in the future.


#3

Thanks for the fast reply. Do you mean “valid” as in “I got the cert”? Or could it be revoked a week later?

The usage I’m looking at is a script that does the following:

  1. Starts ACME challege
  2. updates DNS via API
  3. Tells ACME to check
  4. Gets cert
  5. Clears out DNS via API

we use LE certs on developer workstations to mimic the production stack, and the current system is annoying:

  1. update dns to public machine
  2. wait
  3. run certbot to grab the cert
  4. reset dns to 127.0.0.1 or lan ips
    5 deploy certs

#4

Technically, “valid” meaning when the Let’s Encrypt API says that the authorization’s status has shifted from “pending” to “valid”. That’s between steps 3 and 4 in your list, a moment before the “I got the cert” part.

You can absolutely delete the DNS records as soon as you get the certificate – in fact, a few seconds earlier – and there will be no further checks and it will not result in revocation.


#5

You may be aware of this but certbot has hooks for that now.


#6

whoa. i use the hooks already, but did not know that cerbot supported DNS-01 yet. wow. now i don’t have to use this third party library that i’m not crazy for!


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.