The lifecycle of a valid authorization

munmar · September 5, 2019, 2:17pm

Hi

RFC 8555 - Automatic Certificate Management Environment (ACME) says

Note that just because an authorization URL is listed in the
"authorizations" array of an order object doesn't mean that the
client is required to take action. There are several reasons that
the referenced authorizations may already be valid:

o The client completed the authorization as part of a previous order

What can be said about how Let's Encrypt reuses authorizations?
Once valid, how long will an authorization be reused for?

Best,
Marius

Phil · September 5, 2019, 6:44pm

@munmar,

An authorization aka authz is valid for 30 days and that value is set via the RA configuration.
Example: https://github.com/letsencrypt/boulder/blob/master/test/config-next/ra.json#L10-L11

mnordhoff · September 5, 2019, 10:44pm

However, that may change in the future. There is no guarantee that an authz will be valid for 30 days. The number may be changed, or some authorizations may be deactivated unexpectedly.

An ACME client should always be prepared to validate again, rather than counting on authz reuse.

munmar · September 6, 2019, 2:38pm

Thanks for the details - it all sounds more or less how I imagined it to be.
I’ll be making no assumptions and be ready to validate around the clock

system · October 6, 2019, 2:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.