Token has an expiration date?


#1

Hello, I am working on issuing certificates with the DNS-01 method,
and I am using the getssl client.

On my server, I run the getssl client, and the getssl client gives me a token,
which I then add at the Domain Name Server.
If that succeeds, Let’s Encrypt gives me a certificate.

  1. I wonder whether the token has an expiration time?
  2. Can I split the getssl client run into a part before the token is issued and a part after the user adds the TXT record at the user’s DNS provider?
     I want to do that using the same token.

Thanks for reading!


#2

Successfully solving the ownership challenge gives you what ACME calls an authorization (or authz). This resource has an expiration date. It’s currently set to 90 days in production, with plans to change it to something like 7 days in the future. “1 authz == 1 certificate issuance” is probably the best way to think about it (or rather that’s what’ll cause the least amount of work for you down the line :smile:).

The token itself will change for every new authorization, so in other words you’ll need to deploy a new token (create a TXT record) for every certificate you request (i.e.: at least every 90 days). If what you’re asking is: Can I create a TXT record manually at one point, and then just keep getting certificates for years to come? - the answer would be no. You’ll either need the ability to automatically create the TXT record through some sort of API, or be willing to manually take care of this at least once every 3 months. GetSSL seems to have scripts for a number of DNS providers, and in case yours is not on that list, take a look at lego, which has a pretty big collection as well.

Finally, in case I misunderstood your question: There’s also a timeout for pending authorizations, which is basically the maximum time you have to solve the challenge (create the TXT record and have the CA server check it). I believe this is currently set to 7 days, so that should be plenty of time to deploy the TXT record. I haven’t seen anyone mention plans to shorten this period significantly, but I would expect it wouldn’t go below at the very least an hour, so that should still be plenty of time for a TXT record to propagate.
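To make concrete why a TXT record is tied to one token (and one account key) and why an authorization stops being reusable once it expires, here is an added Python example; it is not code from this thread or from getssl. It derives the dns-01 TXT value the way RFC 8555 specifies and checks an authorization's `status`/`expires`; the account JWK and the authorization object are constructed sample data, not real keys or real Let's Encrypt output.

```python
import base64
import hashlib
import json
from datetime import datetime

# Constructed sample account key (NOT a real EC key) and a constructed
# authorization object shaped like an ACME authz resource (RFC 8555 section 7.1.4).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14LWNvb3Jk", "y": "c29tZS15LWNvb3Jk"}
SAMPLE_AUTHZ = {
    "status": "valid",
    "expires": "2017-05-30T00:00:00Z",  # 90 days after a constructed 2017-03-01 issuance
    "identifier": {"type": "dns", "value": "example.com"},
    "challenges": [{"type": "dns-01", "token": "AbCdEf0123456789-_constructedToken"}],
}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value to publish at _acme-challenge.<domain>: base64url(SHA-256(token '.' thumbprint)).
    A new token or a new account key changes it, so an old record cannot be reused."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def parse_rfc3339(ts: str) -> datetime:
    """ACME timestamps are RFC 3339; map the 'Z' suffix to an explicit UTC offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def authz_usable(authz: dict, now_rfc3339: str) -> bool:
    """Reuse an authorization only while it is 'valid' and 'expires' is still in the future."""
    expires = parse_rfc3339(authz["expires"])
    return authz["status"] == "valid" and expires > parse_rfc3339(now_rfc3339)

if __name__ == "__main__":
    token = SAMPLE_AUTHZ["challenges"][0]["token"]
    print("TXT _acme-challenge.example.com:", dns01_txt_value(token, ACCOUNT_JWK))
    print("authz usable on 2017-03-02?", authz_usable(SAMPLE_AUTHZ, "2017-03-02T00:00:00Z"))
    print("authz usable on 2017-06-01?", authz_usable(SAMPLE_AUTHZ, "2017-06-01T00:00:00Z"))
```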
