V2 API - number of authorizations after many renewals

Hi all

I’m doing some capacity planning to understand how many objects (orders, authorizations) do I have to track over time for long-lived certificates.

Given a certificate is issued via the API v2
When the certificate has been renewed 8 times over 2 years
Then will the order object be reused by Let’s Encrypt?
And how many authorisations could the order contain?

Best,
Marius

Orders that have been completed to the point of issuance will have a status equal to "valid". Valid orders aren't reused, only pending and ready.

That's dependent on the number of identifiers in the order.

I’m working with orders containing exactly one identifier.

For a pending order, containing one identifier, will there ever be more than one pending authorization?

Nope, always just one. If there is an existing pending (or valid) authorization for the same identifier under your ACME account it may be reused instead of creating a new pending authorization but there will never be more than one authorization returned by Let's Encrypt's RFC 8555 implementation if there is only one identifier in the new order request.

All of the above is specific to Let's Encrypt and not ACME generally. RFC 8555 doesn't specify any object reuse and doesn't dictate how the server decides what authorizations are required for the identifiers in a new order request.

Hope that helps,

By and large, you shouldn’t have to track orders or authorizations at all. Your client should make detailed logs, but you don’t need to keep a database of orders or authorizations. If you look at how most ACME clients are implemented, they probably just use the order and authorization information given by the ACME server in the moment, and don’t save it permanently.

Edit:

For a high volume, automated implementation (e.g. a web hosting company), it might be worth tracking failed authorizations and orders. So that, for example, if a customer’s domain expires, you might automatically stop trying to renew their certificate. (For a low volume implementation, you can just have sysadmins manually investigate things, and the data store doesn’t need to be very clever.)

And you may want to at least temporarily keep track of pending authorizations to avoid the pending authorization rate limit – under normal circumstances, the only pending authorizations on your account should be for certificate requests that are actively in progress. But depending on your client’s error handling (like if one challenge fails) – or if something worse happens like the computer coincidentally crashing while the ACME client is running – and how many certificates it tries to get in parallel and in what order, you can leak enough pending authorizations to eventually run into trouble.

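The pending-authorization leak described in the previous reply can be audited client-side. The following is an added example, not code from the thread or from any ACME client: it assumes the client has kept a log of the order and authorization objects it created (RFC 8555 sections 7.1.3 and 7.1.4, passed in here as plain dicts) and flags pending authorizations that no in-progress order still references, so they can be deactivated rather than left to count against the limit.

```python
"""Find pending ACME authorizations that no active order still references.

Added example (assumption-based): order and authorization objects are the
JSON shapes from RFC 8555, already fetched and decoded into dicts.
"""
from datetime import datetime, timezone

# Order statuses in which work is genuinely still in progress (RFC 8555 7.1.6).
ACTIVE_ORDER_STATUSES = {"pending", "ready", "processing"}


def leaked_pending_authzs(orders, authzs, now=None):
    """Return URLs of pending, unexpired authorizations not tied to an active order.

    orders: list of order dicts with "status" and "authorizations" (a list of URLs).
    authzs: dict of authorization URL -> authorization dict with "status", "expires".
    Expired pending authorizations are skipped: the server retires those itself.
    """
    now = now or datetime.now(timezone.utc)
    referenced = set()
    for order in orders:
        if order.get("status") in ACTIVE_ORDER_STATUSES:
            referenced.update(order.get("authorizations", []))
    leaked = []
    for url, authz in authzs.items():
        if authz.get("status") != "pending" or url in referenced:
            continue
        expires = datetime.fromisoformat(authz["expires"].replace("Z", "+00:00"))
        if expires > now:
            leaked.append(url)
    return sorted(leaked)


def deactivation_requests(urls):
    """Payloads to POST to each leaked authorization URL (RFC 8555 7.5.2)."""
    return [(url, {"status": "deactivated"}) for url in urls]


# Constructed sample data: authz/1 belongs to an order still in progress,
# authz/2 was orphaned when the client lost its order (e.g. a crash mid-run),
# authz/3 is a leftover that has already expired and needs no action.
SAMPLE_ORDERS = [
    {"status": "pending", "identifiers": [{"type": "dns", "value": "a.example"}],
     "authorizations": ["https://acme.example/authz/1"]},
]
SAMPLE_AUTHZS = {
    "https://acme.example/authz/1": {"status": "pending", "expires": "2030-01-01T00:00:00Z"},
    "https://acme.example/authz/2": {"status": "pending", "expires": "2030-01-01T00:00:00Z"},
    "https://acme.example/authz/3": {"status": "pending", "expires": "2000-01-01T00:00:00Z"},
}
```

Running this after each client run (or after an unexpected restart) and deactivating what it reports keeps the account's pending authorizations limited to requests that are actually in flight.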
I fall into the “hosting company” category so thanks for the excellently pointed out “pending authorizations rate limit” tip!
