Validation Of Let's Encrypt


#1

It appears that letsencrypt no longer, as of a couple months ago, validates domains lacking the xxx.domain.com (where xxx is, for example, www). If you try to get a cert for multiple domains and any one of those lacks the first part (the xxx), then the whole cert fails. That’s reasonable. You don’t issue a multi-domain cert if any of the validations for any of the domains fail. That would be fine; however, the validation process does not tell you which one fails, nor is there a user-friendly explanation anywhere that I could find that lays out the true cause and solution.

The obvious solution is to ensure that you always have the xxx part of xxx.domain.com and then ask for the cert.

Further, the validation process doesn’t just look at the DNS record; it appears to look at files on your web server for validation, such as trying to query the domain or writing to files. If a website itself is not configured to use the xxx part of the .com name, then the validation will fail in the same way, without explaining what it checked that actually caused the failure; instead it dumps a list of all domains claiming they all fail the validation.

Does anyone have a way around this? I don’t understand why I can’t add a simple domain .com to my cert instead of it requiring that I have xxx part of the to my cert.

I’d appreciate any advice. I’m sorry if I sound dumb in explaining that. It took me a while to figure out what was wrong and cert validation failures caused days of delay due to maximum validation retries (per 24 hours). It was/is frustrating to run into all these issues every 90 days.
Suresh Rao
Creator of My Talking Hank Mod


#2

If you can prove control of your domain (example.com), then you can get a certificate for example.com, and not only for anything.example.com.

Nothing has changed on Let’s Encrypt concerning that.

When experimenting you should use the staging area, to avoid these limits. Certificates generated using the staging area are NOT valid, but if you can generate them, it means you can generate the real ones.


#3

Hi Suresh,

Nothing related to this has changed recently.

Let’s Encrypt currently has two main validation methods to obtain a certificate.

The HTTP-01 validation requires you to create a file at a specific location on the corresponding web site. If that web site isn’t set up, you might not be able to do this.

The DNS-01 validation requires you to create a DNS TXT record with a specific value in the DNS zone for the corresponding domain name. There doesn’t need to be a web server or web site set up in order to do this.

The Let’s Encrypt CA always communicates which validation failed and some information about why. However, a given client application might not convey that information to the user in a useful way or show all of the details returned by the CA. There are dozens of different tools to obtain certificates from Let’s Encrypt, and each one can have different behavior. If you’re having trouble with a particular client application not giving you useful information, you’ll have to let us know which one.

Someone on the forum flagged your post because of the link to your app in your signature. I’ve marked your post as non-spam (and edited it to remove the link so that other people won’t flag it again), but please don’t use the forum to promote things that aren’t related to your problems or questions. Links posted here won’t improve search engine ranking because the forum software adds rel="nofollow" to every link to tell search engines not to consider these links for search ranking purposes.

Thanks!


#4

Hi @sureshrao

This is a problem of your client; it’s not a general limit. I am using my own client; with names like www.example.com, example.com is added automatically, because I only need combinations of example.com + www.example.com.

Check your logs. There should be order URLs like

https://acme-v02.api.letsencrypt.org/acme/order/yourAccountId/yourOrderId

Open it with a browser; you can follow the authorizations links. There you can see the validationRecord that was used, or that the http-01 challenge is valid while the other challenges are pending.

This is a limitation of some clients. My own client is able to send mails. So I would get a mail if something goes wrong.
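Posts #3 and #4 both make the same point: the CA records, per authorization, which challenge failed and why, and a client can surface that instead of listing every name as failed. The script below is an added example (not code from this thread or from any Let's Encrypt client) that walks an order in the object layout of RFC 8555 (order -> authorizations -> challenges, with `error` and `validationRecord` on a failed challenge) and reports the failing identifier. The order and authorization documents are constructed samples; the order URL path and the AUTHZ-A/AUTHZ-B identifiers are placeholders, and a real client would fetch each authorization URL over HTTPS rather than read it from a dict.

```python
"""Report which identifier in an ACME order failed validation, and how.

Added example for the discussion above; the documents below are constructed
samples in the RFC 8555 object shape, not real CA output.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample order, shaped like the JSON behind an order URL such as
# https://acme-v02.api.letsencrypt.org/acme/order/yourAccountId/yourOrderId
SAMPLE_ORDER: Dict = {
    "status": "invalid",
    "identifiers": [
        {"type": "dns", "value": "example.com"},
        {"type": "dns", "value": "www.example.com"},
    ],
    "authorizations": [
        "https://acme-v02.api.letsencrypt.org/acme/authz-v3/AUTHZ-A",  # placeholder id
        "https://acme-v02.api.letsencrypt.org/acme/authz-v3/AUTHZ-B",  # placeholder id
    ],
}

# Constructed authorization objects keyed by the URLs the order points at.
# The bare domain failed http-01 (the web server answered 404 for the token
# path); the www name validated fine. Addresses are from the documentation
# range 192.0.2.0/24.
SAMPLE_AUTHZ: Dict[str, Dict] = {
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/AUTHZ-A": {
        "identifier": {"type": "dns", "value": "example.com"},
        "status": "invalid",
        "challenges": [
            {
                "type": "http-01",
                "status": "invalid",
                "token": "TOKEN-A",
                "error": {
                    "type": "urn:ietf:params:acme:error:unauthorized",
                    "detail": "Invalid response from "
                              "http://example.com/.well-known/acme-challenge/TOKEN-A: 404",
                },
                "validationRecord": [
                    {
                        "url": "http://example.com/.well-known/acme-challenge/TOKEN-A",
                        "hostname": "example.com",
                        "addressesResolved": ["192.0.2.10"],
                        "addressUsed": "192.0.2.10",
                    }
                ],
            },
            {"type": "dns-01", "status": "pending", "token": "TOKEN-A2"},
        ],
    },
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/AUTHZ-B": {
        "identifier": {"type": "dns", "value": "www.example.com"},
        "status": "valid",
        "challenges": [
            {
                "type": "http-01",
                "status": "valid",
                "token": "TOKEN-B",
                "validationRecord": [
                    {
                        "url": "http://www.example.com/.well-known/acme-challenge/TOKEN-B",
                        "hostname": "www.example.com",
                        "addressesResolved": ["192.0.2.10"],
                        "addressUsed": "192.0.2.10",
                    }
                ],
            },
        ],
    },
}


def summarize_order(order: Dict, fetch_authz: Callable[[str], Dict]) -> List[Dict]:
    """One row per authorization: domain, status, and the failing challenge's
    type, error detail and the address the CA actually contacted (if any)."""
    rows = []
    for url in order["authorizations"]:
        authz = fetch_authz(url)  # a real client would HTTP GET / POST-as-GET this URL
        failed = [c for c in authz.get("challenges", []) if c.get("status") == "invalid"]
        row = {
            "domain": authz["identifier"]["value"],
            "status": authz["status"],
            "challenge": None,
            "error": None,
            "addressUsed": None,
        }
        if failed:
            chal = failed[0]
            records = chal.get("validationRecord") or [{}]
            row["challenge"] = chal["type"]
            row["error"] = chal.get("error", {}).get("detail")
            row["addressUsed"] = records[-1].get("addressUsed")
        rows.append(row)
    return rows


def failed_domains(rows: List[Dict]) -> List[str]:
    """Only the names whose authorization is invalid, not the whole order."""
    return [r["domain"] for r in rows if r["status"] == "invalid"]


if __name__ == "__main__":
    summary = summarize_order(SAMPLE_ORDER, SAMPLE_AUTHZ.__getitem__)
    for r in summary:
        print(f"{r['domain']:<20} {r['status']:<8} {r['challenge'] or '-':<8} "
              f"{r['addressUsed'] or '-':<12} {r['error'] or ''}")
    print("failed:", failed_domains(summary))
```

Run stand-alone it prints a per-name table showing that only `example.com` failed, on `http-01`, because the server at 192.0.2.10 returned 404 for the challenge path, which is exactly the information the original poster's client did not show. The `addressUsed` column is worth keeping: when the bare domain resolves somewhere other than the www host, that is usually where the mystery comes from.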


#5

There was another thread not too long ago making the same (incorrect) claim. When asked what made that poster think this was the case, he didn’t answer. Can you clarify why you believe this to be the case?


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.