Wanted to know the Let's Encrypt domain verification process hosted region

Hi @cpu @JuergenAuer @webprofusion I am using Let's Encrypt with CloudFront on AWS and we are allowing our users to add domains in our system. But when we add the domains in AWS CF it takes 15-20 mins to fully deploy in all the regions. And somehow we see that the domains are not fully propagated within 15-20 mins in the region where your server validates the domains for issuing the SSL certificate. Can you please help me with how we can speed up this process, or can I request AWS to first update the configurations in your region so that your server can validate the domains quickly and we can get the SSL quickly? We want to reduce the whole process timing :)

The production validation requests currently all [seem to] come from Salt Lake City (?), United States (from Viawest network).

But there’s no guarantee that they’ll stay that way. Multi-VA (validation from many vantage points) is probably going to be ported to production eventually. That, and they could start performing (or already perform) validations from their second location in Colorado.

Aren’t you bottlenecked by the speed at which Cloudfront propagates its distribution settings to edges? Are they really gonna re-engineer it for you?

It may require some clever thought and energy, but might be well worth the effort: You could use DNS to validate a whole lot quicker (almost instantly).

Of course you would require a prerequisite from your HTTPS customers - they would need to set up a record in their zone to CNAME to your authentication zone.

@rg305 we don’t want our customers' attention on this. We want everything behind the scenes and don’t want any sort of headache for them.

Then you would need a limited staging/processing environment.
That would restrict the location until the process completed and then you can spread it out globally.

@cpu and @JuergenAuer can you please check my case and give me any solution on this.

There’s not much Let’s Encrypt can do.

As @_az said, you can determine where Let’s Encrypt validates from now, but it is explicitly undocumented and unguaranteed, and will change in the future.

You can also approach it from the other direction, and consult your CloudFront or origin logs to see where Let’s Encrypt’s requests usually go.

But CloudFront’s network is growing too, and neither side can guarantee which PoPs requests will hit.

The only real solution is for Amazon to deploy changes globally more quickly, or for you to make some sort of architectural changes.


Hi @Jagjit

I'm not from Letsencrypt, I'm a freelancer, working in Berlin, Germany. I use Letsencrypt certificates in my own project.


It’s worthwhile to keep in mind that your user’s site is not reliably available to the world until it’s propagated to all regions. So you need to wait 15-20 minutes before telling your user the site is “ready” anyhow. Once it’s ready, it should only take a few seconds to request and install a certificate, assuming you have it automated. Does CloudFront give you an API to check for when your domains are propagated?


I assume this is using S3 buckets to store the website and HTTP challenge responses? It’s not a simple solution but if you can intercept /.well-known/acme-challenge/ HTTP requests you can supply the response directly from a cache you control (possibly in a specific region).

Something like, but not necessarily the same as: https://aws.amazon.com/blogs/networking-and-content-delivery/dynamically-route-viewer-requests-to-any-origin-using-lambdaedge/
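
The interception idea in the last reply, as an added example (not code from the thread or from AWS): a Lambda@Edge-style viewer-request handler that answers HTTP-01 challenges from a store you control and passes all other traffic through. The `lookup` function, the in-memory sample store, the token length cap and the host names are assumptions made for illustration.

```javascript
const PREFIX = '/.well-known/acme-challenge/';
// HTTP-01 tokens use only the base64url alphabet (RFC 8555, section 8.3).
// The 128-character cap is an assumption, not part of the RFC.
const TOKEN_RE = /^[A-Za-z0-9_-]{1,128}$/;

// Return { host, token } for a well-formed challenge request, otherwise null.
function parseChallenge(request) {
  if (request.method !== 'GET' || !request.uri.startsWith(PREFIX)) return null;
  const token = request.uri.slice(PREFIX.length);
  if (!TOKEN_RE.test(token)) return null; // rejects "../", "/", "%2e", empty
  const hostHeader = request.headers.host && request.headers.host[0];
  if (!hostHeader) return null;
  // Key the lookup by host as well as token, so a token stored for one
  // customer's domain is never served for another customer's domain.
  const host = hostHeader.value.toLowerCase().replace(/:\d+$/, '');
  return { host, token };
}

// Build a CloudFront generated-response object; no-store keeps edges from
// caching a challenge answer (or a 404 for a token that is about to exist).
function textResponse(status, statusDescription, body) {
  return { status, statusDescription, body, headers: {
    'content-type': [{ key: 'Content-Type', value: 'text/plain' }],
    'cache-control': [{ key: 'Cache-Control', value: 'no-store' }] } };
}

// lookup(host, token) is hypothetical: it resolves to the key authorization
// string held in the store you control, or undefined when there is none.
function makeHandler(lookup) {
  return async (event) => {
    const request = event.Records[0].cf.request;
    if (!request.uri.startsWith(PREFIX)) return request; // normal traffic
    const c = parseChallenge(request);
    const keyAuth = c ? await lookup(c.host, c.token) : undefined;
    return keyAuth ? textResponse('200', 'OK', keyAuth)
                   : textResponse('404', 'Not Found', 'not found');
  };
}

// Constructed sample data: a Map stands in for the regional store.
const store = new Map([
  ['shop.example.com/tok_ABC-123', 'tok_ABC-123.constructedThumbprint'],
]);
// When deployed, this would be exported as the function's handler.
const handler = makeHandler(async (host, token) => store.get(`${host}/${token}`));

function sampleRequest(host, uri, method = 'GET') {
  return { method, uri, headers: { host: [{ key: 'Host', value: host }] } };
}
```

The edge code itself still has to be deployed to every location before issuance starts; only the per-domain challenge data avoids the distribution rollout.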
