Many people reported that dns challenge is required for a wildcard certificate. This has also been my experience, BUT...
I swear to god I managed to use http challenge for it ONE TIME, but next time it required dns challenge.
Now it gets wackier: last time, I didn't need ANY CHALLENGE at all to renew my wildcard certificate.
There have to be some conditions in the background, what are they explicitly?
If you renewed the cert within 30 days of its issuance ...
Ah ok, thanks, that answers it.
Would be handy though if the authorization cache period would align with the recommended renewal period. Doesn't the first reminder come after 60 days already?
I believe the BR actually allows for reuse up to 398 days, but that's ridiculous (at least for these automated DV-only certificates) so Let's Encrypt's policies limit themselves to only 30 days. (And they're considering shortening that time significantly to make their compliance easier.)
Let's Encrypt does try to send a reminder email when there are 20 days left (so after 70 days), but really that's a last-ditch effort that tells you that your automation is broken. In a well-working system, your certificate would already be renewed or you'd be getting alerts from your automation that it's failing well before then.
Hm, I think you're correct after reading section 4.2.1. The 30 days was from the token, but the token doesn't come into play any longer once the authz is valid.
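To make the behaviour discussed in this thread concrete, here is an added illustration (not code from the thread, from Let's Encrypt, or from any ACME client): given the authorization objects of an ACME order, it works out which names need a challenge and which are simply reused because the CA still holds a valid authorization for them, and it reports where a certificate stands relative to the 30-day renewal point and the 20-days-left reminder. The function names `plan_challenges` and `renewal_status`, the sample order and the timestamps are all constructed for the example; the ACME field names (`identifier`, `wildcard`, `status`, `expires`, `challenges`) follow RFC 8555.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical helpers written for this example; not an ACME client's API.

CERT_LIFETIME_DAYS = 90        # Let's Encrypt certificate lifetime
RENEW_AT_DAYS_LEFT = 30        # recommended renewal point (60 days in)
REMINDER_AT_DAYS_LEFT = 20     # expiry reminder email (70 days in)

# Constructed "now" and sample order, so the example runs offline.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_NOT_BEFORE = NOW - timedelta(days=70)   # a cert issued 70 days ago

# ACME encodes *.example.com as identifier "example.com" plus wildcard: true.
SAMPLE_AUTHZS = [
    {   # validated 5 days ago via dns-01; the CA reuses it, so no challenge
        "identifier": {"type": "dns", "value": "example.com"},
        "wildcard": True,
        "status": "valid",
        "expires": (NOW + timedelta(days=25)).isoformat(),
        "challenges": [{"type": "dns-01", "status": "valid"}],
    },
    {   # never validated: any offered challenge type is acceptable
        "identifier": {"type": "dns", "value": "www.example.com"},
        "status": "pending",
        "expires": (NOW + timedelta(days=7)).isoformat(),
        "challenges": [{"type": "http-01", "status": "pending"},
                       {"type": "dns-01", "status": "pending"},
                       {"type": "tls-alpn-01", "status": "pending"}],
    },
    {   # wildcard with no cached authz: only dns-01 may be used
        "identifier": {"type": "dns", "value": "api.example.com"},
        "wildcard": True,
        "status": "pending",
        "expires": (NOW + timedelta(days=7)).isoformat(),
        "challenges": [{"type": "dns-01", "status": "pending"}],
    },
    {   # constructed edge case: reported valid, but the expiry has passed
        "identifier": {"type": "dns", "value": "mail.example.com"},
        "status": "valid",
        "expires": (NOW - timedelta(days=1)).isoformat(),
        "challenges": [{"type": "http-01", "status": "valid"}],
    },
]


def _parse(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp as used in ACME 'expires' fields."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def display_name(authz: dict) -> str:
    """Turn an ACME identifier back into the name the user requested."""
    name = authz["identifier"]["value"]
    return "*." + name if authz.get("wildcard") else name


def plan_challenges(authzs: list, now: datetime) -> dict:
    """
    Decide, per authorization, what the client must do:
      'reuse'           - still valid and unexpired, so no challenge is needed
      'http-01'/'dns-01'- the challenge type to complete
      'unsatisfiable'   - nothing usable (expired, invalid, or no allowed type)
    Wildcard names may only be validated with dns-01; for other names prefer
    http-01 when the CA offers it, otherwise dns-01.
    """
    plan = {}
    for authz in authzs:
        name = display_name(authz)
        expires = _parse(authz["expires"])
        if authz["status"] == "valid" and expires > now:
            plan[name] = "reuse"
            continue
        if authz["status"] != "pending":
            plan[name] = "unsatisfiable"
            continue
        offered = [c["type"] for c in authz["challenges"] if c["status"] == "pending"]
        allowed = ["dns-01"] if authz.get("wildcard") else ["http-01", "dns-01"]
        plan[name] = next((t for t in allowed if t in offered), "unsatisfiable")
    return plan


def renewal_status(not_before: datetime, now: datetime) -> dict:
    """Where a 90-day certificate stands relative to renewal and reminder."""
    days_in = (now - not_before).days
    days_left = CERT_LIFETIME_DAYS - days_in
    return {
        "days_since_issue": days_in,
        "days_left": days_left,
        "renew_now": days_left <= RENEW_AT_DAYS_LEFT,
        "reminder_expected": days_left <= REMINDER_AT_DAYS_LEFT,
    }


if __name__ == "__main__":
    for name, action in plan_challenges(SAMPLE_AUTHZS, NOW).items():
        print(f"{name:22} -> {action}")
    print(renewal_status(SAMPLE_NOT_BEFORE, NOW))
```

In the sample order only `*.example.com` is skipped, which is exactly the "no challenge at all" renewal described above: the order was placed while the earlier dns-01 authorization was still within its validity window. The 70-day-old sample certificate lands in the state the reminder email warns about: past the 30-days-left renewal point, so something in the automation has already failed by the time the mail arrives.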