What are the conditions for challenges?

Many people reported that dns challenge is required for a wildcard certificate. This has also been my experience, BUT...

I swear to god I managed to use http challenge for it ONE TIME, but next time it required dns challenge.

Now it gets wackier: last time, I didn't need ANY CHALLENGE at all to renew my wildcard certificate.

There have to be some conditions in the background, what are they explicitly?

If you renewed the cert within 30 days of its issuance ...


ah ok thanks, that answers it.

It would be handy, though, if the authorization cache period aligned with the recommended renewal period. Doesn't the first reminder come after 60 days already?

  1. Due to the Baseline Requirements, a validation may not be cached longer than 30 days;
  2. Even if it were allowed to have valid authorizations with an unlimited lifetime, it doesn't make much sense to align the validation with the renewal period. Extending it to 60 days wouldn't make much sense, as it would take a few seconds for an ACME client to set everything up and thus it would probably JUST miss the cached validation. Extending the period to 90 days would mean you could get a SINGLE renewal with the cached validation, but every NEXT renewal would require a new authorization anyway. So the only thing you gain is a 50 % reduction in validations. And as Let's Encrypt is all about automation, this reduction of 50 % doesn't make much sense, as every validation would require no effort by the user anyway.

I believe the BR actually allows for reuse up to 398 days, but that's ridiculous (at least for these automated DV-only certificates) so Let's Encrypt's policies limit themselves to only 30 days. (And they're considering shortening that time significantly to make their compliance easier.)

Let's Encrypt does try to send a reminder email when there are 20 days left (so after 70 days), but really that's a last-ditch effort that tells you that your automation is broken. In a well-working system, your certificate would already be renewed or you'd be getting alerts from your automation that it's failing well before then.
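To make the conditions discussed in this thread concrete, here is an added, simplified model (not Let's Encrypt's or any ACME client's code) of how an ACME server decides whether an order needs a fresh challenge: a cached valid authorization for the same identifier younger than 30 days is reused, otherwise a challenge is required, and a wildcard identifier only ever gets dns-01. The identifiers, timestamps and the `plan_order` helper are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy value from the thread: a validation is reused for at most 30 days.
AUTHZ_REUSE_WINDOW = timedelta(days=30)


@dataclass
class Authorization:
    """A previously validated ACME authorization (one per identifier)."""
    identifier: str
    validated_at: datetime
    challenge_type: str  # "http-01" or "dns-01"


def offered_challenges(identifier: str) -> list[str]:
    """Challenge types the server offers for a brand-new authorization.

    Wildcard names can only be proven with dns-01; plain names may use
    http-01 or dns-01.
    """
    if identifier.startswith("*."):
        return ["dns-01"]
    return ["http-01", "dns-01"]


def is_reusable(authz: Authorization, identifier: str, now: datetime) -> bool:
    """True if a cached authorization covers this exact identifier and is
    still inside the reuse window. Note that "*.example.com" and
    "example.com" are different identifiers and are cached separately."""
    return (
        authz.identifier == identifier
        and now - authz.validated_at <= AUTHZ_REUSE_WINDOW
    )


def plan_order(identifiers: list[str], cached: list[Authorization],
               now: datetime) -> dict[str, object]:
    """For each identifier, return "cached" (no challenge needed) or the
    list of challenge types the client will have to complete."""
    plan: dict[str, object] = {}
    for ident in identifiers:
        hit = next((a for a in cached if is_reusable(a, ident, now)), None)
        plan[ident] = "cached" if hit else offered_challenges(ident)
    return plan


if __name__ == "__main__":
    # Constructed sample: wildcard validated via dns-01 on 10 Jan, renewal attempts later.
    cached = [Authorization("*.example.com", datetime(2024, 1, 10, tzinfo=timezone.utc), "dns-01")]
    print(plan_order(["*.example.com", "example.com"], cached, datetime(2024, 1, 31, tzinfo=timezone.utc)))
    print(plan_order(["*.example.com"], cached, datetime(2024, 3, 15, tzinfo=timezone.utc)))
```

Run the block to see the renewal inside the window skip the challenge entirely and the one after 30 days fall back to dns-01.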


Hm, I think you're correct after reading section 4.2.1. The 30 days was from the token, but the token doesn't come into play any longer once the authz is valid.

