Why do different Let's Encrypt orders return the same challenge?

I generated two orders for one domain name under the same account simultaneously, but the challenge tokens returned by the two orders are the same. Is this situation correct? Suppose I am a service provider providing free certificates to my customers. In that case, this means that when two of my customers apply for one certificate simultaneously, those who do not have control over the domain name can also obtain the corresponding certificate. If an account is created for each user separately, the problem of rate limiting is not easy to solve either, and there are restrictions such as IP when creating an account. Has anyone encountered the same problem?

This is “order reuse”: if the same account creates two identical calls to NewOrder, the same order will be reused.

As a service provider, you’ll have to make sure you keep your customers separate, for example by disallowing the same domain on multiple accounts.

6 Likes

LE reuses authorizations too, so the server likely skips validation for names already validated for that account for about a month.

3 Likes

I do hope you have some kind of check if a customer is allowed to request certs for e.g. whitehouse.gov before you send the request to the ACME server, right?

1 Like

Yeah, it's not your customers that are creating the certificate order, you are. They just asked via your service, but your service completed the request for them. If you enable it, they can do it.

3 Likes
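An added example (not code from this thread or from Let's Encrypt) of the provider-side separation the replies above describe. The `AcmeAccountSim` class is a constructed stand-in for one ACME account that returns the same order and challenge token for identical NewOrder calls; `ProviderGate` is a hypothetical ownership registry that refuses a second customer's request for a domain already claimed, so the duplicate never reaches the shared account. Domain and customer names are constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AcmeAccountSim:
    """Constructed stand-in for a single ACME account (not a real client).
    Models the thread's point: an identical NewOrder from the same account
    reuses the existing order, so both callers see the same token."""
    orders: dict = field(default_factory=dict)  # identifier tuple -> (order_id, token)

    def new_order(self, identifiers):
        key = tuple(sorted(d.lower() for d in identifiers))
        if key not in self.orders:  # first caller creates the order
            self.orders[key] = (f"order-{len(self.orders) + 1}", secrets.token_urlsafe(16))
        return self.orders[key]  # later identical calls get the same order back


class ProviderGate:
    """Hypothetical per-provider registry mapping each domain to the customer
    who first claimed it. A real provider would populate this from its own
    proof-of-control check, never from the ACME challenge result."""

    def __init__(self, account):
        self.account = account
        self.owner = {}  # domain -> customer

    def request_cert(self, customer, domains):
        names = [d.lower() for d in domains]
        # Refuse if any name is already owned by a different customer.
        blocked = [d for d in names if self.owner.get(d) not in (None, customer)]
        if blocked:
            return None  # nothing is sent to the ACME account
        for d in names:
            self.owner.setdefault(d, customer)
        return self.account.new_order(names)


def demo():
    """Shows order reuse on a bare account, then the gate stopping it."""
    shared = AcmeAccountSim()
    tok_a = shared.new_order(["example.com"])[1]
    tok_b = shared.new_order(["example.com"])[1]  # same token: order reused
    gate = ProviderGate(AcmeAccountSim())
    alice = gate.request_cert("alice", ["example.com"])
    bob = gate.request_cert("bob", ["EXAMPLE.com"])  # blocked before NewOrder
    return {"reused_token": tok_a == tok_b, "alice": alice, "bob": bob}
```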

Also, be sure to read through the Integration Guide:

And many of these kinds of specifics, of how Let's Encrypt implements the ACME spec, are also documented:

4 Likes
