How is certbot renew able to obtain a certificate when I have an Apache directive like this:
Require ip 192.168
This should and does block external source IPs, verified from a few public VPS instances.
Does the acme server combined with certbot cache results for a certain period before doing the actual renewal with a new http challenge? It reports success both with a --dry-run and with --force-renewal.
Note: I'm wondering WHY it DOES work...it shouldn't since I have no other challenges configured and external source IPs are blocked.
I don't have my DNS configured for dynamic updates. Note: I'm not asking HOW to make it work, I'm saying it DOES work and it shouldn't because I have all IPs blocked and other public requests are respected and blocked as far as I can see.
Yes, I'm using the Apache plugin. You're right about the source code too. I guess there are multiple factors at play here. That also correlates well with my experience since another server has renewed fine after many months with similar restrictions in place.
I have the IP restriction to limit login access while I test changes or developments. No need to proxy. Now that I know about it, this feature to remove restrictions from the virtual host is good, but so is documentation.
If I remember the details correctly from the ACME flow, Certbot doesn't know for sure whether the validation is cached. It could sort of figure it out (by observing that no challenge was required for proof of control of a particular name), but it's the certificate authority that's making that choice and determination, and the certificate authority isn't proactively sending a message saying "your authorization was cached".
To be more precise, the "cached validation" isn't something that's stored client-side by Certbot, but is more like an entry in Let's Encrypt's certificate authority databases. Certbot does have a private cryptography key representing an account that the user has with Let's Encrypt, but Certbot doesn't directly know exactly what permissions or authorization that account possesses at a given time. It can only observe the behavior of a certificate authority on particular occasions.
(Edit: I agree with the idea that this would be useful information for users to know! I'm just mentioning that I think it would be challenging, no pun intended, to provide that information in the current architecture.)
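To make the "cached validation" point above concrete, here is an added example (not code from this thread and not Certbot's own implementation) of how an ACME client could infer that an authorization was cached: it fetches the authorization objects listed in the order and notices that the CA already marks them "valid" without serving a challenge. The authorization objects below are constructed sample data in the shape defined by RFC 8555; the hostnames, URLs and tokens are placeholders, not real Let's Encrypt records.

```python
import json
from datetime import datetime, timezone

# Constructed sample: two RFC 8555 authorization objects, standing in for what a
# client gets back when it fetches each URL in an order's "authorizations" list.
# Not real Let's Encrypt data; names, URLs and tokens are placeholders.
SAMPLE_AUTHORIZATIONS_JSON = json.dumps([
    {
        # The CA already holds a valid authorization for this name: no challenge
        # will be required, which is what a "cached validation" looks like.
        "identifier": {"type": "dns", "value": "www.example.test"},
        "status": "valid",
        "expires": "2099-01-01T00:00:00Z",
        "challenges": [
            {"type": "http-01", "status": "valid",
             "url": "https://acme.example.test/chall/1", "token": "constructed-token-1"},
        ],
    },
    {
        # No prior authorization: the CA offers challenges that are still pending.
        "identifier": {"type": "dns", "value": "new.example.test"},
        "status": "pending",
        "expires": "2099-01-01T00:00:00Z",
        "challenges": [
            {"type": "http-01", "status": "pending",
             "url": "https://acme.example.test/chall/2", "token": "constructed-token-2"},
            {"type": "dns-01", "status": "pending",
             "url": "https://acme.example.test/chall/3", "token": "constructed-token-3"},
        ],
    },
])


def _parse_expires(value):
    # ACME timestamps are RFC 3339; older Pythons do not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_authorizations(authz_json, now=None):
    """Sort an order's authorizations into those the CA already treats as
    authorized (no challenge will be served) and those that still need one.

    Returns {"cached": [(name, expires)], "challenge_required": [(name, [types])],
             "other": [(name, status)]}.
    """
    now = now or datetime.now(timezone.utc)
    result = {"cached": [], "challenge_required": [], "other": []}
    for authz in json.loads(authz_json):
        name = authz["identifier"]["value"]
        status = authz["status"]
        expires = _parse_expires(authz["expires"])
        if status == "valid" and expires > now:
            result["cached"].append((name, expires))
        elif status == "pending":
            pending_types = [c["type"] for c in authz.get("challenges", [])
                             if c.get("status") == "pending"]
            result["challenge_required"].append((name, pending_types))
        else:
            # "invalid", "expired", "deactivated", "revoked", or a stale "valid"
            result["other"].append((name, status))
    return result


def report_lines(result):
    """Render the classification as the kind of notice a client could print."""
    lines = []
    for name, expires in result["cached"]:
        lines.append(f"{name}: authorization cached by the CA, valid until "
                     f"{expires.isoformat()} (no challenge will be performed)")
    for name, types in result["challenge_required"]:
        lines.append(f"{name}: challenge required, offered types: {', '.join(types)}")
    for name, status in result["other"]:
        lines.append(f"{name}: authorization status {status}, a new order is needed")
    return lines


if __name__ == "__main__":
    for line in report_lines(classify_authorizations(SAMPLE_AUTHORIZATIONS_JSON)):
        print(line)
```

The client never learns the CA's caching policy itself; it only sees that an authorization arrived already "valid". That is exactly the observation-based inference described above, and it is the hook a client would need to print a "your authorization was cached" notice.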
Yeah, I would even expect that kind of notification without -v but I like technical details (without debug dumps) in general. Thanks for the input, you've given me some clues on what and how to look for other details.