Hello there, I just want to know: do we need DNS validation again when my wildcard SSL expires after 90 days? Do we need to update the TXT record again in DNS?
FYI: I am using the acme.sh client for Let's Encrypt wildcard SSL.
I am handling an application and don't want the client's certs to get expired, so would the renewal process be the same as the one we use to generate the wildcard SSL?
If you look at the Integration Guide - Let's Encrypt from the LE documentation, you'd see LE recommends renewing after 60 days of the 90-day certificate lifetime.
By the way, I misunderstood your previous post about "early renewal". I thought you meant to force a renewal before 60 days into the lifetime of a cert. Obviously a certificate shouldn't first expire before renewal.
Technically a renewal is just a new, regular issuance of a certificate. The difference is that a renewal contains the same hostnames as an earlier certificate. This is relevant for rate limit calculations. But otherwise, technically, a first certificate and a renewal are exactly the same.
Valid authorizations are cached for just 30 days. Every renewal, when done properly (i.e. after 60 days of the lifetime), requires a new authorization and thus a new TXT record.
I'm not sure what you mean by this. acme.sh should have some kind of CLI command for the renewal, if not done through a systemd timer or cronjob. Just adding a TXT record to your DNS (what value are you going to add?) is obviously not enough, renewing is done by an ACME client, which would coordinate the adding and removing of the required TXT records, preferably automated.
Yes, of course we are using an ACME client for that; I am using this acme.sh client. It also has CLI commands itself.
But the main concern is: to renew a cert I don't need any TXT record till 30 days, right?
After 30 days I need to update a new TXT record in DNS? That's what you were saying in the previous message.
Correct, but there is no reason at all to renew at that moment, as your certificate is valid for 90 days. Also, by renewing using a cached valid authorization, you don't magically "reset" the time that valid authorization will be valid: it's 30 days from the original validation, not 30 days since its last usage for a renewal. So even if you'd force a renewal e.g. on day 29 of the original certificate with the cached validation, you won't be able to force a renewal on day 31 of the original certificate, as the original cached validation would have been expired and the renewal on day 29 wouldn't magically have generated a new valid authorization: it just used the old one.
So even if you'd use a cached validation, ultimately you would need to get a new one. Therefore, there is absolutely no reason at all to renew a certificate in the first 30 days!
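The cached-authorization argument in the post above is easy to get wrong, so here is a small model of it, added as an example and not part of the original thread or of acme.sh. It tracks, per hostname, the day of the last successful validation and treats an authorization as reusable only for 30 days from that original validation (never from its last reuse), with the 90-day lifetime and the 60-day renewal point from the thread. The `_acme-challenge` record name construction follows the DNS-01 challenge; the 30/60/90 constants, the `AcmeAccountState` type and the day numbering are this example's assumptions, not acme.sh internals.

```python
"""Model of Let's Encrypt authorization caching versus renewal timing.

Added example: it simulates the rule described in the thread, it does not
talk to any ACME server and is not acme.sh code.
"""
from dataclasses import dataclass, field

CERT_LIFETIME_DAYS = 90       # Let's Encrypt certificate lifetime (thread)
AUTHZ_CACHE_DAYS = 30         # valid authorizations are reusable for 30 days (thread)
RECOMMENDED_RENEWAL_DAY = 60  # LE recommends renewing at day 60 (thread)


def challenge_record(host: str) -> str:
    """DNS-01 TXT record name for a hostname.

    A wildcard `*.example.com` is validated through the base name, so the
    record is `_acme-challenge.example.com`, the same as for `example.com`.
    """
    base = host[2:] if host.startswith("*.") else host
    return f"_acme-challenge.{base}"


@dataclass
class AcmeAccountState:
    """Hypothetical per-account view of cached authorizations (assumption)."""
    # hostname -> day (relative to first issuance) of the last real validation
    validated_on: dict = field(default_factory=dict)

    def authz_valid(self, host: str, day: int) -> bool:
        """True if a cached authorization for `host` is still usable on `day`.

        The clock starts at the ORIGINAL validation; reusing the cached
        authorization for a renewal does not restart it.
        """
        v = self.validated_on.get(host)
        return v is not None and day < v + AUTHZ_CACHE_DAYS

    def order(self, hosts: list[str], day: int) -> list[str]:
        """Place an order (issuance or renewal) on `day`.

        Returns the hostnames that need a fresh validation, i.e. for which
        the ACME client must publish a new `_acme-challenge` TXT record.
        Hosts with a still-valid cached authorization are skipped silently.
        """
        needs_txt = []
        for host in hosts:
            if not self.authz_valid(host, day):
                needs_txt.append(host)
                self.validated_on[host] = day  # new validation, new 30-day window
        return needs_txt


def renewal_timeline(hosts: list[str], renewal_days: list[int]) -> dict[int, list[str]]:
    """Issue on day 0, then renew on each of `renewal_days`.

    Returns {renewal_day: hosts that needed a new TXT record on that day}.
    """
    state = AcmeAccountState()
    state.order(hosts, 0)  # first issuance always validates everything
    return {day: state.order(hosts, day) for day in renewal_days}


if __name__ == "__main__":
    names = ["*.example.com", "example.com"]  # constructed sample SAN list
    # Forced early renewals, as discussed in the thread: day 29 reuses the
    # cached authorization, day 31 does not, because the cache is counted
    # from day 0 and was not refreshed by the renewal on day 29.
    for day, hosts in renewal_timeline(names, [29, 31]).items():
        print(f"day {day:3}: new TXT records needed for {hosts or 'nothing'}")
    # Properly timed renewals: every 60 days, so every one needs a new record.
    for day, hosts in renewal_timeline(names, [60, 120, 180]).items():
        print(f"day {day:3}: {[challenge_record(h) for h in hosts]}")
```

Run as a script it prints which renewals need a new `_acme-challenge` record; the two schedules show why a forced renewal inside the first 30 days buys nothing, since the next one will need DNS validation anyway, while renewals at the recommended 60-day interval need it every time. The DNS record must be created and removed by the ACME client (acme.sh with a DNS API hook, or its manual mode), not by hand-editing a fixed value into the zone.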
Yes.
There's no need for "concern". A properly timed renewal just requires a new valid validation, and for wildcards that requires a new TXT record. It's just part of how it works. Hostnames need to be validated properly or Let's Encrypt would lose its status as a public certificate authority, as it needs to abide by certain rules, which include validation of hostnames.