Wild Card SSL Renew

Hello there, I just want to know: do we need DNS validation again when my wildcard SSL expires after 90 days? Do we need to update the TXT record in DNS again?

FYI: I am using the acme.sh client for Let's Encrypt wildcard SSL.

Is there any way to renew certs before expiry?

Yes.

Yes, but why would you want to do that?

2 Likes

I am handling an application and don't want the client's certs to get expired, so would the renew process be the same as the one we do to generate the wildcard SSL?

If you look at the Integration Guide - Let's Encrypt in the LE documentation, you'd see LE recommends renewing after 60 days of the 90-day certificate lifetime.

By the way, I misunderstood your previous post about "early renewal". I thought you meant to force a renewal before 60 days into the lifetime of a cert. Obviously a certificate shouldn't first expire before renewal.

Technically a renewal is just a new, regular issuance of a certificate. The difference is that a renewal contains the same hostnames as an earlier certificate. This is relevant for rate limit calculations. But otherwise, technically, a first certificate and a renewal are exactly the same.

3 Likes

OK, when we renew our wildcard cert between 60 and 90 days of validation, do I need to update the TXT record for DNS validation?

Or can it be renewed using acme.sh CLI commands?

Valid authorizations are cached for just 30 days. Every renewal, when done properly (i.e. after 60 days of the lifetime), requires a new authorization and thus a new TXT record.

I'm not sure what you mean by this. acme.sh should have some kind of CLI command for the renewal, if it is not done through a systemd timer or cronjob. Just adding a TXT record to your DNS (what value are you going to add?) is obviously not enough; renewing is done by an ACME client, which would coordinate the adding and removing of the required TXT records, preferably automated.

2 Likes

So to renew a cert I don't need any TXT record until 30 days, right?

After 30 days I need to update a new TXT record in DNS?

Yes, of course we are using an ACME client for that; I am using the acme.sh client. It also has CLI commands itself.

But the main concern is: to renew a cert I don't need any TXT record until 30 days, right?
After 30 days I need to update a new TXT record in DNS? That's what you were saying in the previous message.

Correct, but there is no reason at all to renew at that moment, as your certificate is valid for 90 days. Also, by renewing using a cached valid authorization, you don't magically "reset" the time that valid authorization will be valid: it's 30 days from the original validation, not 30 days since its last usage for a renewal. So even if you'd force a renewal e.g. on day 29 of the original certificate with the cached validation, you won't be able to force a renewal on day 31 of the original certificate, as the original cached validation would have been expired and the renewal on day 29 wouldn't magically have generated a new valid authorization: it just used the old one.

So even if you'd use a cached validation, ultimately you would need to get a new one. Therefore, there is absolutely no reason at all to renew a certificate in the first 30 days!

Yes.

There's no need for "concern". A properly timed renewal just requires a new valid validation, and for wildcards that requires a new TXT record. It's just part of how it works. Hostnames need to be validated properly or Let's Encrypt would lose its status as a public certificate authority, as it needs to abide by certain rules, which include validation of hostnames.

4 Likes
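To make the authorization-caching argument in the reply above concrete, here is a small added Python model; it is not code from this thread or from acme.sh. It assumes only the numbers stated in the replies (authorizations reusable for 30 days from the original validation, renewal recommended at day 60 of a 90-day lifetime) and that reusing a cached authorization does not extend its expiry; the hostnames and dates are constructed sample values.

```python
from datetime import date, timedelta

# Values as stated in the thread (assumed, not queried from Let's Encrypt).
CERT_LIFETIME_DAYS = 90
RENEW_AFTER_DAYS = 60      # recommended renewal point in the lifetime
AUTHZ_CACHE_DAYS = 30      # how long a valid DNS-01 authorization may be reused


class AuthzCache:
    """Tracks the date of the most recent *fresh* validation per identifier.
    Reusing a cached authorization never refreshes that date."""

    def __init__(self):
        self._validated_on = {}

    def is_valid(self, name, today):
        v = self._validated_on.get(name)
        return v is not None and today < v + timedelta(days=AUTHZ_CACHE_DAYS)

    def validate(self, name, today):
        self._validated_on[name] = today


def renew(cache, names, today):
    """Issue or renew a certificate for `names` on `today`.
    Returns the identifiers that needed a new TXT record (fresh validation)."""
    needs_txt = {n for n in names if not cache.is_valid(n, today)}
    for n in needs_txt:
        cache.validate(n, today)   # only these get a new 30-day window
    return needs_txt


def renewal_due(issued_on, today):
    """True once the certificate is at least RENEW_AFTER_DAYS old."""
    return today >= issued_on + timedelta(days=RENEW_AFTER_DAYS)


def simulate():
    """Replays the day-29 / day-31 scenario from the thread.
    Each entry is (day, sorted identifiers that needed a TXT record)."""
    names = ("example.com", "*.example.com")   # constructed sample hostnames
    cache = AuthzCache()
    day0 = date(2024, 1, 1)                     # constructed issuance date
    log = [(0, sorted(renew(cache, names, day0)))]
    # Day 29: forced renewal reuses the cached authorizations, no TXT needed.
    log.append((29, sorted(renew(cache, names, day0 + timedelta(days=29)))))
    # Day 31: the day-0 validation has expired; day 29 did not renew it.
    log.append((31, sorted(renew(cache, names, day0 + timedelta(days=31)))))
    return log
```

Running `simulate()` shows both identifiers needing TXT records on day 0 and day 31 but none on day 29, which is why an early forced renewal buys nothing.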

Got it, thank you for this quick information.
I appreciate it!!

2 Likes

You should review the DNS plugins acme.sh provides.
If your DSP (DNS Service Provider) is covered, then the renewals can be automated.

1 Like
