Will renewal always require new DNS acme-challenge TXT?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sandbox.surplussales.com

I ran this command: Auto added to Task Scheduler by wacs: wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

It produced this output: So the task always says it completed successfully. I ran it manually and the wacs window keeps disappearing, so I finally managed to get a print screen. The first [EROR] is “Error preparing for challenge answer” but then it says “should not be needed in --renew mode”. Second [EROR]: “Renewal for LetsEncrypt-SandBox-PPIPN failed, will retry on next run”

My web server is (include version): IIS 8.0

The operating system my web server runs on is (include version): Win2012

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): wacs = 2.0.8.356 (ACMEv2)

Unable to figure out why the automation renewal keeps failing, I finally ran wacs manually with no command line arguments. I went through the “renew ALL” process and it requested I make additions and deletions for TXT records in my DNS. After doing this manually, I did successfully renew my cert.

What I am wondering, am I locked into doing this manually and creating/deleting records on two DNS servers each time? Was there a bug in 2.0.8.356 which prevented --renew from requiring DNS verification each time? (I hate changing versions - I understand the purpose, but it seems like I always have to start over from scratch each time – I know ACME is fairly new too, so maybe it gets better.)

Hi @CodeCharmer

Will renewal always require new DNS acme-challenge TXT?

General answer: Yes. If you want to create a new certificate (a renewed certificate is a new certificate with the same domain name and the same method), you have to create a new order -> new random value -> new DNS TXT entry.

Special answer: If you use the same account and the same system (test or production system), valid challenges are cached 30 days. So you don't need a new TXT entry.

Thanks @JuergenAuer!

So if I am understanding correctly, the solution is: I should not wait 80-90 days for the certificate to expire; I should change my Scheduled Task to run (renew the certificate) every 28 days in order to renew the certificate before the 30 day cache expires.

Thx

Issuing a new certificate doesn’t change the challenge’s expiration time; you could only do that once, and it would only buy you 28 days over your original certificate, for a total of 118 days.

Additionally, while validations are currently almost always cached for 30 days, it’s not guaranteed, and Let’s Encrypt may change it in the future.

No, that can't work.

Normally, use 60 - 80 days to start the renewal. If something doesn't work, you should have enough time to fix it. Don't wait 80 - 90 days.

Exactly—the 30 days is measured from the time that the TXT record was successfully validated, not from the time that any certificate was issued.


Others have explained why this won't do what you're expecting, but even aside from that, the usual recommendation is to run the renewal task daily--a sensible client will check the cert and see how long it's valid, and only do the renewal if it's valid for less than 30 days from the time you're running the task. Scheduling the task as you have it now risks having your cert expire if anything (network outage at your end, service interruption with Let's Encrypt, buggy config file, etc.) causes the one renewal task within the cert's validity window to fail.

As to your underlying problem, the real solution is to use a combination of client and DNS host that allows the former to programmatically make updates to the latter. Without that, DNS validation is going to be frustrating.

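The scheduling argument made in this thread, as an added Python model that is not from the thread, from wacs or from any ACME client: it encodes the 30-day authorization cache counted from the TXT validation (the observed value the replies describe, not a guarantee) and compares the poster's fixed 28-day schedule with a daily check that renews when less than 30 days of validity remain. The start date and the 90-day certificate lifetime are assumptions for the simulation.

```python
from datetime import date, timedelta

# The 30-day authorization cache is the observed Let's Encrypt behaviour
# described in the thread, not a guarantee; lifetime and window follow the thread.
CERT_LIFETIME = timedelta(days=90)
AUTHZ_CACHE = timedelta(days=30)
RENEW_WINDOW = timedelta(days=30)

class AcmeAccount:
    """Tracks one account's cached DNS-01 authorization and current cert."""
    def __init__(self):
        self.validated_on = None   # day the TXT record was last validated
        self.not_after = None      # current certificate expiry

    def issue(self, today):
        """Issue a cert; return True if a fresh TXT challenge was required."""
        # The cache counts from validation, not from certificate issuance.
        needs_txt = (self.validated_on is None
                     or today - self.validated_on >= AUTHZ_CACHE)
        if needs_txt:
            self.validated_on = today
        self.not_after = today + CERT_LIFETIME
        return needs_txt

def should_renew(not_after, today, window=RENEW_WINDOW):
    """Daily-job rule: renew only when less than `window` validity remains."""
    return not_after - today < window

def coverage_without_new_txt(renew_every_days, start=date(2019, 1, 1)):
    """Days of validity one TXT validation yields when the task blindly
    re-issues every `renew_every_days` days (the poster's 28-day plan)."""
    acct = AcmeAccount()
    acct.issue(start)
    day = start
    while True:
        day += timedelta(days=renew_every_days)
        if day - acct.validated_on >= AUTHZ_CACHE:
            return (acct.not_after - start).days
        acct.issue(day)

def daily_job(days, start=date(2019, 1, 1)):
    """Recommended daily check; returns (day offset, new TXT needed) events."""
    acct = AcmeAccount()
    events = [(0, acct.issue(start))]
    for offset in range(1, days + 1):
        today = start + timedelta(days=offset)
        if should_renew(acct.not_after, today):
            events.append((offset, acct.issue(today)))
    return events
```

`coverage_without_new_txt(28)` returns 118, the figure given above: one cached re-issue on day 28, then the cache has expired by day 56. `daily_job(200)` renews on days 61, 122 and 183 and needs a new TXT record each time, which is why the real fix is a client that can update the DNS zone itself.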
