Will you allow overlapping certificate requests?


#1

Will you grant a request for a new cert for same FQDN, prior to the previous one expiring, without requesting a revocation?


#2

There might be some exceptions, but in the general case this will be allowed, and this is the behavior relied on by the renewer script.


#3

What’s that?
The domain?


#4

Fully qualified domain name. It’s the entire/full hostname of a computer including the domain it’s on.

For example this instance of Discourse is running on a host called community on the letsencrypt.org domain.

The FQDN of the host is community.letsencrypt.org.


#5

Ah okay. Thanks for the information.

And it’s good to hear that you can sign multiple certs before the old one expires.
This is for example very useful if you want to sign backup certs for HPKP.


#6

I took the question to mean would certificates for the following both be possible

community.letsencrypt.org
letsencrypt.org
www.letsencrypt.org

#7

You have listed three separate FQDNs, but in answer to what you thought was asked: yes - since LE won’t, initially, be supplying wildcard domain certificates you would have to get certificates for all three.


The OP was asking, using your example, if they already had certificates for the three domains listed, could they request new certificates for each without revoking the previous certificates.


#8

Actually, there’s an additional requirement to this than controlling the domain name.

If the LE server is aware of a previous certificate issued for the domain, you will be required to sign a Proof of Possession statement asserting that you have the private key for the already-issued certificate.

Certificate Transparency logs will be used to do that IIRC.


#9

CT logs, Rapid7's Sonar SSL scans, and the DSO will be used as sources for existing certificates.


#10

Oh nice. So much more than just CT logs…


#11

And if you know of another good source of data about certificate issuance, feel free to contribute it!


#12

If the LE server is aware of a previous certificate issued for the domain, you will be required to sign a Proof of Possession statement asserting that you have the private key for the already-issued certificate.

I’m wondering how this affects expired domains that have been re-registered?

Or do CAs revoke certificates automatically when domains expire?


#13

Hi @georgeappiah, right now Let’s Encrypt doesn’t have a way to automatically detect events related to expiration of domain names. It seems like in this case the new registrant could try to get the previous CA (or previous domain registrant) to revoke the existing certificate, or else wait for it to expire. I realize that that could be inconvenient in some cases, but we don’t seem to have a reliable data source that gives us an easy alternative!


#14

That’s great because this is very valuable for running different services (e.g. SMTP, IMAP, HTTPS, …) under the same FQDN.


#16

@plugwash, I believe you will be required to prove possession of only one of them (but we should try to confirm that).


#17

I don’t mean to dig up an old post or take away from the overlapping cert conversation, but I think it is worth clarifying in this thread that you can use one cert with SANs to accomplish this instead of a wildcard or 3 certs. Let’s Encrypt does this with the naked domain and the www:
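As an added example that is not part of this thread, the script below builds a throwaway self-signed certificate carrying the three names from post #6 in a single SAN list (no wildcard, no three separate certificates) and runs the two checks a renewer makes before requesting an overlapping replacement: does the cert cover every required FQDN, and is it close enough to expiry to renew while the old one stays valid. It assumes only the openssl CLI is in PATH; the names, key and 90-day lifetime are constructed for the example.

```shell
# Added example, not code from the thread. Creates a self-signed cert whose
# SAN list carries three FQDNs, then runs the checks a renewer script makes
# before requesting an overlapping replacement. Assumes openssl is in PATH;
# every name and lifetime below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# One certificate, three names: no wildcard and no three separate certs needed.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = letsencrypt.org
[v3_san]
subjectAltName = DNS:letsencrypt.org,DNS:www.letsencrypt.org,DNS:community.letsencrypt.org
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$WORK/san.cnf" \
    -keyout "$WORK/key.pem" -out "$CERT" >/dev/null 2>&1

# Print the DNS names from the certificate's SAN extension, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Exit 0 when the certificate covers every FQDN given, 1 otherwise.
covers_all() {
    cert="$1"; shift
    for n in "$@"; do
        san_names "$cert" | grep -qx "$n" || return 1
    done
}

# Echo "yes" when fewer than $2 days of validity remain, so the renewer should
# request a new certificate now; the old one stays valid (unrevoked) meanwhile.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo no
    else
        echo yes
    fi
}

echo "SANs: $(san_names "$CERT" | tr '\n' ' ')"
echo "renew within 30 days? $(needs_renewal "$CERT" 30)"
```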