5

With Let's Encrypt, certificates have to be renewed every 90 days. Every time a cert is renewed, ownership of the domains included in the cert has to be proven again.

It is possible to do so by adding an _acme-challenge DNS record. Is it possible to set this DNS record the first time it's used for validation, and reuse it for subsequent validations, so that it is not necessary to set a new DNS record every time certificates need to be renewed?

Dave M
Zulakis
  • It seems that you can, and there are already some github goodies https://github.com/xenolf/lego ...and this one if you have a website that can host challenge files https://github.com/diafygi/acme-tiny – Sum1sAdmin Apr 26 '16 at 11:03
  • I believe the answer is no, but you may be able to automate the process instead. See e.g. https://github.com/lukas2511/letsencrypt.sh/wiki/Examples-for-DNS-01-hooks – Håkan Lindqvist Apr 26 '16 at 18:42
  • I find the client ACME works well, it does auto-renewals just fine, unlike the official client which is really terrible on Amazon Linux https://github.com/hlandau/acme – Tim Apr 28 '16 at 20:19

2 Answers

3

It would not be cryptographically secure to reuse the same challenge.

If it were to be reused, anyone could receive a certificate for your domain name, because the "proper" data was already there!

This is why a new challenge is issued each time.

Michael Hampton
  • Well, if the DNS record was bound to the account key, no one without the account key could request another key. If domain ownership changed, there wouldn't be a matching DNS record for the account key anymore, making this secure for this scenario as well. Am I incorrect on this? – Zulakis Apr 28 '16 at 10:58
  • I think you're right @Zulakis, but that would imply that Let's Encrypt is also responsible for tracking domain ownership, and probably they don't want to do that. – Federico Feb 15 '21 at 01:45
0

Imagine this:

  • You have the domain xyz.com validated and bound to your ACME account.
  • Privacy protection is active on the domain, which means that usually all the domains with this feature active on the same registry (e.g. GoDaddy.com) thereby have the same contact in the domain's WHOIS.
  • Someday you decide you don't want to renew this domain, or you miss the expiration date and the follow-up grace period(s) to renew it.
  • Someone new registers this domain and enables privacy protection.

In such a bound scenario, this person would now be unable to use Let's Encrypt for this domain name, because it's bound to your ACME account.

This person would now have to send documents etc. to ACME, and they would need to check them and get in touch with you so you have the chance to react (it could be fraud in the end). This would cause a ton of work for everyone involved: the new domain owner, Let's Encrypt, and possibly you (if it's really a fraud attempt). How could this effort be justified for a free service? Meanwhile, the new legal owner would still be unable to use Let's Encrypt to get a certificate, all because of a missing revalidation, while there are options so that you don't even have to do this validation manually (see below).

This would create massive chaos. Let's Encrypt is there to enable relatively simple creation of certificates, but that doesn't mean validation-free. Whenever ordering a certificate, a validation has to be made. You can make the thing a lot easier, for example by using CNAMEs for all your subdomains, even using CNAMEs for secondary domains pointing to your primary DNS zone, so you only change record(s) in one place rather than x places, and you can even automate the process by using APIs from your DNS zone management service (e.g. Cloudflare), combine it with the ACME API, and automate the whole process from changing the records to fetching the certificate and, if your infrastructure allows, even replacing the certificates locally.

And there are even great freeware GUI / CLI clients that you can use for that; once set up, they do the renewing on your behalf, and some of them can even replace the certs locally. Just make sure to use a respectable / checked client before you feed it with access credentials for all the services.

Personally, I use the REST API from my DNS zone management service and the ACME REST API to automatically renew all certificates, automatically changing the IIS domain bindings, adding the corresponding certs to each employee computer's cert store and updating the thumbprints in the database (for second-layer client validation). In the end, it is just a couple of hundred lines of relatively simple code.

A client that often gets suggested (command line) is Certbot. A GUI client I used back in the past: CertifyTheWeb. But it's been a while since I used those, so please research (again) before using.

  • Hi TronTonic, welcome to Server Fault! Your answer is, as far as I can see, based on the premise of binding validation to an ACME account. My suggestion however is completely different: reusing DNS challenge tokens. Once domain ownership changes, the new owner can request a new challenge token from LE and validate their certificates. The old owner additionally loses the power to create certificates for the domain, because the old challenge token is not present on the new DNS anymore. – Zulakis Sep 26 '22 at 11:42
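As an added example (not code from either answer or from any ACME client mentioned on this page), the following Python shows concretely what the first answer and the comments on it are arguing about, and what the second answer's CNAME suggestion buys you. It derives the DNS-01 TXT value the way RFC 8555 section 8.4 specifies: the CA-issued token is joined to the RFC 7638 thumbprint of the ACME account key and hashed, so the published value depends on both a per-authorization random token and the account key. It also resolves where that TXT record has to be published when every `_acme-challenge` name is a CNAME to one central name. The account JWK, the CNAME map and the token generator are constructed stand-ins (a real key, real DNS lookups and a real CA would supply them); the function names are my own.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: only the required members,
    in lexicographic order, no whitespace, then SHA-256. Optional members
    such as "use" or "kid" are deliberately left out."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds
    base64url(SHA-256(token "." thumbprint(account key))).
    The token is chosen by the CA for each new authorization and the thumbprint
    ties the proof to one account; change either and the value changes."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record_name(fqdn: str, cnames: dict) -> str:
    """Return the name at which the TXT record must actually be published.
    Validators follow CNAMEs on _acme-challenge.<fqdn>, so pointing every
    subdomain's challenge name at one central name means only that one zone
    ever needs editing. `cnames` is a constructed stand-in for DNS lookups."""
    name = f"_acme-challenge.{fqdn.rstrip('.')}."
    seen = set()
    while name in cnames:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = cnames[name]
    return name


# Constructed sample account key: not a real key, the coordinates are placeholders.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-placeholder",
    "y": "constructed-y-coordinate-placeholder",
    "use": "sig",  # optional member, excluded from the thumbprint by RFC 7638
}

# Constructed delegation: every challenge name points at one central name.
SAMPLE_CNAMES = {
    "_acme-challenge.www.example.com.": "_acme-challenge.acme.example.com.",
    "_acme-challenge.api.example.com.": "_acme-challenge.acme.example.com.",
    "_acme-challenge.example.net.": "_acme-challenge.acme.example.com.",
}


def renewal_records(fqdn: str, account_jwk: dict, cnames: dict) -> dict:
    """Simulate one renewal. The CA hands out a fresh random token each time
    (secrets.token_bytes stands in for the CA here), so the same account
    publishing at the same name still gets a new TXT value every renewal."""
    token = b64url(secrets.token_bytes(32))
    return {
        "name": challenge_record_name(fqdn, cnames),
        "txt": dns01_txt_value(token, account_jwk),
    }


if __name__ == "__main__":
    first = renewal_records("www.example.com", SAMPLE_ACCOUNT_JWK, SAMPLE_CNAMES)
    second = renewal_records("www.example.com", SAMPLE_ACCOUNT_JWK, SAMPLE_CNAMES)
    print(first)
    print(second)
    print("same name, new value:",
          first["name"] == second["name"] and first["txt"] != second["txt"])
```

Two things fall out of running it. The record name is stable across renewals, so the CNAME delegation from the second answer lets an automated hook update one central zone; but the record value is not stable, because the token half of the key authorization is freshly chosen by the CA, which is the point of the accepted answer. The thumbprint half is what the question's comments call "binding to the account key": a TXT value computed for one account key is useless to any other account.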