Closed mrdenny closed 7 months ago
I've put together some PowerShell scripts which wrap your cmdlets. For some reason that I can't figure out I'm prompted to create TXT records pretty randomly when I get updated certificates. Any idea what triggers needing DNS verification when the verification has already been done?

Hi @mrdenny. ACME validations are generally required for every name in a cert on every renewal. Some CAs such as Let's Encrypt will cache successful validations for a period of time (30 days for LE) such that if you create a new order that contains names with cached validations, those names won't require revalidation for that order. But names that hadn't been previously validated, or whose cached validations had expired, will need to revalidate.

Ok, I think that's the trick. I was refreshing the cert 30 days before it expired, but that's outside the cache window. I'll update like 70 days before it expires as that should be within the 30 days that it was cached and hopefully will reset the timer.

Unfortunately that won't work. The validation cache timer doesn't get reset without actually performing a new validation. So renewing at 30 days will get you a new 90 day cert. But the next time you renew after that, even the very next day, you'll be challenged to revalidate those names. Forcing revalidation is part of the CA/B requirements that all public CAs must abide by.

The 30 day window also isn't part of the ACME spec and is likely to be different or nonexistent for other CAs. Even Let's Encrypt has said they will likely be lowering that cache window eventually down to 7-10 days.
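The cache behaviour the maintainer describes (a per-name validation timestamp that is reused while it is fresh but never refreshed by reuse) is easy to misjudge by hand, so here is an added simulation of it. This is constructed example code, not Posh-ACME's or Let's Encrypt's implementation; the 30 day window and 90 day lifetime are the figures quoted in the thread, and `AuthzCache`, `simulate_renewals` and the host name are hypothetical. It shows why renewing 70 days before expiry does not keep the name cached, and lets you try the shorter 7 day window mentioned as a possible future value.

```python
from datetime import datetime, timedelta

# Constructed model of the behaviour described in the thread; not CA or Posh-ACME code.
CERT_LIFETIME = timedelta(days=90)
DEFAULT_CACHE_WINDOW = timedelta(days=30)   # the Let's Encrypt figure quoted above


class AuthzCache:
    """Per-name validation cache of a hypothetical CA.

    A name is challenged when it has never been validated or when its last
    validation is older than the cache window.  Reusing a cached validation
    does not touch the timestamp, which is the point made in the thread.
    """

    def __init__(self, cache_window=DEFAULT_CACHE_WINDOW):
        self.cache_window = cache_window
        self.validated_at = {}   # name -> time of the last completed challenge

    def new_order(self, names, now):
        """Return the subset of `names` that must complete a fresh challenge."""
        challenged = []
        for name in names:
            last = self.validated_at.get(name)
            if last is None or now - last >= self.cache_window:
                challenged.append(name)
                self.validated_at[name] = now   # challenge completed: new cache entry
        return challenged


def simulate_renewals(names, renew_days_before_expiry, cycles,
                      cache_window=DEFAULT_CACHE_WINDOW, start=datetime(2024, 1, 1)):
    """Issue a cert at `start`, then renew it `renew_days_before_expiry` days
    before each expiry, `cycles` times.

    Returns a list of (day_offset_from_start, challenged_names), one entry per
    order, so you can see which renewals would prompt for TXT records.
    """
    ca = AuthzCache(cache_window)
    now = start
    history = [(0, ca.new_order(list(names), now))]
    for _ in range(cycles):
        now = now + CERT_LIFETIME - timedelta(days=renew_days_before_expiry)
        history.append(((now - start).days, ca.new_order(list(names), now)))
    return history


def renewals_needing_challenges(history):
    """Day offsets of the orders that required at least one challenge."""
    return [day for day, challenged in history if challenged]


if __name__ == "__main__":
    for lead in (30, 70):
        hist = simulate_renewals(["www.example.test"], lead, cycles=4)
        print(f"renew {lead} days before expiry:")
        for day, challenged in hist:
            status = "challenged " + ", ".join(challenged) if challenged else "cached, no challenge"
            print(f"  day {day:3d}: {status}")
```

With a 30 day lead every renewal (day 60, 120, ...) is past the window and is challenged; with a 70 day lead the day 20 order reuses the day 0 validation, but the day 40 order is challenged because nothing refreshed the timestamp, and the pattern then alternates. Adding a name that was never validated, or shrinking the window to 7 days, makes the challenges reappear on every order, which matches the "pretty random" TXT prompts when the set of names or the renewal spacing changes.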