
I recently switched from dns-01 to http-01 challenge type for letsencrypt as I plan to sign my dns zones in the future and therefore automated zone manipulation is no longer wanted. Ever since I made this change I can no longer renew some of my zones (I assume that these zones are the ones I initially signed via dns-challenge). My older zones (from first usage - using http from the start) work just normal.

Just to clear things up I'm using the dehydrated-client from lukas2511. I added some debug output to check if there is a problem in that script - and it seems like there is not.
After requesting the challenge I receive the response:

{
  "identifier":{
    "type":"dns",
    "value":"dennisschuerholz.de"
  },
  "status":"valid",
  "expires":"2017-04-16T11:43:43Z",
  "challenges":[
    {
      "type":"http-01",
      "status":"pending",
      "uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/<some foo>/133324572",
      "token":"<some token>"
    },
    {
      "type":"tls-sni-01",
      "status":"pending",
      "uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/<some foo>/133324573",
      "token":"<some token>"
    },
    {
      "type":"dns-01",
      "status":"valid",
      "uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/<some foo>/133324574",
      "token":"<some token>",
      "keyAuthorization":"<some bar>",
      "validationRecord":[
        {
          "Authorities":[
            "dennisschuerholz.de.\t900\tIN\tNS\tns3.schuerholz.it.",
            "dennisschuerholz.de.\t900\tIN\tNS\tns1.schuerholz.it.",
            "dennisschuerholz.de.\t900\tIN\tNS\tns2.schuerholz.it.",
            "dennisschuerholz.de.\t900\tIN\tNS\tns.schuerholz.it."
          ],
          "hostname":"dennisschuerholz.de",
          "port":"",
          "addressesResolved":null,
          "addressUsed":""
        }
      ]
    }
  ],
  "combinations":[[0],[2],[1]]
}

I don't really get why the dns challenge type still contains (outdated) information about the domain and if the "expires"-key has something to do with this.

If I now try to respond to the challenge the status stays at pending forever.

{
  "type":"http-01",
  "status":"pending",
  "uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/<some foo>/133324572",
  "token":"<some token>"
}

It seems that I'm stuck with the dns challenge type and would like to know why and how to revert it (if possible). I just used the same script and domain on the staging-path (https://acme-staging.api.letsencrypt.org/directory), and that's working fine.

1 Answer


serverco from the LE-Community explained to me what's going on.

Once a domain has been validated, that authorisation is remembered for a period of time ( 90 days currently I believe), so requesting via a different type of challenge ( http in your case) will result in always getting a "pending" unless the script takes notice of the "status":"valid". [..] dehydrated [..] should recognise the valid status, and simply obtain a new certificate.

I now supplied a patch to my dehydrated version which skips the challenge if it's not required.
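To make the decision described in the answer concrete, here is an added example (not code from dehydrated or from the poster's patch) that inspects an ACME v1 authorization object of the shape quoted in the question and decides whether the client should skip the challenge because the authorization is already "valid", or respond to the pending challenge of the preferred type. The sample authorization objects, domain name, URIs and tokens are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed authorization objects in the ACME v1 shape quoted in the question
# (placeholder domain, URIs and tokens; not a real CA response).
VALID_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "example.test"},
    "status": "valid",
    "expires": "2017-04-16T11:43:43Z",
    "challenges": [
        {"type": "http-01", "status": "pending", "uri": "https://acme.example/challenge/1", "token": "t1"},
        {"type": "dns-01", "status": "valid", "uri": "https://acme.example/challenge/3", "token": "t3"},
    ],
})
PENDING_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "example.test"},
    "status": "pending",
    "expires": "2017-04-16T11:43:43Z",
    "challenges": [
        {"type": "http-01", "status": "pending", "uri": "https://acme.example/challenge/1", "token": "t1"},
        {"type": "dns-01", "status": "pending", "uri": "https://acme.example/challenge/3", "token": "t3"},
    ],
})


def _parse_ts(ts):
    """Parse the CA's UTC timestamp format ("2017-04-16T11:43:43Z")."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def plan_authorization(authz_json, preferred="http-01", now_ts=None):
    """Return the action a client should take for one authorization object.

    ("skip", None)        the CA already holds a valid, unexpired authorization
                          (completed with any challenge type, e.g. dns-01), so
                          answering a new http-01 challenge would stay "pending";
                          just go on and request the certificate.
    ("reauthorize", None) the stored authorization has expired; request a new one.
    ("respond", chal)     respond to the pending challenge of the preferred type.
    """
    authz = json.loads(authz_json)
    now = _parse_ts(now_ts) if now_ts else datetime.now(timezone.utc)
    if authz["status"] == "valid":
        return ("skip", None) if _parse_ts(authz["expires"]) > now else ("reauthorize", None)
    if authz["status"] != "pending":
        raise ValueError("cannot continue with authorization in status %r" % authz["status"])
    for chal in authz["challenges"]:
        if chal["type"] == preferred and chal["status"] == "pending":
            return ("respond", chal)
    raise ValueError("CA offered no pending %s challenge" % preferred)
```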