[buug] letsencrypt DNS (validation)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Tue May 9 08:14:27 PDT 2017

Curious if you're seeing actual DNS problems, or
problems with DNS validation method, or if it's
"just" issues with TTLs and negative caching and
perhaps a modest bit of latency on propagation (e.g.
to all delegated nameservers plus a few seconds or so ...
more than that?).

> From: "Ian Zimmerman" <itz at primate.net>
> Subject: Re: [buug] letsencrypt
> Date: Mon, 8 May 2017 14:46:28 -0700

> On 2017-05-07 21:53, Michael Paoli wrote:
>> Well, I seem to recall (which may *not* be fully accurate)
>> ... that the default behavior is renewal attempts start at 30 days
>> before expiration, and continue daily thereafter until successfully
>> renewed/replaced.  I'm fairly sure that information is in the
>> various documentation/FAQ(s) or the like - at least that's where I
>> seem to recall having read it before.
> Re-reading certbot.eff.org, it does indeed say "distant future" is
> defined as 30 days.  My bad for missing it the first time.
> Given that, I think I'm comfortable with a daily cronjob.  It would be
> _really_ unlucky for letsencrypt DNS to be fscked 30 consecutive days.
> Thanks for the ideas, I'll add them to the "when bored" list :-)

More information about the buug mailing list