[buug] letsencrypt DNS (validation)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Tue May 9 08:14:27 PDT 2017


Curious if you're seeing actual DNS problems, or
problems with DNS validation method, or if it's
"just" issues with TTLs and negative caching and
perhaps a modest bit of latency on propagation (e.g.
to all delegated nameservers plus a few seconds or so ...
more than that?).


> From: "Ian Zimmerman" <itz at primate.net>
> Subject: Re: [buug] letsencrypt
> Date: Mon, 8 May 2017 14:46:28 -0700

> On 2017-05-07 21:53, Michael Paoli wrote:
>
>> Well, I seem to recall (which may *not* be fully accurate)
>> ... that the default behavior is renewal attempts start at 30 days
>> before expiration, and continue daily thereafter until successfully
>> renewed/replaced.  I'm fairly sure that information is in the
>> various documentation/FAQ(s) or the like - at least that's where I
>> seem to recall having read it before.
>
> Re-reading certbot.eff.org, it does indeed say "distant future" is
> defined as 30 days.  My bad for missing it the first time.
>
> Given that, I think I'm comfortable with a daily cronjob.  It would be
> _really_ unlucky for letsencrypt DNS to be fscked 30 consecutive days.
>
> Thanks for the ideas, I'll add them to the "when bored" list :-)
