Re: Question about letsencrypt certs
Hi,
On Wed, Jun 11, 2025 at 05:01:33PM +0800, Y Peng wrote:
> after deploying this server to the production environment, it is
> subject to strict network isolation and cannot access the internet.
> Will the Let's Encrypt certificate remain valid for a long time if it
> cannot access the internet?
Others have explained how Let's Encrypt certificates are valid for 90
days regardless of where they are used.
You are probably used to the most simple Let's Encrypt operation mode,
which is called HTTP-01. In this mode your client software (e.g.
certbot) makes a renewal request and then the Let's Encrypt servers
do an HTTP connection back to the host listed in the certificate in
order to check you have control over the name. This is obviously
problematic when the hostname in the certificate is partly or wholly
disconnected from the Internet.
DNS-01 is a different challenge mode. Instead of connecting back by
HTTP, Let's Encrypt will do a DNS query to look for some specific record
that proves you own the name. This is more complicated to set up but
much more flexible, since your client can run from anywhere and all you
need to publish is a record in DNS. If everything checks out then your
client ends up with the new certificate files, so then your final task
is to get those files where they need to be.
DNS-01 requires you to have the ability to modify your DNS, either by
standard nsupdate protocol (for when you run your own DNS) or using many
different APIs of different DNS providers. You can use certbot as a
client but I prefer something simpler like acme.sh.
DNS-01 really shines in situations where you have many servers, lots of
certificates, certificates that need to be distributed to multiple
servers, servers that can't have the HTTP-01 challenges come back to
them, etc. and you already have some form of config management or
continuous delivery system.
See https://letsencrypt.org/docs/challenge-types/ for more info, but
remember that there are many clients other than Let's Encrypt's own
certbot.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
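The following is an added worked example of the DNS-01 mechanics Andy describes above; it is not code from the original thread, nor from certbot or acme.sh. It computes the TXT record value a CA looks for (RFC 8555 section 8.4: base64url of the SHA-256 of the key authorization, where the key authorization is the challenge token joined to the RFC 7638 thumbprint of the ACME account key), emits the nsupdate script that publishes or removes that record, and reproduces the CA-side comparison. The account key JWK, the token, the zone and the hostnames are all constructed for this example and are not real.

```python
"""Worked DNS-01 example (added, not the original post's or any client's code):
compute the _acme-challenge TXT value, produce the nsupdate script that
publishes it, and reproduce the CA-side check. The account key, token and
names below are constructed for this example; the JWK is not a real key."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed ACME account key in JWK form (NOT a real P-256 point).
# "kid" and "alg" stand in for the extra members a real client stores
# next to the key; the RFC 7638 thumbprint must ignore them.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "X_COORD_PLACEHOLDER_NOT_A_REAL_POINT_ABCDEF",
    "y": "Y_COORD_PLACEHOLDER_NOT_A_REAL_POINT_ABCDEF",
    "kid": "https://acme.example.invalid/acct/1",  # assumed value
    "alg": "ES256",
}
SAMPLE_TOKEN = "tok-constructed-for-this-example-0001"  # constructed, not issued by a CA


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME and JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace in the JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Prepend _acme-challenge to the name being validated. A wildcard
    "*.example.com" is validated at the base name, so it and the plain
    "example.com" authorization share one owner name (and may each have
    their own TXT record there at the same time)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def nsupdate_script(zone: str, name: str, value: str, ttl: int = 60,
                    action: str = "add", server: Optional[str] = None) -> str:
    """Build the stdin for nsupdate(1). A low TTL keeps stale values from
    lingering in caches; the delete names the exact record so a concurrent
    validation at the same owner name keeps its own TXT record."""
    if action not in ("add", "delete"):
        raise ValueError("action must be 'add' or 'delete'")
    lines = []
    if server:
        lines.append(f"server {server}")
    lines.append(f"zone {zone}")
    if action == "add":
        lines.append(f'update add {name} {ttl} IN TXT "{value}"')
    else:
        lines.append(f'update delete {name} IN TXT "{value}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


def validate_dns01(txt_records, token: str, jwk: dict) -> bool:
    """What the CA does after resolving the TXT RRset: succeed if any one
    record equals the expected digest (constant-time compare)."""
    expected = dns01_txt_value(token, jwk).encode("ascii")
    return any(hmac.compare_digest(r.encode("ascii"), expected) for r in txt_records)


if __name__ == "__main__":
    name = dns01_record_name("*.example.com")  # constructed name
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(nsupdate_script("example.com.", name, value, server="ns1.example.com"))
    print("CA would accept:", validate_dns01([value], SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The script text goes to `nsupdate -k /path/to/tsig.key` on a host that is allowed to send dynamic updates; only the name-server update path needs to reach the zone's primary, so the ACME client itself can sit anywhere, which is the flexibility the post is pointing at. Note that the CA will query the authoritative servers, so propagate to all of them before asking the CA to validate, and remove the record with the matching `delete` script afterwards.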