brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
67281e2931295d74ce51e9850d01b0e09a6ce15d
oam/knowledge base/letsencrypt.md
Michele Cereda d3cd3c432e chore(letsencrypt): tell about tld limitations
2025-01-06 19:40:08 +01:00

3.8 KiB
Raw Blame History

Let's Encrypt

  1. Challenges
    1. DNS-01 challenge
  2. Limits
    1. TLDs must be public
    2. Duplicate certificates
  3. Further readings
    1. Sources

Challenges

Refer Challenge types.

DNS-01 challenge

Requires one to prove one has control over the DNS for one's domain name.
This also allows one to issue wildcard certificates for the domain name in question.

Proof is achieved by creating a TXT record with a specific value under that domain name. The procedure is as follows:

  1. The ACME client requests Let's Encrypt a token.
  2. The client, or anything else capable, creates the TXT record in the DNS at _acme-challenge.{{ domain name }}.
    The value of the record needs to be derived from the token and one's account key.
  3. The client requests Let's Encrypt to query the DNS system for the TXT record.
  4. If Let's Encrypt finds a match, one can proceed to issue a certificate.

This process kinda only makes sense to leverage the DNS-01 challenge type if one's DNS provider allows for automation.

Let's Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation.
As such, one can use CNAME or NS records to delegate answering the challenge to other DNS zones, meaning this can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone.

One can have multiple TXT records in place for the same name.
However, make sure to clean up old TXT records: Let's Encrypt will start rejecting the request if the response size from the DNS gets too big.

Limits

TLDs must be public

Domain names must end in a public TLD to be certified by Let's Encrypt.

As long as the domain to certify is listed in the Public Suffix or IANA lists, Let's Encrypt should be able to create certificates for it.
One can check the domain on https://letsdebug.net/ to confirm it.

Duplicate certificates

Refer Duplicate certificate limit.

One can request a certificate issuance for the same exact set of hostnames up to 5 times per week.
Once that limit is exceeded, one should receive an error message like the following:

too many certificates (5) already issued for this exact set of domains in the
last 168 hours: example.com login.example.com: see https://letsencrypt.org/docs/duplicate-certificate-limit

In this error message example, the exact set is ["example.com", "login.example.com"].

Revoking previously issued certificates will not reset the duplicate certificate limit.
Nor that limit can be overridden at the time of writing.

As a workaround, one can request one or more certificates for a different exact set of hostnames.
E.G., requesting a certificate for [example.com, test.example.com] will succeed; similarly, requesting separate certificates for the [example.com] and [login.example.com] sets will succeed.

Further readings

Sources