Clear/Reuse pending authorizations #218

New Issue

Closed

opened 2025-12-29 01:19:08 +01:00 by adam · 1 comment

adam commented 2025-12-29 01:19:08 +01:00

Owner

Copy Link

Originally created by @KimBrodowski on GitHub (May 2, 2017).

I'm running a server behind a dynamic IP. Just before a cert was about to expire and the cronjob to renew it kicked in the IP address changed. Due to a 2nd instance of dehydrated running on the same network LE's dns servers had cached the old IP address for 60 seconds (DNS TTL).
This lead to a situation where requests could not be verified and many pending authorizations were created ultimately leading to hitting LE's rate limit. This can easily be avoided by either deactivating the authorizations explicitly if one in the chain required for the cert fails or just trying to validate them. It doesn't matter if the request succeeds or not: The pending authorization will be gone. Alternatively dehydrated could cache the values and use them in later requests.

A similar issue and the solution mentioned above is documented on the LE forums here: https://community.letsencrypt.org/t/clear-pending-authorizations/22157

Originally created by @KimBrodowski on GitHub (May 2, 2017). I'm running a server behind a dynamic IP. Just before a cert was about to expire and the cronjob to renew it kicked in the IP address changed. Due to a 2nd instance of dehydrated running on the same network LE's dns servers had cached the old IP address for 60 seconds (DNS TTL). This lead to a situation where requests could not be verified and many pending authorizations were created ultimately leading to hitting LE's rate limit. This can easily be avoided by either deactivating the authorizations explicitly if one in the chain required for the cert fails or just trying to validate them. It doesn't matter if the request succeeds or not: The pending authorization will be gone. Alternatively dehydrated could cache the values and use them in later requests. A similar issue and the solution mentioned above is documented on the LE forums here: https://community.letsencrypt.org/t/clear-pending-authorizations/22157

adam closed this issue 2025-12-29 01:19:09 +01:00

adam commented 2025-12-29 01:19:09 +01:00

Author

Owner

Copy Link

@lukas2511 commented on GitHub (Apr 8, 2018):

This is no longer relevant, authorizations should now be automatically re-used on serverside, any further (DNS or other) caching issues are outside the scope of dehydrated.

@lukas2511 commented on GitHub (Apr 8, 2018): This is no longer relevant, authorizations should now be automatically re-used on serverside, any further (DNS or other) caching issues are outside the scope of dehydrated.

adam referenced this issue 2025-12-29 01:29:00 +01:00

[PR #218] [CLOSED] letsencrypt.sh#217: FreeBSD sed doesn't parse challenges properly #757

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

sudo-env

testing

rfc8738

jsonsh

v0.7.2

v0.7.1

v0.7.0

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

v0.4.0

v0.3.1

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels

Complicated

bug

enhancement

help wanted

pull-request

Mirrored from GitHub Pull Request

suggestions wanted

testing

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/dehydrated#218