Reuse letsencrypt dns challenge

Zulakis asked:

With letsencrypt, certificates have to be renewed every 90 days. Every time a cert is renewed, ownership of the domains included in the cert has to be proven again.

It is possible to do so by adding a _acme-challenge DNS record. Is it possible to set this DNS record the first time it’s used for validation, and reuse it for subsequent validations, so that it is not necessary to set a new DNS record every time certificates need to be renewed?

My answer:
It would not be cryptographically secure to reuse the same challenge.

If it were to be reused, anyone could receive a certificate for your domain name, because the “proper” data was already there!

This is why a new challenge is issued each time.
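As an added illustration (not part of the original answer, and not Let's Encrypt's or any ACME client's own code), the following Python sketch shows why a DNS record left over from an earlier validation does not satisfy a later one. Under RFC 8555 the server hands out a fresh random token for each challenge; the client builds the key authorization from that token and the RFC 7638 thumbprint of its account key, and the `_acme-challenge` TXT value is the base64url SHA-256 of that key authorization. The thumbprint is stable across renewals, the token is not, so the published TXT value changes every time. The account key below is a constructed, non-functional JWK used only to make the thumbprint computation concrete; `validate_dns01` stands in for the CA's lookup and is not a real ACME server API.

```python
import base64
import hashlib
import json
import secrets

# Constructed sample account key (not a real key; coordinate values are placeholders).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_challenge_token() -> str:
    """What the CA does per challenge: a fresh token with >= 128 bits of entropy (RFC 8555 s8.3)."""
    return b64url(secrets.token_bytes(32))


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token '.' thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT value is base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def validate_dns01(published_txt_values: set, token: str, jwk: dict) -> bool:
    """Stand-in for the CA's check: does any published TXT value match this challenge?"""
    return dns01_txt_value(token, jwk) in published_txt_values


def renewal_walkthrough() -> dict:
    """Simulate issuance and a later renewal with a stale record left in DNS."""
    first_token = new_challenge_token()
    published = {dns01_txt_value(first_token, SAMPLE_JWK)}  # operator publishes this once
    first_ok = validate_dns01(published, first_token, SAMPLE_JWK)

    # 90 days later the CA issues a new token; the old TXT record is still in the zone.
    renewal_token = new_challenge_token()
    stale_ok = validate_dns01(published, renewal_token, SAMPLE_JWK)

    # Only after publishing the value derived from the new token does validation pass.
    published.add(dns01_txt_value(renewal_token, SAMPLE_JWK))
    fresh_ok = validate_dns01(published, renewal_token, SAMPLE_JWK)
    return {"first_ok": first_ok, "stale_record_ok": stale_ok, "fresh_record_ok": fresh_ok}


if __name__ == "__main__":
    print(renewal_walkthrough())
```

The practical consequence for operators is that automating the DNS-01 flow means automating the TXT record update (via a DNS provider API or the `_acme-challenge` CNAME delegation pattern), not pinning a single record value; the `stale_record_ok` result in the walkthrough is what a renewal with an untouched record would see.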
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.