[Answered] DNS-01 Manual question

This most likely is a dumb question, but this is my first time really diving into LE.

I have Certifytheweb and LE set up and issued certs (utilizing DNS-01 manual TXT record), and deployed them to servers. Playing around, I have requested new certs (after enabling PFX password etc.) without issues.

My question is this: when it comes time to renew (14 days before expiration), will Certifytheweb/LE require/generate a new TXT record to be uploaded in our DNS host manually? Or will it always use the same TXT record? I’m confused on this because I’ve requested a new cert and LE provided the cert automatically, so I’m not sure if that TXT record has to be updated…

Hi, you should absolutely avoid using Manual DNS as your normal domain validation method. We support it only for evaluation/testing and it is not automated.

Yes, when your cert renews you will definitely need to update DNS manually again if you use this method. Let’s Encrypt currently caches validations for 30 days so if you re-request a cert for the same domain within that timeframe it doesn’t make you validate again, but proper renewals will.

See also this reply to another thread regarding Certify DNS (a dns challenge response service we run): Renewal Failure - No order for ID XXX - #5 by webprofusion

Okay so 14 days before the cert expires, certifytheweb will request a new cert, which will be past the 30 day cache, which would then prompt us to enter the DNS TXT code manually.

For us, this is most likely an acceptable practice. We only have two certs (a single subdomain.domain.tld and a wildcard *.domain.tld).

Our issue with setting up automation is that we’re unsure if certifytheweb (or other ACME clients, maybe Digicert) have SOC 2 or HECVAT documentation/compliance (we’re Higher Ed), and providing credentials into our DNS host (which doesn’t offer the ability to limit API scopes for DNS modification, so the API provided would have full reign of the DNS host). Purchasing Certify-DNS or other similar (and supported) ACME DNS would be another option that we may look into (certify at like 20$/year is reasonable - but again with compliance unknowns).

I appreciate your explanation and it is definitely an answer to the question posed.

Thanks, just to clarify, if you provide DNS credentials they are stored on your own server encrypted using the Windows Data Protection API (DAPI). They are not distributed outside of your own server.

Other options available to you are:

Regarding compliance, our company (based in Australia) is currently too small to meet most international compliance standards as we are unable to provide things like team separation of duties or regular audits etc. We leverage the data security/sla features of our own cloud providers such as AWS, Cloudflare and Google Cloud. We do have about 30 US .edu customers and several are using Certify DNS (which is $4.99 a month).

Personally I think the top option (running your own DNS zone just for answering DNS challenges) is the easiest and most cost effective, as I would strongly suspect you have the technical ability to implement that (not everyone does!).

Your information is greatly appreciated. I would say most likely utilizing Certify DNS and doing the CNAME delegation is probably the easiest and most practical way to do things in our scenario.

Thanks so much for clarification and suggestions!