Group items tagged

The first time the agent software interacts with Let’s Encrypt, it generates a new key pair and proves to the Let’s Encrypt CA that the server controls one or more domains.

The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges

different ways that the agent can prove control of the domain

Once the agent has an authorized key pair, requesting, renewing, and revoking certificates is simple—just send certificate management messages and sign them with the authorized key pair.

The CAA record consists of a flags byte and a tag-value pair referred to as a ‘property’.

example.com. CAA 0 issue "letsencrypt.org"

each CAA record contains only one tag-value pair

dig google.com type257

A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames.

a Renewal Exemption to the Certificates per Registered Domain limit.

The Duplicate Certificate limit and the Renewal Exemption ignore the public key and extensions requested

You can issue 20 certificates in week 1, 20 more certificates in week 2, and so on, while not interfering with renewals of existing certificates.

Revoking certificates does not reset rate limits

If you’ve hit a rate limit, we don’t have a way to temporarily reset it.

get a list of certificates issued for your registered domain by searching on crt.sh

If you have a large number of pending authorization objects and are getting a rate limiting error, you can trigger a validation attempt for those authorization objects by submitting a JWS-signed POST to one of its challenges, as described in the ACME spec.

If you do not have logs containing the relevant authorization URLs, you need to wait for the rate limit to expire.

having a large number of pending authorizations is generally the result of a buggy client