
Let's Encrypt: renew vs new, or: why renew [Resolved]

Might be a stupid question, but: what is the difference between renewing a Let's Encrypt certificate and just getting a new one?

Related question and background for this question: do I need to keep the account data from certbot? As long as I can validate my domain I will get a new certificate.

What am I missing?

Question Credit: sc911
Asked March 17, 2019
Posted Under: Network
1 Answer

From an ACME protocol perspective, there is no difference, which is to say, there's no such thing as a renewal. All new certs come from a new "order". Most clients just abstract the concept of a renewal by saving the details you originally used to create the certificate and re-using those same details to get a new cert. For reference, here's the recently finalized ACME specification, RFC 8555.

The ACME account data that certbot creates for you is only necessary if you need to revoke a certificate and don't have the private key available. There's nothing technically stopping you from creating a new account for every certificate you create other than the published rate limits. From the doc:

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers.

Creating a separate account per server is fairly common. There's usually no need to synchronize a single account across multiple machines.

credit: Ryan Bolger
Answered March 17, 2019
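The following Python is an added worked example, not code from the question, the answer, or certbot. It models the three points made in the answer: a "renewal" is only a newOrder (RFC 8555 section 7.4) rebuilt from saved parameters, the account is only needed to revoke when the certificate's private key is gone (RFC 8555 sections 6.2 and 7.6: `kid` with an account, `jwk` with the certificate key), and the quoted account-creation limits are counted per address and per IPv6 /48 over a 3-hour window. The renewal-conf sample, its paths, account id and domains, the nonce and URLs, and the tiny parser (a stand-in for certbot's configobj-based handling of `/etc/letsencrypt/renewal/<name>.conf`) are all assumptions constructed for this example.

```python
"""Model of the ACME points above (added example; not certbot's code)."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample modelled on certbot's /etc/letsencrypt/renewal/<name>.conf.
# Paths, account id and domains are made up for this example.
SAMPLE_RENEWAL_CONF = """\
version = 1.3.0
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
www.example.com = /var/www/html
example.com = /var/www/html
"""


def parse_renewal_conf(text):
    """Minimal parser for the layout above: top-level keys, [section] headers,
    [[subsection]] headers nested under the last [section], 'key = value' lines."""
    conf, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):
            current = section.setdefault(line.strip("[]"), {})
        elif line.startswith("["):
            section = current = conf.setdefault(line.strip("[]"), {})
        else:
            key, _, value = line.partition("=")
            (current if current is not None else conf)[key.strip()] = value.strip()
    return conf


def new_order_payload(domains):
    """RFC 8555 section 7.4 newOrder body. There is no field that could mark the
    order as a 'renewal': every certificate comes from a fresh order."""
    return {"identifiers": [{"type": "dns", "value": d} for d in sorted(domains)]}


def renewal_order(conf_text):
    """What a client does on 'renew': replay the saved account, server and names
    into a brand-new order. Returns (account id, ACME directory URL, payload)."""
    params = parse_renewal_conf(conf_text)["renewalparams"]
    return params["account"], params["server"], new_order_payload(params["webroot_map"])


def revoke_protected_header(url, nonce, account_url=None, cert_jwk=None):
    """JWS protected header for revokeCert. With the account, authenticate by
    'kid' (the account URL); without it, sign with the certificate's own key and
    embed its public half as 'jwk'. Hence account data is only needed for
    revocation when the certificate's private key is unavailable."""
    header = {"alg": "ES256", "nonce": nonce, "url": url}
    if account_url is not None:
        header["kid"] = account_url
    elif cert_jwk is not None:
        header["jwk"] = cert_jwk
    else:
        raise ValueError("need either the account URL or the certificate's key")
    return header


# The two account-creation limits quoted from the Let's Encrypt docs.
ACCOUNT_WINDOW = timedelta(hours=3)
PER_ADDRESS_LIMIT = 10
PER_IPV6_48_LIMIT = 500


def rate_limit_keys(addr):
    """Buckets a creation from `addr` counts in: the address itself always,
    plus its /48 for IPv6. Returns [(bucket, limit), ...]."""
    ip = ip_address(addr)
    keys = [(str(ip), PER_ADDRESS_LIMIT)]
    if ip.version == 6:
        keys.append((str(ip_network(f"{ip}/48", strict=False)), PER_IPV6_48_LIMIT))
    return keys


def account_creation_allowed(history, source, now):
    """history: [(datetime, address), ...] of earlier account creations.
    False if one more account from `source` would exceed a 3-hour limit."""
    recent = [{k for k, _ in rate_limit_keys(a)} for t, a in history if now - t < ACCOUNT_WINDOW]
    return all(sum(key in b for b in recent) < limit for key, limit in rate_limit_keys(source))


if __name__ == "__main__":
    account, server, payload = renewal_order(SAMPLE_RENEWAL_CONF)
    print(account, server, payload)
    print(revoke_protected_header("https://acme/revoke-cert", "nonce", cert_jwk={"kty": "EC"}))
```

Running the module prints the order a "renewal" would submit; compare it with `new_order_payload(["example.com", "www.example.com"])` and you get the same body, which is the whole point of the answer. The rate-limit helper is only a local model of the quoted limits, not a query of the CA's counters.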