Why Alternate Domain Control Validation (DCV) Methods Take Longer
When SSL certificate validation takes longer using DNS or HTTP methods. This article explains why alternate DCV methods may be delayed due to retry mechanisms, propagation time, and how to speed up the validation process.
As we all know, apart from the popular Email Challenge Response, there are a couple of alternate methods for Domain Control Validation (DCV).
These additional methods are:
- HTTP based DCV
- DNS CNAME based DCV
All three methods of DCV are invoked at the same time when the CSR is submitted to the Certificate Authority for enrollment. The certificate is issued as soon as the DCV is confirmed, irrespective of the method used.
In the case of Email Challenge Response, the CA system waits for a POST call with the response code which is submitted via the verification link that was sent to the approver email address.
While the CA system is waiting for the email challenge response, it also starts looking for the DNS CNAME record (or the Request Token for HTTP based DCV).
If they can't find the record or the request token in the first attempt, their system automatically retries after some time. But instead of waiting for a fixed amount of time, they follow a retry pattern with exponential back-off. With this method, the wait time increases with each failed attempt.
To illustrate this, here's a simple example:
After the initial attempt fails, the system would follow this retry pattern with increasing wait time before the next retry event occurs:
- 5 minutes
- 15 minutes
- 45 minutes
- 90 minutes
- 4 hours
- 10 hours
- 16 hours
- 24 hours
- and so on...
This is not accurate, but you get the idea. It goes like that for few days and then stops after it reaches the maximum retry count.
In most of the cases, the request token is not found when the CA system tries and retries few times because the record is either not added or there is a propagation delay. Since they are using the exponential back-off algorithm, the wait time for the next retry increases significantly and hence it may appear that the process requires manual intervention for every SSL order, but that's not true.
Additional Information: -- In order to minimize the wait time for alternate methods of DCV, we suggest that you add the CNAME record in the DNS zone a few hours before submitting the CSR. -- Lower the TTL so that propagation takes less time. -- This would ensure that the CA system is able to read the request token quickly from the DNS when you submit the CSR.