Some versions of certbot will use tls-sni-01 by default (for renewals) when it’s available, but will switch automatically to http-01 when it’s not. If you’re using one of those versions, a --dry-run will run against the staging server where tls-sni-01 is already disabled, so it simulates what will happen in the future when tls-sni-01 will be disabled on the live server. If your setup works correctly in that test, then you should be fine.
1 Like