Am I using TLS-SNI-01?


#1

I received the email about SNI-01 a few weeks ago. It mentioned a couple of the certs that I have claiming they are updated using TLS-SNI-01.

I’ve now had a chance to go to reconfigure these certs but when I went to do so, there was no mention of sni in the renewal files. Also when I run certbot renew --dry-run, everything works and is being authenticated via http-01.

Even though I am sure I’ve not made any changes, am I likely to be OK when SNI-01 is disabled?


#2

Assuming that your Certbot is version 0.28 or higher when you do the --dry-run, then yes, you are fine.

certbot --version

#3

Yeah, I’m on 0.28.

Thanks for the reassurance.


#4

There is still a slim chance that your renewal.conf file is forcing TLS-SNI-01.
In such cases it may still fail the automatic renewal even though it can use HTTP-01.

For this first go 'round, I would keep an eye on your cert expiration dates with:
certbot certificates
[if all works as expected, you should not see them go with less than 30 days left]
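
The renewal-file check raised in post #4, as an added example that is not part of the original thread: it lists the lineages whose renewal config still names tls-sni-01 as a preferred challenge. It assumes Certbot's default directory /etc/letsencrypt/renewal and that the preference is stored as `pref_challs` under `[renewalparams]`; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find Certbot lineages that still pin tls-sni-01.
# Assumptions: default renewal dir, and the "pref_challs" key under [renewalparams].

# Print the lineage name of every renewal config whose pref_challs lists tls-sni-01.
find_tls_sni_lineages() {
    dir="${1:-/etc/letsencrypt/renewal}"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        if awk '
            # Track whether we are inside the [renewalparams] section.
            /^[ \t]*\[/ { in_params = ($0 ~ /^[ \t]*\[renewalparams\]/); next }
            # Commented-out lines start with "#" and never match this pattern.
            in_params && /^[ \t]*pref_challs[ \t]*=/ {
                sub(/^[^=]*=/, "")
                n = split($0, parts, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/[ \t]/, "", parts[i])
                    if (tolower(parts[i]) == "tls-sni-01") found = 1
                }
            }
            END { exit (found ? 0 : 1) }
        ' "$conf"; then
            basename "$conf" .conf
        fi
    done
}

# Build a throwaway directory of constructed renewal files for trying the check.
make_constructed_samples() {
    d=$(mktemp -d)
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        'pref_challs = http-01,' > "$d/http.example.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = apache' \
        'pref_challs = tls-sni-01,' > "$d/old.example.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = nginx' \
        'pref_challs = http-01, TLS-SNI-01' > "$d/mixed.example.conf"
    # A commented-out preference must not be reported.
    printf '%s\n' '[renewalparams]' '# pref_challs = tls-sni-01,' \
        'authenticator = nginx' > "$d/commented.example.conf"
    echo "$d"
}

# Usage (as root, against the real directory): find_tls_sni_lineages
```

No output means no renewal file names tls-sni-01 in `pref_challs`; any lineage it does print is one to watch with `certbot certificates` as suggested above.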