Can a certificate obtained via HTTP-01 challenge be changed to use DNS-01 challenge?

Here's the order:

I see the challenges have only a single http-01 challenge:

The cert was originally obtained via HTTP-01 and am curious if changing is "allowed".


1 Like

"changing" a cert is a bit of a humanism - "let me renew my cert".
Certs can't be changed in any way.
Any change requires a whole new cert.
But, yes, you can "change" the way you get your certs from HTTP to DNS.
But I don't see how you can change it "mid-flight".
You may need to start a new request.
You can modify the renewal parameters directly (not recommended).
Or you can adjust the command run with the required DNS type and such.
Once a cert has been obtained, the renewal method is saved/updated for the next renewal.

Hopefully that answers your question.
If not, feel free to just ask.

[most of what is written is for ALL readers benefit - not directed solely at you]
READERS: Get involved. Be heard. Do your part with: If you read something you like, then like it :heart:

1 Like

Sorry, maybe I should have been more clear. If I obtained a cert using HTTP-01 validation. Can I renew it using DNS-01 validation? This is the "change" I'm talking about here.

The second link above should show a DNS-01 challenge, right? It's only showing an HTTP-01 challenge type.

You should be able to "renew" any FQDN in any of the allowed methods.
Which ACME client are you using?
And what is the actual command line used?

READERS: Get involved and participate: If you read something you like, then click to like it :heart:

The application used is called Certera:
It uses the Certes ACME client under the covers:

No actual command line, per se, just different options when using the Certes client.
I'll dig into Certes to see if there are any known issues there.

The thing that's confusing is that it looks like the wrong challenge is being used, despite it working in other scenarios just fine.

They seem to use different variables/settings/calls.
var dnsChallenge = await authz.Dns();
var httpChallenge = await authz.Http();

and there may be CLI access as well:

[not a certes expert here - lol]

Ya, in the code, this is how it's done:
_acmeCertificate.IsDnsChallengeType() ? auth.Dns() : auth.Http()

It works great when things stay in their originally requested challenges. It's when it moves from one to another. Thanks for confirming. Just wanted to make sure it wasn't some strange restriction within ACME (I didn't think it would have been, just trying to rule it out to be 100% sure).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.