Certbot-auto's --expand keeps trying to use TLS-01


I tried to add a domain to a certificate, and certbot-auto (v 0.23) keeps trying to use TLS-01 as the auth method with --expand.

I have been able to overcome this by specifying --preferred-challenge=http-01, but I’d like to know how/why this is happening, because something seems broken on my end.

The cert being expanded - and everything else - in /etc/letsencrypt/renewal shows pref_challs = http-01,. I can’t find any option/setting/config in /etc/letsencrypt or /opt/eff.org that notes TLS-01. (The expanding cert was updated twice with a HTTP-01 too). There are no environment vars that suggest TLS-01 either.


The Certbot Apache and nginx plugins prefer TLS-SNI-01 if the server offers it (which is only the case for renewals of certificates that were originally issued this way prior to the CA-side deprecation of this challenge method). This default could be seen as existing because the TLS-SNI-01 support in these plugins is much older than HTTP-01 support and we would typically consider it more reliable and better-tested. (That obviously doesn’t mean that it will work better than HTTP-01 in every case or in every configuration.)


This is happening in the standalone plugin. Should I open a ticket?


Oh, that’s interesting! That’s a different matter, then. :slight_smile:

Is the saved preference in your renewal configuration literally called pref_challs rather than preferred_challenges?


Yes, in all of the files in /etc/letsencrypt/renewal…

I just tried changing it to preferred_challenges because I thought “maybe this setting was missed in a migration?”. I may have manually edited the tls into http a while back, and didn’t look to see if pref_challs had been renamed too.

This is now weirder…

All the existing domains were validated with the tls-sni-01 challenge.
The new/expanded domains were validated with the http-01 challenge.


That’s because the CA sends a list of which challenges it will accept for each domain, and that list is different for renewals than for new issuances. Certbot plugins pick challenges according to their own preference order, but only from among those that the CA accepted.

Apparently pref_challs is the correct name in this context (though it’s visibly different from the form of the command line name). @bmw, do you think there could be a bug here about the use of the pref_challs variable during renewal?


The standalone plugin also prefers TLS-SNI over HTTP by default.

There was a bug with this that was fixed in Certbot 0.10.2, but assuming you’re using a more recent version than that, values should be preserved during renewal as long as you’re renewing your certificate with the renew subcommand. If you can reproduce this value not being preserved with certbot renew on a renewal configuration file you haven’t modified by hand, please open an issue at https://github.com/certbot/certbot.


ok. using v0.23. I’ll test a --renew on this later to see if this happens with that flag; I have monthly snapshots of “/etc/letsencrypt” archived.


renew isn’t a flag, but a subcommand like certonly.

I think the problem you’re hitting here is that when you run certbot certonly, certbot run, or just certbot without a subcommand (which is the same as certbot run), it doesn’t reuse the values from the renewal configuration file. Only certbot renew does that, but you can’t use --expand with that subcommand as it simply renews existing certs without modifying them.

If you want to use --expand with another subcommand to add names to the certificate, you need to add all values you want saved in the renewal configuration file to the command line.


That’s exactly it and it makes sense. I expected --expand to use the renewal preferences.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.