Dry-run cert renewal shows incorrect challenge

Hi all:

I set up Let’s Encrypt for the first time this weekend, and after a serious learning-curve, I’m up and running. The only thing that concerns me at this point is that when I do a renew --dry-run, it lists a challenge that is incompatible with my configuration (I need http-01 because of Cloudflare). Here’s a snippet of the output:


Processing /etc/letsencrypt/renewal/www.forums.domainname.com.conf

Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.forums.domainname.com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0024_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0024_csr-certbot.pem


Processing /etc/letsencrypt/renewal/domainname.com.conf

Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domainname.com
tls-sni-01 challenge for forums.domainname.com
tls-sni-01 challenge for www.forums.domainname.com
tls-sni-01 challenge for www.domainname.com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0025_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0025_csr-certbot.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/domainname.com-0001/fullchain.pem (success)
/etc/letsencrypt/live/www.domainname.com/fullchain.pem (success)
/etc/letsencrypt/live/forums.domainname.com/fullchain.pem (success)
/etc/letsencrypt/live/www.forums.domainname.com/fullchain.pem (success)
/etc/letsencrypt/live/domainname.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

http-01 shows just fine until the end, when tls-sni-01 is listed. Does that mean when the renewal takes place, it will revert back to tls-sni-01? How could I combat this?

Thanks for any and all help!

Rob

I don’t understand that statement.
challenge requests should be passed through whether HTTP or .

Have you looked at: How to get a Let's Encrypt certificate while using CloudFlare

Hi @Deathspawner,

This is showing that you have two different certificates obtained with Certbot, one of them called www.forums.domainname.com and defined by /etc/letsencrypt/renewal/www.forums.domainname.com.conf, and the other called domainname.com and defined by /etc/letsencrypt/renewal/domainname.com.conf. Although these certificates may have overlapping coverage, they have an independent existence and get renewed separately. The former uses HTTP-01 and the latter uses TLS-SNI-01.

You can find out more about these two certificates by running certbot certificates.

Unfortunately, that’s not correct. The TLS-SNI-01 method looks at properties of the TLS session itself, not the content of web pages. Therefore, it requires that the machine that actually terminates the TLS protocol be prepared to serve an appropriate certificate. CDN machines are not prepared to do this, so using TLS-SNI-01 challenges with a CDN will fail.

The difference between the two challenge methods is not just what port number they validate on, but actually what information they are looking for to satisfy the challenge. In HTTP-01, it’s about file contents returned by the web request; in TLS-SNI-01, it’s about the presence of a particular certificate.

So, there is indeed an important reason to prefer HTTP-01 challenges when behind a CDN.

That article suggests using --webroot, which always uses HTTP-01 challenges rather than TLS-SNI-01 challenges. That’s why the advice there will work properly in the presence of a CDN.

1 Like

Another interesting subtlety here is that the --dry-run method is actually connecting to your server to verify challenges. So if your TLS-SNI-01 challenges are passing in --dry-run, they should also be able to pass with the real server—which might imply that you’re not actually behind Cloudflare at the moment.

Thanks so much for the responses!

I can’t figure out how to quote a response; apologies:

@rg305 The reason I am using http-01 is per a Cloudflare guide:

I admit that I am the biggest noob in the world when it comes to SSL, and the fact that I got it working at all is nothing short of a miracle. I don’t think I landed on that specific guide you linked, but it does seem to be on par with the Cloudflare recommendation linked above.

@schoen I am a little concerned that my entire configuration is beyond ridiculous. I didn’t understand how things were working, so when I check the certificates, it looks like I have a ton of duplicates.

root@domainname:/home/domainname# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: domainname.com-0001
Domains: domainname.com
Expiry Date: 2017-09-30 01:19:00+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/domainname.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domainname.com-0001/privkey.pem
Certificate Name: www.domainname.com
Domains: www.domainname.com
Expiry Date: 2017-09-30 01:20:00+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.domainname.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.domainname.com/privkey.pem
Certificate Name: forums.domainname.com
Domains: forums.domainname.com
Expiry Date: 2017-09-30 01:19:00+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/forums.domainname.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/forums.domainname.com/privkey.pem
Certificate Name: www.forums.domainname.com
Domains: www.forums.domainname.com
Expiry Date: 2017-09-30 01:20:00+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.forums.domainname.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.forums.domainname.com/privkey.pem
Certificate Name: domainname.com
Domains: domainname.com forums.domainname.com www.forums.domainname.com www.domainname.com
Expiry Date: 2017-09-29 22:55:00+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/domainname.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domainname.com/privkey.pem

“which might imply that you’re not actually behind Cloudflare at the moment.”

If I use Qualys’ SSL Labs website to check the domain, it shows Cloudflare in the details, but based on CF’s wording, our setup implies that it’s our local certificates being used; not CF’s. I feel like I wish I could start entirely over at this point, because the configuration seems quite complex due to me not knowing what I was doing from the get-go.

Thanks for all of the feedback and help; much appreciated.

I’m not sure that CF can use your cert - they should not have your private key.
SSL Labs should show the IP used and the cert details.
Your servers’ IP and cert should be different - if you are behind CF.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.