My question is about renewal. Since we have to move away from tls-sni-01 we want to use http-01.
In the changelog of the certbot client it says:
I thought this meant that all my existing certs would be renewed with the new default method: http-01. But it does not! In my logs (/var/logs/letsencrypt) I see that version 0.21.1 is renewing with the old method, tls-sni-01, that it used when creating the certificates in the first place.
Will all existing certs be renewed automatically with the http-01 method, with (perhaps a newer version of) certbot, upon the renewal cronjob?
The tls-sni-01 method is still available in some special cases, one of which is renewals from the same account. Certbot 0.21 will automatically switch to http-01 in other cases. If you want to explicitly choose http-01 you can use the --preferred-challenges option.
If I understand correctly, this --preferred-challenges option could be added to the cronjob line. Can this also be set in the .ini settings file?
I know the tls-sni-01 method is e.g. available for existing certs that were created with this method, for a to-be-determined period of time. And there is a whitelist of clients that can use this method for as long as they are on that list. But what about the majority of clients that will not be able to use the SNI method in the future: will the certbot app perhaps fall back and at least try the http-01 method?
Yes, I believe the exception allows you to re-validate a domain that you previously validated using the same account, so that wouldn't apply to a totally new certificate.
The CA tells the client (certbot) which challenges it’s willing to accept for each domain, and the client chooses one it can support from that list. So it falls back to http-01 when the CA doesn’t give tls-sni-01 as an option.
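As an added example (not part of this thread, and not certbot's own code), here are the two ways of pinning http-01 that the replies above point at: the `--preferred-challenges` flag on the cron line, and the same option in certbot's global config file, whose keys are the long option names without the leading dashes. The standard location of that file is /etc/letsencrypt/cli.ini; this script writes a constructed copy into a temporary directory so it runs offline without touching a real installation. The cron schedule and the `--quiet` flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes certbot's global
# config file lives at /etc/letsencrypt/cli.ini; a temp dir stands in for
# it here so nothing on the host is modified.

CONFIG_DIR="${CONFIG_DIR:-$(mktemp -d)}"

# Write a cli.ini that pins http-01 for every certbot run, including
# "certbot renew" from cron. cli.ini keys are long option names without "--".
write_cli_ini() {
    cat > "$CONFIG_DIR/cli.ini" <<'EOF'
# Global certbot options. Each key is a long command-line option.
# Prefer http-01 so renewals stop asking the CA for the deprecated tls-sni-01.
preferred-challenges = http-01
EOF
    printf '%s\n' "$CONFIG_DIR/cli.ini"
}

# Read back the effective preferred challenge from a cli.ini, skipping
# comment lines; the last occurrence wins, mirroring "last value set".
effective_challenge() {
    sed -n 's/^[[:space:]]*preferred-challenges[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Equivalent cron line (/etc/cron.d format, with a user field) if you would
# rather not edit cli.ini: a flag on the command line overrides the config file.
# The 03:00 schedule is an assumption.
renew_cron_line() {
    printf '%s\n' '0 3 * * * root certbot renew --preferred-challenges http-01 --quiet'
}

# Before touching the live crontab, rehearse against the staging CA:
#   certbot renew --dry-run --preferred-challenges http-01
```

Whichever form you choose, the client still only proposes http-01 from the set of challenges the CA offers for the domain; if the CA stops offering tls-sni-01 at all, the preference simply becomes the only option left.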