Existing certs from TLS-SNI-01 to HTTP-01: done manually or automatically?


#1

My question is about renewal. Since we have to move away from tls-sni-01 we want to use http-01.
In the changelog of the certbot client it says:

I thought this meant that all my existing certs would be renewed with the new default method, http-01. But it does not! In my logs (/var/logs/letsencrypt) I see that version 0.21.1 is renewing with the old method, tls-sni-01, with which it was creating the certificates in the first place.

Will all existing certs be renewed automatically with the http-01 method? With (perhaps a newer version of) certbot upon the renewal cronjob?


#2

The tls-sni-01 method is still available in some special cases, one of which is renewals from the same account. Certbot 0.21 will automatically switch to http-01 in other cases. If you want to explicitly choose http-01 you can use the --preferred-challenges option.


#3

Thank you jmorahan for your reply,

If I understand correctly this --preferred-challenges option could be added to the cronjob line. Can this also be set in the .ini settings file?

I know the tls-sni-01 method is e.g. available for existing certs that were created with this method, for a to-be-determined period of time. And there is a whitelist of clients that can use this method for as long as they are on that list. But how about the majority of clients that will not be able to use the sni method in the future: will the certbot app perhaps fall back and try at least the http-01 method?


#4

Yes, and I believe it can also be set in the individual renewal configuration files for each certificate.

Yes, from version 0.21.0 it should already be doing this.


#5

Okay thanks, I will try the preferred method options!

And you're right that the new version is using the http-01 method as default. For creation, not for renewal. Can you confirm this?


#6

Yes, I believe the exception allows you to re-validate a domain that you previously validated using the same account, so that wouldn't apply to a totally new certificate.

The CA tells the client (certbot) which challenges it’s willing to accept for each domain, and the client chooses one it can support from that list. So it falls back to http-01 when the CA doesn’t give tls-sni-01 as an option.
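The selection rule this reply describes, as an added illustration that is not certbot's own code: the CA's authorization object lists the challenge types it will accept, and the client takes the first one it supports, with an explicit preference list (the role of --preferred-challenges) consulted first. The authorization objects and URLs below are constructed samples, not real CA responses.

```python
import json

# Constructed ACME authorization for a brand-new name: the CA offers only
# http-01 and dns-01, i.e. tls-sni-01 is no longer on the menu.
AUTHZ_NEW = json.dumps({
    "identifier": {"type": "dns", "value": "example.com"},
    "status": "pending",
    "challenges": [
        {"type": "http-01", "url": "https://acme.example/chall/1", "token": "tok1"},
        {"type": "dns-01", "url": "https://acme.example/chall/2", "token": "tok2"},
    ],
})

# Constructed authorization for a same-account renewal: the CA still lists
# tls-sni-01 alongside the others (the exception discussed in the thread).
AUTHZ_RENEWAL = json.dumps({
    "identifier": {"type": "dns", "value": "example.com"},
    "status": "pending",
    "challenges": [
        {"type": "tls-sni-01", "url": "https://acme.example/chall/3", "token": "tok3"},
        {"type": "http-01", "url": "https://acme.example/chall/4", "token": "tok4"},
    ],
})

# Challenge types this (hypothetical) client knows how to answer, in the order
# it tries them when the user expresses no preference.
SUPPORTED = ("tls-sni-01", "http-01", "dns-01")


def select_challenge(authz_json, preferred=(), supported=SUPPORTED):
    """Return the challenge dict the client should answer.

    Walks the user's preferred types first, then the client's default order,
    and picks the first type that is both supported and offered by the CA.
    Raises ValueError if the CA offered nothing this client can do.
    """
    authz = json.loads(authz_json)
    offered = {c["type"]: c for c in authz.get("challenges", [])}
    order = list(preferred) + [t for t in supported if t not in preferred]
    for ctype in order:
        if ctype in supported and ctype in offered:
            return offered[ctype]
    raise ValueError("CA offered no supported challenge: %s" % sorted(offered))
```

With no preference the renewal authorization still yields tls-sni-01, which is exactly the log behaviour the question describes; passing preferred=("http-01",) is what moves the renewal to http-01, and for the new-name authorization the fallback to http-01 happens on its own.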


#7

That last sentence of yours is the information I was searching for, thank you very much!!

Is this info written down somewhere in human-readable (English) documentation? Or do you know this because you know the programming code... or?


#8

I personally know it from reading certbot's logs :) I don't know if it's explicitly documented anywhere other than the ACME spec though.


#9

You helped me out :) !