I've used Let's Encrypt for my domain, which was behind a firewall, so I used --preferred-challenges dns to validate the domain. Command:
certbot -d mysite.nl -d mysite.suffix.nl --manual --preferred-challenges dns certonly
The server has been relocated and is now accessible from the public internet. To ensure automatic renewal works as expected, I wish to set preferred-challenges to HTTP-01.
I deleted the cert with certbot --delete, waited for 3 days, and re-created the cert with:
certbot --nginx --preferred-challenges http certonly -d mysite.nl -d mysite.suffix.nl -v
Unfortunately Certbot fails on the first domain. I guess the preferred challenge type is somehow cached; see the -v debug payload:
...
Received response:
HTTP 200
Server: nginx
Date: Mon, 03 Feb 2020 15:12:16 GMT
Content-Type: application/json
Content-Length: 795
Connection: keep-alive
Boulder-Requester: 64374842
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102Y_7zUvaV_80imqneUGAKUGKAFASDAkY78Twpt5BcmcrwoA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "mysite.nl"
},
"status": "pending",
"expires": "2020-02-07T16:41:20Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2571911750/3WoMZA",
"token": "hgaABCc_GEXNQ0jwOXpGUFAKLJJFXFXi6Zj9b4jon-KQ"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2571911750/AOLM6Q",
"token": "hgaABCc_GEXNQ0jwOXpGUFAKLJJFXFXi6Zj9b4jon-KQ"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2571911750/7492Qw",
"token": "hgaABCc_GEXNQ0jwOXpGUFAKLJJFXFXi6Zj9b4jon-KQ"
}
]
}
Storing nonce: 0102Y_7zUvaV_80imqAGSDFSTF0VkY78Twpt5BcmcrwoA
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
How do I properly set the new http-01 challenge type?
Edit:
$ certbot --version
certbot 0.28.0
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
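The authorization object in the -v output above lists http-01, dns-01 and tls-alpn-01 as pending, so on the CA side HTTP-01 is on offer; the "Client with the currently selected authenticator does not support any combination of challenges" text is certbot's own client-side message, raised when it finds no challenge type that both the CA offered and the selected authenticator plugin supports. The Python below is an added example, not code from the question or from certbot: it models that selection step over the authorization JSON from the post, reports which side has no overlap, and then shows what an HTTP-01 responder has to publish (the well-known URL and the key authorization, per RFC 8555 section 8.3 and RFC 7638). The plugin capability table and the JWK are constructed assumptions for illustration, not certbot's real plugin registry or a real account key.

```python
import base64
import hashlib
import json

# Constructed sample: the pending authorization from the question's -v output,
# trimmed to the fields this example uses.
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "mysite.nl"},
    "status": "pending",
    "challenges": [
        {"type": "http-01", "status": "pending",
         "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2571911750/3WoMZA",
         "token": "hgaABCc_GEXNQ0jwOXpGUFAKLJJFXFXi6Zj9b4jon-KQ"},
        {"type": "dns-01", "status": "pending",
         "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2571911750/AOLM6Q",
         "token": "hgaABCc_GEXNQ0jwOXpGUFAKLJJFXFXi6Zj9b4jon-KQ"},
        {"type": "tls-alpn-01", "status": "pending",
         "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2571911750/7492Qw",
         "token": "hgaABCc_GEXNQ0jwOXpGUFAKLJJFXFXi6Zj9b4jon-KQ"},
    ],
}

# Assumed capability table for illustration only; certbot's real plugins declare
# their supported challenge types in code, and this dict is not that registry.
AUTHENTICATOR_CHALLENGES = {
    "manual": {"http-01", "dns-01"},
    "webroot": {"http-01"},
    "nginx": {"http-01"},
    "legacy-tls-sni-only": {"tls-sni-01"},  # hypothetical plugin speaking only a retired type
}

# Constructed dummy account key in JWK form. Not a real key; it only exists to
# show the thumbprint arithmetic.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus-constructed-for-the-example"}


def offered_types(authz):
    """Challenge types the CA is actually offering for this identifier."""
    return [c["type"] for c in authz["challenges"] if c["status"] == "pending"]


def select_challenge(authz, supported, preferred):
    """Return the first challenge, in preferred order, that the CA offers and the
    authenticator supports, or None when there is no overlap (certbot's failure case)."""
    offered = {c["type"]: c for c in authz["challenges"] if c["status"] == "pending"}
    for typ in preferred:
        if typ in offered and typ in supported:
            return offered[typ]
    return None


def diagnose(authz, supported, preferred):
    """Explain a non-match in terms of both sides, so it is visible whether the CA
    or the client plugin is the bottleneck."""
    offered = set(offered_types(authz))
    usable = [t for t in preferred if t in offered and t in supported]
    if usable:
        return "ok: will use %s" % usable[0]
    return ("no usable challenge: CA offers %s; authenticator supports %s; preferred order %s"
            % (sorted(offered), sorted(supported), list(preferred)))


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public
    members (keys in lexicographic order, no whitespace), base64url without padding."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def http01_expectation(challenge, domain, jwk):
    """Where the CA will fetch (plain HTTP, port 80) and the exact body it expects:
    token '.' thumbprint of the account key (RFC 8555 section 8.3)."""
    key_authorization = challenge["token"] + "." + jwk_thumbprint(jwk)
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, challenge["token"])
    return url, key_authorization


if __name__ == "__main__":
    for name, caps in AUTHENTICATOR_CHALLENGES.items():
        print("%-20s %s" % (name, diagnose(SAMPLE_AUTHZ, caps, ["http-01"])))
    chal = select_challenge(SAMPLE_AUTHZ, AUTHENTICATOR_CHALLENGES["nginx"], ["http-01"])
    url, body = http01_expectation(chal, SAMPLE_AUTHZ["identifier"]["value"], SAMPLE_JWK)
    print("serve", url)
    print("body ", body)
```

Run it with python3; the hypothetical tls-sni-only plugin is the one entry that reproduces the no-overlap case against this authorization, while any plugin that lists http-01 matches. The practical pre-flight the script points at: before re-running certbot, put a test file under /.well-known/acme-challenge/ on the site's webroot and confirm it is reachable from outside over plain HTTP on port 80 at the exact name in the certificate, since that is the URL shape the CA fetches.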