The Certbot team (especially @bmw @erica and @joohoi) have been doing amazing work modifying both the Apache and Nginx plugins to add support for HTTP-01 challenge types. That should fully resolve the ongoing TLS-SNI-01 problems for most Certbot users of these plugins. Our plan is to release those updates next week. In the meantime, we would love your help testing this new code. It’s in git master, so you can test it by running the development version of Certbot:
```shell
git clone https://github.com/certbot/certbot
cd certbot
sudo ./certbot-auto --os-packages-only
export VENV_ARGS="--python $(command -v python2 || command -v python2.7)"
tools/_venv_common.sh -e acme -e . -e certbot-apache -e certbot-nginx
```
After running those commands, the version of the `certbot` command you cloned from git is available at `venv/bin/certbot`. Please let us know if the commands `sudo venv/bin/certbot --nginx --preferred-challenges http` and/or `sudo venv/bin/certbot --apache --preferred-challenges http` are working for you as expected.
Known issues with these changes as of 2018-01-11:
- the Apache plugin may not succeed in using HTTP-01 Challenges on virtual hosts that redirect to a different webserver
- the Apache plugin may not succeed in using HTTP-01 Challenges on webservers that proxy-pass the
- the Nginx plugin may not succeed in using HTTP-01 if your nginx webserver does not have a server block on port 80 containing a `server_name` directive matching the domain you requested a cert for
- the Nginx plugin may be unreliable when using HTTP-01 if you have an IPv6 (AAAA) DNS record, but your server is only listening over IPv4.
At present, the Apache and Nginx plugins will only use HTTP-01 against the production Let’s Encrypt server. But when the LE servers re-enable TLS-SNI-01 for renewal only, the plugins will prefer TLS-SNI-01 in cases where the server allows it.
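As an added illustration (not from the original post or the Certbot project), here is a constructed nginx layout that runs into the two Nginx known issues above, followed by a layout that avoids them; `example.com` and the listen addresses are assumed placeholders.

```nginx
# Constructed "before" layout that trips the known issues above: the only
# server block for example.com is on port 443, so there is no port-80 server
# block with a matching server_name for the plugin's HTTP-01 challenge.
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    # ... ssl_certificate / ssl_certificate_key and site config ...
}

# Corrected layout: a plain-HTTP server block on port 80 whose server_name
# matches the requested domain. Because the (assumed) DNS for example.com
# also has an AAAA record, the block listens on IPv6 as well, so the
# validation request cannot land on an address nothing is listening on.
# The certbot nginx plugin handles the challenge response itself; this
# block only needs to exist and match. Redirecting everything else to
# HTTPS is a common site policy and is optional.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    # ... ssl_certificate / ssl_certificate_key and site config ...
}
```

Run `nginx -t` after editing and confirm with `ss -ltn` (or `netstat -ltn`) that nginx is listening on port 80 for both address families you publish in DNS before trying the `--nginx --preferred-challenges http` command.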