How to change preferred challenge for renewals?


Further to a comment made in another thread:

“your client is still using the tls-sni-01 challenge type … This has been deprecated for all new issuance, but is still enabled for renewals. At some point in the future, that will no longer be the case”

This seems a little worrying to me, so I have a couple of questions:

  1. How do I know if my current certificates are being renewed using tls-sni-01?

  2. I have been using certbot 0.26.1 (under Ubuntu 16.04) and creating certificates with:

sudo certbot --apache -d

How do I ensure that certbot uses another challenge method by default for future automatic renewals of my domains (from what I can tell, http should be OK for me as I’m using the Apache plugin)?



Hi @gilgongo

there is a logfile


There you can find the challenge type used.

there is a --preferred-challenges http - option. Certificates with new sets of domain names are created with http-01 (new default challenge).

To change the challenge type of your older domains: Renew these one time manual or add --preferred-challenges http to your cron job, use that 3 months, then all certificates should be renewed.


Thanks - I’ve set my cron job to run as:

certbot -q renew --preferred-challenges http


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.