How to change preferred challenge for renewals?

gilgongo · August 19, 2018, 10:36pm

Further to a comment made in another thread:

"your client is still using the tls-sni-01 challenge type ... This has been deprecated for all new issuance, but is still enabled for renewals. At some point in the future, that will no longer be the case"

This seems a little worrying to me, so I have a couple of questions:

How do I know if my current certificates are being renewed using tls-sni-01?
I have been using certbot 0.26.1 (under Ubuntu 16.04) and creating certificates with:

sudo certbot --apache -d www.domainname.com

How do I ensure that certbot uses another challenge method by default for future automatic renewals of my domains (from what I can tell, http should be OK for me as I'm using the Apache plugin)?

Thanks.

JuergenAuer · August 19, 2018, 10:49pm

Hi @gilgongo

there is a logfile

/var/log/letsencrypt/letsencrypt.log

There you can find the challenge type used.

there is a --preferred-challenges http - option. Certificates with new sets of domain names are created with http-01 (new default challenge).

To change the challenge type of your older domains: Renew these one time manual or add --preferred-challenges http to your cron job, use that 3 months, then all certificates should be renewed.

gilgongo · August 20, 2018, 6:32am

Thanks - I’ve set my cron job to run as:

certbot -q renew --preferred-challenges http

system · September 19, 2018, 6:32am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.