How to change preferred challenge for renewals?

Further to a comment made in another thread:

"your client is still using the tls-sni-01 challenge type ... This has been deprecated for all new issuance, but is still enabled for renewals. At some point in the future, that will no longer be the case"

This seems a little worrying to me, so I have a couple of questions:

  1. How do I know if my current certificates are being renewed using tls-sni-01?

  2. I have been using certbot 0.26.1 (under Ubuntu 16.04) and creating certificates with:

sudo certbot --apache -d

How do I ensure that certbot uses another challenge method by default for future automatic renewals of my domains (from what I can tell, http should be OK for me as I'm using the Apache plugin)?


Hi @gilgongo

there is a logfile


There you can find the challenge type used.

there is a --preferred-challenges http - option. Certificates with new sets of domain names are created with http-01 (new default challenge).

To change the challenge type of your older domains: Renew these one time manual or add --preferred-challenges http to your cron job, use that 3 months, then all certificates should be renewed.

Thanks - I’ve set my cron job to run as:

certbot -q renew --preferred-challenges http

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.