How to set preferred-challenge in renewal conf

bitinn · December 11, 2018, 8:31am

So I have a problem where my site is now behind Cloudflare and hence could not renew using tls-sni-01 challenge, fair, I should use http-01 instead.

Problem is, I don’t know how to set it up properly in renewal config.

authenticator = nginx
installer = nginx

is my current setup, it works without Cloudflare.

And I have ran both of these commands successfully when behind Cloudflare:

sudo certbot renew --dry-run --webroot --webroot-path /path/to/server/root
sudo certbot renew --dry-run --preferred-challenge http-01

TL;DR; Questions

Should I use webroot for authenticator instead?
Can I keep nginx authenticator but enable preferred-challenge in renewal conf?

(Note that I was using preferred-challenge, not preferred-challenges, don’t know if it’s a legacy flag, but it works…)

(I edited the title to better reflect my question)

_az · December 11, 2018, 8:38am

If authenticator = nginx works, that’s great. It supports the http-01 challenge.

I think webroot is usually combined with certonly/installer = none, so that Certbot can run without modifying your nginx configuration.

But if you’re using the nginx installer, you may as well use the authenticator as well.

bitinn · December 11, 2018, 8:41am

To be clear, my problem is:

sudo certbot renew --dry-run doesn't work, as it default to tls-sni-01
sudo certbot renew --dry-run --webroot --webroot-path /path/to/server/root works, but it uses webroot, which is not what I want.
sudo certbot renew --dry-run --preferred-challenge http-01 works, but I don't know how to set it up in renewal conf.

I don't want to modify the cron job itself, there must be a way to set a preferred challenge in conf?

_az · December 11, 2018, 8:48am

Somewhat unintuitively, the key name is pref_challs. I tried it out in Certbot 0.29 and it's still working in /etc/letsencrypt/renewal/*.conf.

github.com/certbot/certbot

Preserve preferred-challenges on renewal

certbot:master ← certbot:pref-challs

opened 01:59AM - 25 Jan 17 UTC

bmw

+110 -32

Fixes #4105. I changed how we represented `--preferred-challenges` internally… to stop it being stored in a configuration file like: ``` pref_challs = <class 'acme.challenges.HTTP01'> ``` Alternatively, I could have written some kind of export function, but I think changing the internal value is easier and less error prone. As off writing this, no third party plugin uses the value (which isn't surprising since we don't make it clear they can). The same value now looks like: ``` pref_challs = http-01, ```

bitinn · December 11, 2018, 8:53am

Thx, confirm that it works

rg305 · December 11, 2018, 9:10am

I believe if this works, it will automatically update the renewal conf files:
sudo certbot renew --preferred-challenge http-01

bitinn · December 11, 2018, 4:41pm

Here is the thing, you might be right, because after running this line my next attempt to

sudo certbot renew --dry-run did work.

BUT the renewal conf wasn't updated, I don't know what was changed, but something has been changed for sure. Even though the output still contains a line like:

tls-sni-01 challenge for mydomain.com

The dry-run passed, which is not possible because tls-sni-01 challenge would fail when you are behind Cloudflare.

So there is a possible issue here:

Somehow --preferred-challenge http-01 did change some config in certbot, but certbot still report the http-01 challenge incorrectly as tls-sni-01

Either way, I decide it's for the best I just change renewal conf manually and add pref_challs = http-01 for my own sanity.

Thx all.

mnordhoff · December 11, 2018, 5:45pm

An authorization can be reused for a certain amount of time -- in other words, validations are cached.

(They're attached to your ACME server account, and the production environment and staging environment have separate databases.)

However, Certbot doesn't know that. Even if it gets back an older, valid authorization, it goes through the motions of validating it again. Certbot will configure the challenge and its output will be normal, but Let's Encrypt won't actually try to validate it again.

I think what happened is:

That created valid authorizations for all applicable hostnames, using HTTP-01.

Then you did:

It probably reused all of the valid authorizations from before. Certbot set up a TLS-SNI-01 challenge, but Let's Encrypt probably never actually tried to access it.

You can confirm it by carefully examining the voluminous logs in /var/log/letsencrypt/.

"sudo certbot renew --preferred-challenge http-01" should update the renewal configuration files for any certificates that were renewed, but "sudo certbot renew --dry-run --preferred-challenge http-01" wouldn't.

schoen · December 12, 2018, 1:11am

That’s correct; --dry-run is never meant to modify your configuration, only to see whether your existing (or proposed) configuration works properly.

Without --dry-run, Certbot can save the renewal parameters you specified into your renewal configuration file if the certificate issuance succeeds.

system · January 11, 2019, 1:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.