How to set preferred-challenge in renewal conf


So I have a problem where my site is now behind Cloudflare and hence could not renew using tls-sni-01 challenge, fair, I should use http-01 instead.

Problem is, I don’t know how to set it up properly in renewal config.

authenticator = nginx
installer = nginx

is my current setup, it works without Cloudflare.

And I have ran both of these commands successfully when behind Cloudflare:

sudo certbot renew --dry-run --webroot --webroot-path /path/to/server/root
sudo certbot renew --dry-run --preferred-challenge http-01

TL;DR; Questions

  • Should I use webroot for authenticator instead?
  • Can I keep nginx authenticator but enable preferred-challenge in renewal conf?

(Note that I was using preferred-challenge, not preferred-challenges, don’t know if it’s a legacy flag, but it works…)

(I edited the title to better reflect my question)


If authenticator = nginx works, that’s great. It supports the http-01 challenge.

I think webroot is usually combined with certonly/installer = none, so that Certbot can run without modifying your nginx configuration.

But if you’re using the nginx installer, you may as well use the authenticator as well.


To be clear, my problem is:

  • sudo certbot renew --dry-run doesn’t work, as it default to tls-sni-01
  • sudo certbot renew --dry-run --webroot --webroot-path /path/to/server/root works, but it uses webroot, which is not what I want.
  • sudo certbot renew --dry-run --preferred-challenge http-01 works, but I don’t know how to set it up in renewal conf.

I don’t want to modify the cron job itself, there must be a way to set a preferred challenge in conf?


Somewhat unintuitively, the key name is pref_challs. I tried it out in Certbot 0.29 and it’s still working in /etc/letsencrypt/renewal/*.conf.


Thx, confirm that it works


I believe if this works, it will automatically update the renewal conf files:
sudo certbot renew --preferred-challenge http-01


Here is the thing, you might be right, because after running this line my next attempt to

sudo certbot renew --dry-run did work.

BUT the renewal conf wasn’t updated, I don’t know what was changed, but something has been changed for sure. Even though the output still contains a line like:

tls-sni-01 challenge for

The dry-run passed, which is not possible because tls-sni-01 challenge would fail when you are behind Cloudflare.

So there is a possible issue here:

  • Somehow --preferred-challenge http-01 did change some config in certbot, but certbot still report the http-01 challenge incorrectly as tls-sni-01

Either way, I decide it’s for the best I just change renewal conf manually and add pref_challs = http-01 for my own sanity.

Thx all.


An authorization can be reused for a certain amount of time – in other words, validations are cached.

(They’re attached to your ACME server account, and the production environment and staging environment have separate databases.)

However, Certbot doesn’t know that. Even if it gets back an older, valid authorization, it goes through the motions of validating it again. Certbot will configure the challenge and its output will be normal, but Let’s Encrypt won’t actually try to validate it again.

I think what happened is:

That created valid authorizations for all applicable hostnames, using HTTP-01.

Then you did:

It probably reused all of the valid authorizations from before. Certbot set up a TLS-SNI-01 challenge, but Let’s Encrypt probably never actually tried to access it.

You can confirm it by carefully examining the voluminous logs in /var/log/letsencrypt/.

sudo certbot renew --preferred-challenge http-01” should update the renewal configuration files for any certificates that were renewed, but “sudo certbot renew --dry-run --preferred-challenge http-01” wouldn’t.


That’s correct; --dry-run is never meant to modify your configuration, only to see whether your existing (or proposed) configuration works properly.

Without --dry-run, Certbot can save the renewal parameters you specified into your renewal configuration file if the certificate issuance succeeds.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.