How does one determine, for absolute certain, which validation method they are using? Forgive how incapable I must sound in even asking this question. Perhaps others are in my boat. I have multiple reasons to believe I am using TLS-SNI-01, and multiple reasons to believe I am not.
I am using the old certbot version: letsencrypt 0.4.1 CLI, but with the webroot plugin, and my CLI commands always begin like this:
letsencrypt certonly --webroot
This causes our validation to happen through the special /.well-known/acme-challenge HTTP directory hosted inside our apache server… This is HTTP validation I believe? Perhaps SNI validation actually also happens over HTTP, and this is it?
Reasons why I think I might be using TLS-SNI-01, and thus require an upgrade:
- I received the initial email with subject "Action required: Let's Encrypt certificate renewals"
- This post seems to indicate that any certbot CLI older than 0.28 requires an upgrade
Reasons why I think I’m NOT using TLS-SNI-01, and thus don’t require an upgrade, and no longer need to jeopardize the timeline of the project I’m supposed to be working on:
- I received the second email with the subject "Action required: Let's Encrypt certificate renewals" which shows the domains, and it only contains a single hostname which my system never generated. None of the 15,000+ hostnames we created certs for are in this second email. I believe a colleague might have used our LE account at some point to make a one-time cert over TLS-SNI-01, which isn't something we need to support or worry about.
- Our system is still able to validate and receive certs over the LE Staging environment, which I understand TLS-SNI-01 is disabled in. Either we're whitelisted due to our large volume usage, which I have no way of determining, or we're not actually using TLS-SNI-01.
Thanks for the help guys. For us, this is quite a big deal, and I've always been highly appreciative not only of your existence in general, but of your friendly support over the last 2 years.
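One way to answer the question above from the machine itself rather than from the emails: certbot records the authenticator it used for each lineage in /etc/letsencrypt/renewal/<name>.conf, and the webroot authenticator only ever serves tokens from /.well-known/acme-challenge over plain HTTP, so it implies http-01. The script below is an added example, not certbot's own code; the two sample configs are constructed, and treating a lineage with neither webroot nor an explicit pref_challs as "unknown" (rather than guessing a plugin default, which changed between releases) is an assumption.

```python
"""Classify certbot renewal configs by the ACME challenge they imply."""
import configparser
import glob
import os
from pathlib import Path

# Constructed samples in the shape of /etc/letsencrypt/renewal/<name>.conf
# (real files also carry top-level keys such as version/cert before any section).
SAMPLE_WEBROOT = """\
version = 0.4.1
[renewalparams]
authenticator = webroot
installer = None
webroot_path = /var/www/html,
"""
SAMPLE_TLS_SNI = """\
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01,
"""

def challenge_type(conf_text: str) -> str:
    """Return 'http-01', 'tls-sni-01', another listed challenge, or 'unknown'."""
    cp = configparser.ConfigParser(interpolation=None)
    # certbot confs have keys before the first section; give them a home
    cp.read_string("[top]\n" + conf_text)
    params = cp["renewalparams"] if cp.has_section("renewalparams") else {}
    if params.get("authenticator", "").strip().lower() == "webroot":
        return "http-01"            # webroot answers over HTTP, never TLS-SNI
    prefs = [p.strip().lower()
             for p in params.get("pref_challs", "").split(",") if p.strip()]
    if "tls-sni-01" in prefs:
        return "tls-sni-01"         # lineage explicitly prefers the retired method
    return prefs[0] if prefs else "unknown"  # assumption: do not guess plugin defaults

def scan_renewal_dir(path: str = "/etc/letsencrypt/renewal") -> dict:
    """Map each lineage name under path to its implied challenge type."""
    return {os.path.basename(f)[:-len(".conf")]: challenge_type(Path(f).read_text())
            for f in sorted(glob.glob(os.path.join(path, "*.conf")))}

if __name__ == "__main__":
    print(challenge_type(SAMPLE_WEBROOT), challenge_type(SAMPLE_TLS_SNI))
    for name, kind in scan_renewal_dir().items():
        print(f"{name}: {kind}")
```

Any lineage reported as tls-sni-01 is the one to fix before renewal; everything reported as http-01 is unaffected by the TLS-SNI-01 retirement.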