Is there a way to determine the challenge of a certificate?


#1

I ran this command:

certbot certificates

It produced this output:

  Certificate Name: turnwatcher.com
    Domains: turnwatcher.com
    Expiry Date: 2019-03-13 15:23:31+00:00 (VALID: 46 days)
    Certificate Path: /etc/letsencrypt/live/turnwatcher.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/turnwatcher.com/privkey.pem

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot --version
certbot 0.28.0

Yet that output doesn’t tell me the certificate challenge. I’ve received emails saying that I needed to renew to get rid of the old challenge certificate (TLS-SNI-01) before Feb 13th. How can I check which challenge my certificates are using?


#2

Easiest way is to do a dry-run and observe what challenge it reports using:

certbot renew --dry-run

If it’s not tls-sni-01, you’re probably good.


#3

LE logs can show if the last renewal was done using TLS.
They can be misleading if they show HTTP but were covered with a recently successful TLS authentication. (can be cached for 30 days)
So, you may need to test to be “sure”.
You can start with simulating a renewal today with “--dry-run”.

46 days should be plenty of time to figure out what (if anything) will break and get it fixed or implement an acceptable workaround or change in the automation process.

The most difficult obstacle would be not being able to serve port 80 requests for reasons that are out of your control (like: ISP blocking port 80).
But that doesn’t seem to be your case:
wget http://turnwatcher.com/
--2019-01-26 08:47:58-- http://turnwatcher.com/
Resolving turnwatcher.com (turnwatcher.com)… 138.197.205.139
Connecting to turnwatcher.com (turnwatcher.com)|138.197.205.139|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://www.turnwatcher.com/ [following]
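To follow the log-checking route suggested above without reading the whole file by hand, here is a small added example (not from the thread or from Certbot itself). It assumes Certbot's letsencrypt.log records each validation as a line shaped like "TIMESTAMP:INFO:certbot.auth_handler:http-01 challenge for DOMAIN"; the sample log excerpt embedded below is constructed for illustration.

```python
import re

# Constructed sample in the assumed shape of Certbot's letsencrypt.log
# (illustrative only, not taken from any real machine).
SAMPLE_LOG = """\
2018-12-13 15:23:10,101:INFO:certbot.auth_handler:Performing the following challenges:
2018-12-13 15:23:10,102:INFO:certbot.auth_handler:tls-sni-01 challenge for turnwatcher.com
2018-12-13 15:23:10,103:INFO:certbot.auth_handler:tls-sni-01 challenge for www.turnwatcher.com
2019-01-26 09:01:44,500:INFO:certbot.auth_handler:Performing the following challenges:
2019-01-26 09:01:44,501:INFO:certbot.auth_handler:http-01 challenge for turnwatcher.com
2019-01-26 09:01:44,502:INFO:certbot.auth_handler:http-01 challenge for www.turnwatcher.com
2019-01-26 09:05:02,000:INFO:certbot.auth_handler:Performing the following challenges:
2019-01-26 09:05:02,001:INFO:certbot.auth_handler:dns-01 challenge for example.net
"""

# TLS-SNI-01 is the challenge type being retired in the thread.
DEPRECATED = {"tls-sni-01"}

# Assumed log line layout: "YYYY-MM-DD HH:MM:SS,ms:LEVEL:logger:<type> challenge for <domain>"
CHALLENGE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:\w+:\S+:(\S+) challenge for (\S+)$"
)


def latest_challenges(log_text):
    """Map each domain to (timestamp, challenge) of the newest validation seen.

    The log is chronological, so a later line for the same domain overwrites
    the earlier one and the dict ends up holding the most recent run.
    """
    latest = {}
    for line in log_text.splitlines():
        match = CHALLENGE_RE.match(line)
        if match:
            timestamp, challenge, domain = match.groups()
            latest[domain] = (timestamp, challenge.lower())
    return latest


def deprecated_domains(latest):
    """Domains whose most recent validation used a retired challenge type."""
    return sorted(d for d, (_, c) in latest.items() if c in DEPRECATED)


if __name__ == "__main__":
    found = latest_challenges(SAMPLE_LOG)
    for domain, (ts, challenge) in sorted(found.items()):
        print(f"{domain}: {challenge} (last seen {ts})")
    print("still on a retired challenge:", deprecated_domains(found) or "none")
```

On a real host, read the text from /var/log/letsencrypt/letsencrypt.log (and its rotated copies) instead of SAMPLE_LOG; as the post above notes, a clean dry run is still the only way to be sure the next renewal will succeed.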


#4

Oh wow! _az, you’re right, it’s there! I ran that command but did not notice as I did not expect the info there.

Now, I see “http-01” for all of my domains. Strange since at least a couple were reported as using “TLS-SNI-01”, but even the two reported as such are reporting “http-01” in the output of renew… Could it be that the server was a bit out of date on what my certificate is using and thus the email I received was a fad?


#5

Yeah, I use DigitalOcean so I’m good with my ports (80 and 443). Well, once in a while I have an invalid setup, but none I couldn’t resolve.


#6

Certbot’s apache, nginx and standalone plugins support both HTTP and TLS-SNI validation. When the ACME server offers both, older versions of Certbot preferred TLS-SNI; since 0.28.0, it prefers HTTP. Plus Let’s Encrypt has disabled TLS-SNI entirely on the staging environment, so certbot renew --dry-run will never use it. Certbot probably did use TLS-SNI last time you renewed your certificates. The important thing is that it can and will use HTTP going forward.