Is there a way to determine the challenge of a certificate?


I ran this command:

certbot certificates

It produced this output:

  Certificate Name:
    Expiry Date: 2019-03-13 15:23:31+00:00 (VALID: 46 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot --version
certbot 0.28.0

Yet that output doesn’t tell me the certificate challenge. I’ve received emails saying that I needed to renew to get rid of the old challenge certificate (TLS-SNI-01) before Feb 13th. How can I check which challenge my certificates are using?


Easiest way is to do a dry-run and observe what challenge it reports using:

certbot renew --dry-run

If it’s not tls-sni-01, you’re probably good.


LE logs can show if the last renewal was done using TLS.
They can be misleading if they show HTTP but were covered with a recently successful TLS authentication. (can be cached for 30 days)
So, you may need to test to be “sure”.
You can start with simulating a renewal today with “–dry-run”.

46 days should be plenty of time to figure out what (if anything) will break and get it fixed or implement an acceptable workaround or change in the automation process.

The most difficult obstacle would be not being able to serve port 80 request for reasons that are out of your control (like: ISP blocking port 80).
But that doesn’t seem to be your case:
–2019-01-26 08:47:58--
Resolving (…
Connecting to (||:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: [following]


Oh wow! _az, you’re right, it’s there! I ran that command but did not notice as I did not expect the info there.

Now, I see “http-01” for all of my domains. Strange since at least a couple were reported as using “TLS-SNI-01”, but even the two reported as such are reporting “http-01” in the output of renew… Could it be that the server was a bit out of date on what my certificate is using and the thus email I received was a fad?


Yeah, I use DigitalOcean so I’m good with my ports (80 and 443). Well, once in a while I have an invalid setup, but none I couldn’t resolve.


Certbot’s apache, nginx and standalone plugins support both HTTP and TLS-SNI validation. When the ACME server offers both, older versions of Certbot preferred TLS-SNI; since 0.28.0, it prefers HTTP. Plus Let’s Encrypt has disabled TLS-SNI entirely on the staging environment, so certbot renew --dry-run will never use it. Certbot probably did use TLS-SNI last time you renewed your certificates. The important thing is that it can and will use HTTP going forward.

closed #7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.