The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot --version
certbot 0.28.0
Yet that output doesn’t tell me the certificate challenge. I’ve received emails saying that I needed to renew to get rid of the old challenge certificate (TLS-SNI-01) before Feb 13th. How can I check which challenge my certificates are using?
LE logs can show if the last renewal was done using TLS.
They can be misleading if they show HTTP but were covered with a recently successful TLS authentication. (can be cached for 30 days)
So, you may need to test to be “sure”.
You can start with simulating a renewal today with “--dry-run”.
46 days should be plenty of time to figure out what (if anything) will break and get it fixed or implement an acceptable workaround or change in the automation process.
Oh wow! _az, you’re right, it’s there! I ran that command but did not notice as I did not expect the info there.
Now, I see “http-01” for all of my domains. Strange since at least a couple were reported as using “TLS-SNI-01”, but even the two reported as such are reporting “http-01” in the output of renew… Could it be that the server was a bit out of date on what my certificate is using and thus the email I received was a fad?
Certbot's apache, nginx and standalone plugins support both HTTP and TLS-SNI validation. When the ACME server offers both, older versions of Certbot preferred TLS-SNI; since 0.28.0, it prefers HTTP. Plus Let's Encrypt has disabled TLS-SNI entirely on the staging environment, so certbot renew --dry-run will never use it. Certbot probably did use TLS-SNI last time you renewed your certificates. The important thing is that it can and will use HTTP going forward.
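As an added example (not from this thread or from the Certbot project), the check the replies describe, scripted: scan a Certbot log for the "<type> challenge for <domain>" lines it writes when performing challenges, report the most recent challenge type per domain, and flag any still on tls-sni-01. The log below is constructed for the demo; because a recent authorization can be cached and skipped, a `certbot renew --dry-run` against staging remains the authoritative test.

```shell
#!/bin/sh
# Constructed sample of certbot's auth_handler log lines (not a real log).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2018-11-20 03:12:01,114:INFO:certbot.auth_handler:Performing the following challenges:
2018-11-20 03:12:01,115:INFO:certbot.auth_handler:tls-sni-01 challenge for example.com
2018-11-20 03:12:01,115:INFO:certbot.auth_handler:tls-sni-01 challenge for www.example.com
2018-12-28 03:12:09,220:INFO:certbot.auth_handler:Performing the following challenges:
2018-12-28 03:12:09,221:INFO:certbot.auth_handler:http-01 challenge for example.com
2018-12-28 03:12:09,221:INFO:certbot.auth_handler:http-01 challenge for www.example.com
2018-12-28 03:12:09,221:INFO:certbot.auth_handler:tls-sni-01 challenge for legacy.example.net
EOF

# Print "<domain> <challenge>" for the last challenge seen per domain.
# Assumes log order is chronological (true for a single letsencrypt.log file).
last_challenge_per_domain() {
  sed -n 's/.*:\([a-z0-9-]*-01\) challenge for \([^ ]*\)$/\2 \1/p' "$1" \
    | awk '{ last[$1] = $2 } END { for (d in last) print d, last[d] }' \
    | sort
}

# Succeeds (exit 0) only if no domain's most recent validation was tls-sni-01,
# so the function can gate a renewal automation step.
no_tls_sni_remaining() {
  ! last_challenge_per_domain "$1" | grep -q ' tls-sni-01$'
}

last_challenge_per_domain "$SAMPLE_LOG"
if no_tls_sni_remaining "$SAMPLE_LOG"; then
  echo "OK: no domain last validated with tls-sni-01"
else
  echo "WARNING: domains still validated with tls-sni-01:"
  last_challenge_per_domain "$SAMPLE_LOG" | grep ' tls-sni-01$'
fi
```

On a real host point the functions at /var/log/letsencrypt/letsencrypt.log (or the rotated copies) instead of the sample file.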