Nginx certbot switch back to tls-sni-01


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot certonly --rsa-key-size 2048 --nginx --non-interactive -d --agree-tos --webroot-path /usr/share/nginx/html --email

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (tls-sni-01): urn:ietf:params:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure


  • The following errors were reported by the server:

    Type: tls
    Detail: remote error: tls: handshake failure

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    you have an up-to-date TLS configuration that allows the server to
    communicate with the Certbot client.

My web server is (include version):
nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu server 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I have used certbot for several months now. I am aware that certbot-nginx can only use http-01 to obtain a cert, and this is the default challenge. I used the above command to obtain the cert several months ago. And now it is close to expiring, but when I renew it I get the error. The log shows that it is using the tls-sni-01 challenge despite the fact that I obtained the cert using http-01. I think that several months ago http-01 was the default challenge type for nginx, and now it is tls-sni-01. It seems to be a regression to me; my certbot version is 0.26.1.

Also, I think we need a Bug-report topic category, because my topic is a potential bug report.
Thanks in advance!


You can force it to switch to http-01 by adding the --preferred-challenges http-01 option to the certbot command. Once it’s successfully obtained a certificate, that preference will be remembered and used again automatically next time that certificate is renewed.

That will soon be true, but it isn’t yet. Certbot’s nginx plugin still supports the tls-sni-01 challenge as well, for now, as does Let’s Encrypt under certain circumstances. In particular, renewals from the same account are allowed to use tls-sni-01, and Certbot still seems to prefer that challenge in that case (if the user hasn’t specified a preference).

Of course everyone should switch to http-01 or another challenge as soon as possible. Presumably when Let’s Encrypt disables the challenge in February, Certbot’s nginx plugin will switch automatically. However that doesn’t help you right now, since your tls-sni-01 is not working for some other reason. So you can switch manually instead.

You can report Certbot bugs at


Thanks @jmorahan, that solves all of my questions. I thought that the renewing method would be the same as the obtaining method. I’ll always add the --preferred-challenges option next time (might be until tls-alpn becomes the default).
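
The reply above notes that a --preferred-challenges choice is remembered for later renewals. The script below is an added example, not part of the thread and not Certbot's own code, that audits which lineages have http-01 stored. It assumes renewal configs live in /etc/letsencrypt/renewal/*.conf and keep the preference as `pref_challs` under `[renewalparams]`; the sample configs and lineage names are constructed.

```shell
#!/bin/sh
# Added example (not Certbot's own code). Assumptions: lineage configs live in
# /etc/letsencrypt/renewal/*.conf and the remembered challenge preference is the
# "pref_challs" key in their [renewalparams] section.

# Print "<lineage>: <status>" for each renewal config in directory $1.
audit_pref_challs() {
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        # Read pref_challs from the [renewalparams] section only.
        prefs=$(awk -F= '
            /^\[/ { in_params = ($0 ~ /^\[renewalparams\]/); next }
            in_params && $1 ~ /^[ \t]*pref_challs[ \t]*$/ {
                gsub(/[ \t]/, "", $2); print $2; exit
            }' "$conf")
        case ",$prefs," in
            ",,")           status="UNSET, Certbot picks the challenge" ;;
            *,tls-sni-01,*) status="tls-sni-01 listed, switch to http-01" ;;
            *,http-01,*)    status="OK, http-01 remembered" ;;
            *)              status="other preference: $prefs" ;;
        esac
        printf '%s: %s\n' "$name" "$status"
    done
}

# Constructed sample configs (hypothetical lineages) so the audit runs offline.
make_samples() {
    d=$(mktemp -d)
    printf 'version = 0.26.1\n[renewalparams]\nauthenticator = nginx\ninstaller = nginx\n' > "$d/unset.example.conf"
    printf '[renewalparams]\nauthenticator = nginx\npref_challs = http-01,\n' > "$d/pinned.example.conf"
    printf '[renewalparams]\npref_challs = tls-sni-01, http-01\n' > "$d/legacy.example.conf"
    echo "$d"
}

samples=$(make_samples)
audit_pref_challs "$samples"
rm -rf "$samples"
```

On a real host, call `audit_pref_challs` with no argument (as root) to scan the default directory; any lineage reported as UNSET is one where the renewal will use whatever challenge Certbot selects.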