Renew certificate with a different address

While trying to renew an expired certificate, the ACME challenge fails since it's trying to access http://xxx.xxx.xxx instead of https://xxx.xxx.xxx

Actual output:

Attempting to renew cert from /etc/letsencrypt/renewal/xxx.xxx.xxx.conf produced an unexpected error: Failed authorization procedure. xxx.xxx.xxx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xxx.xxx.xxx/.well-known/acme-challenge/c_IvQsTpfBXTWqtmxz250UGK0kbkRsVEIVCYgpBsviY: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.

Is there a way I can specify this to use https instead of http for the challenge?

Using Debian 8 Jessie with nginx

--------EDIT------------------
I tried generating a new certificate using "--preferred-challenges tls-sni" but…:

None of the preferred challenges are supported by the selected plugin


Couldn’t find anything on the docs that specify a way to do the challenge with https…

Search in the documentation page for "Challenge types (and port)".

“None of the preferred challenges are supported by the selected plugin. Skipping” with certbot renew --preferred-challenges tls-sni
I guess this is because I used webroot to create the cert in the first place? How can I change it now?

As the message tells you, the nginx plugin doesn't support the TLS-SNI challenge. How do you have HTTPS implemented on your server? Do you have an HTTP -> HTTPS redirect implemented? Because Let's Encrypt will follow that.
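An added example (not from the thread) of an nginx layout that keeps an HTTP-01 renewal working with the webroot plugin: the challenge path is served over plain HTTP from a fixed directory, and everything else is redirected to HTTPS, which Let's Encrypt follows as noted above. The hostname example.com, the webroot directory /var/www/letsencrypt and the certificate paths are assumptions.

```nginx
# Port 80: answer ACME challenges directly, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;   # assumed placeholder for the real hostname

    # HTTP-01 validation fetches http://<host>/.well-known/acme-challenge/<token>.
    # This location must answer on port 80 (or via a redirect the CA can follow)
    # and must not land in a vhost that returns 404 for that path.
    location ^~ /.well-known/acme-challenge/ {
        # Directory handed to certbot's webroot plugin (assumed path); certbot
        # writes the token file under .well-known/acme-challenge/ inside it.
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. Challenge requests never reach this block
    # because the ^~ prefix match above takes precedence over it.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Assumed paths in certbot's live/ layout; adjust to the lineage name.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Keeps the token reachable if a validation request is redirected here.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        root /var/www/html;
    }
}
```

After reloading nginx, a quick check is to place a test file under /var/www/letsencrypt/.well-known/acme-challenge/ and fetch it over plain HTTP; a 404 there reproduces the error in the original post.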

According to the documentation, the Nginx plugin supports only TLS-SNI-01.

At a guess, certbot renew won't change plugins if you pass --preferred-challenges, so it's still trying to use the webroot plugin, which certainly doesn't support TLS-SNI-01.

@JMonteiro The simple way to change plugins is to use the appropriate Certbot command to issue a new certificate using the desired plugin and list of domains. The complicated way is to edit the /etc/letsencrypt/renewal/ config file.


I just wanted to confirm that @mnordhoff’s interpretation of the situation and Certbot’s behavior is correct here.
