While trying to renew an expired certificate, the acme challenge fails since it's trying to access http://xxx.xxx.xxx instead of https://xxx.xxx.xxx
Actual output:
Attempting to renew cert from /etc/letsencrypt/renewal/xxx.xxx.xxx.conf produced an unexpected error: Failed
authorization procedure. xxx.xxx.xxx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient
authorization :: Invalid response from http://xxx.xxx.xxx/.well-known/acme-
challenge/c_IvQsTpfBXTWqtmxz250UGK0kbkRsVEIVCYgpBsviY: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.
Is there a way I can specify this to use https instead of http for the challenge?
Using Debian 8 Jessie with nginx
--------EDIT------------------
I tried generating a new certificate using "--preferred-challenges tls-sni" but...:
None of the preferred challenges are supported by the selected plugin
"None of the preferred challenges are supported by the selected plugin. Skipping" with certbot renew --preferred-challenges tls-sni
I guess this is because I used webroot to create the cert in the first place? How can I change it now?
As the message tells you, the nginx plugin doesn't support the TLS-SNI challenge. How do you have HTTPS implemented on your server? Do you have an HTTP -> HTTPS redirect implemented? Because Let's Encrypt will follow that.
According to the documentation, the Nginx plugin supports only TLS-SNI-01.
At a guess, certbot renew won't change plugins if you pass --preferred-challenges, so it's still trying to use the webroot plugin, which certainly doesn't support TLS-SNI-01.
@JMonteiro The simple way to change plugins is to use the appropriate Certbot command to issue a new certificate using the desired plugin and list of domains. The complicated way is to edit the /etc/letsencrypt/renewal/ config file.
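The 404 in the original post means the port-80 server block has nothing that serves the webroot under /.well-known/acme-challenge/, so the HTTP-01 validator never reaches the token file. As the replies note, the validator follows an HTTP -> HTTPS redirect, but a redirect only helps if the HTTPS vhost serves the same webroot. The following nginx configuration is an added example, not from the thread or from Certbot itself: it keeps the challenge path reachable over plain HTTP and redirects everything else to HTTPS. The hostname `example.invalid` and the webroot `/var/www/letsencrypt` are placeholders; the webroot must match the `-w` path Certbot was given (stored as `webroot_path` in the renewal config under /etc/letsencrypt/renewal/).

```nginx
# Added example (not from the thread): port-80 server block that serves the
# ACME HTTP-01 challenge directory from the Certbot webroot and redirects
# every other request to HTTPS. Hostname and webroot are placeholders.
server {
    listen 80;
    server_name example.invalid;   # placeholder: your real hostname

    # Serve the token files that `certbot --webroot -w /var/www/letsencrypt`
    # writes to <webroot>/.well-known/acme-challenge/<token>. This location
    # must come before the catch-all redirect, and `^~` stops regex locations
    # from overriding it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot; must equal Certbot's -w
        default_type "text/plain";
        try_files $uri =404;         # only the token itself; no directory listing
    }

    # Everything else goes to HTTPS. A block that had only this `return` and no
    # challenge location would answer the validator with a redirect, and the
    # HTTPS vhost would then have to serve the same webroot, or the renewal
    # fails with the 404 seen in the original post.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, `certbot renew --dry-run` exercises the same HTTP-01 fetch without touching the real certificate, which is the quickest way to confirm the token path is reachable before the expiry window is hit.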