OK.
grep -RE "(pref_challs|challenges)" /etc/letsencrypt/
doesn’t find anything.
certbot renew --dry-run -vvv
doesn’t return any reference to pref_challs. The first reference to SNI is:
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxx.
https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/xxx HTTP/1.1" 200 1433
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1433
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 20 Jan 2019 22:29:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Jan 2019 22:29:33 GMT
Connection: keep-alive
{
  "identifier": {
    "type": "dns",
    "value": "crawl.project357.org"
  },
  "status": "valid",
  "expires": "2019-02-17T03:36:03Z",
  "challenges": [
    [...]
    {
      "type": "tls-sni-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxx/xxx",
      "token": "xxx",
      "validationRecord": [
        {
          "hostname": "crawl.project357.org",
          "port": "443",
          "addressesResolved": [
            "13.237.221.101"
          ],
          "addressUsed": "13.237.221.101"
        }
      ]
    },
    [...]
  ]
}
Performing the following challenges:
tls-sni-01 challenge for crawl.project357.org
TLS-SNI-01 is deprecated, and will stop working soon.
Is certbot using SNI because the last certificate issued used SNI?