Tls-sni-01 challenge still in use by apache authenticator

this is what I saw in the terminal window:

Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

tls-sni-01 challenge for
tls-sni-01 challenge for

this is what certbot 0.21.0 does

it works !!! :slight_smile:
but it shouldn’t :slight_smile: it shouldn’t work like this…
the authenticator should be the “webroot” plugin by now, I suppose…
or apache, but using the HTTP-01method…

here is a log:
and just another one:

@erica @bmw @pde, any thoughts?

I think this is a combination of the renewal whitelist and Certbot performs challenge even when reusing valid authz.


as to renewal:
I was getting a cert for a domain which was, before, part of another cert… (so, from the domain’s perspective we could say: “renewal”, getting a new one to replace the old) but it was not a renewal of an existing cert…

Right. If you read the post at the “renewal whitelist” link above, it describes how this done on the basis of domain names and not certificates. I copied the relevant section here for convenience:

TLS-SNI can be used for revalidating and reissuing certificates for domain names that have previously-issued Let’s Encrypt certificates. This is limited to the account that issued the most recent certificate for any given domain name. It applies whether or not the certificate used TLS-SNI for validation. It applies only to fully-qualified domain names, not subdomains. The grouping of domains into certificates doesn’t matter for this mechanism.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.