Tls-sni-01 challenge still in use by apache authenticator

Help
1

this is what I saw in the terminal window:

Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

tls-sni-01 challenge for domain.name
tls-sni-01 challenge for www.domain.name

this is what certbot 0.21.0 does

it works !!! :slight_smile:
but it shouldn’t :slight_smile: it shouldn’t work like this…
the authenticator should be the “webroot” plugin by now, I suppose…
or apache, but using the HTTP-01method…

here is a log: https://creach.eu/LE-log/le.txt
and just another one: https://creach.eu/LE-log/log-2.txt

2

@erica @bmw @pde, any thoughts?

3

I think this is a combination of the renewal whitelist and Certbot performs challenge even when reusing valid authz.

2 Likes
4

as to renewal:
I was getting a cert for a domain which was, before, part of another cert… (so, from the domain’s perspective we could say: “renewal”, getting a new one to replace the old) but it was not a renewal of an existing cert…

5

Right. If you read the post at the “renewal whitelist” link above, it describes how this done on the basis of domain names and not certificates. I copied the relevant section here for convenience:

TLS-SNI can be used for revalidating and reissuing certificates for domain names that have previously-issued Let’s Encrypt certificates. This is limited to the account that issued the most recent certificate for any given domain name. It applies whether or not the certificate used TLS-SNI for validation. It applies only to fully-qualified domain names, not subdomains. The grouping of domains into certificates doesn’t matter for this mechanism.

1 Like
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.