Change the validation challenge in Certbot (ACME TLS-SNI-01 to HTTP-01)
In my previous article, I showed you how to install and use certbot on your server.
You should take action if you received a mail containing:
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days.
The validation method ACME TLS-SNI-01 is no longer supported for certificate creation or renewal. Your certbot client should use HTTP-01, DNS-01 or TLS-ALPN-01 instead.
A validation method is the set of tasks performed during certificate creation or renewal to prove that you control the domain; only the server that really controls the domain should be able to complete them. ACME TLS-SNI-01 has known security issues, so you should change the validation challenge before your next certificate is issued or renewed.
How to change the validation challenge for certbot?
First, check the version of your certbot client:
certbot --version
If your version is below 0.28.0, update your system:
apt update
apt upgrade
If your version is still below 0.28.0, check https://certbot.eff.org/ and install the current stable release from there.
You can now check whether a renewal would use HTTP-01 by executing:
certbot renew --dry-run
This should output something like:
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for readfromfile.com
http-01 challenge for www.readfromfile.com
Waiting for verification…
Cleaning up challenges
If you see a similar log, you are good to go: the next time certbot runs, it will use a currently supported validation method. If not, you can add the --preferred-challenges flag to select one.
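The two checks above (certbot version at least 0.28.0, and no tls-sni-01 lines in the dry-run log) as a small POSIX shell script. This is an added example, not part of the original post or of certbot itself; the function names and the two sample logs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check a certbot version string
# against the 0.28.0 minimum and scan `certbot renew --dry-run` output for tls-sni-01.

# version_ge A B: return 0 when dotted version A is >= B (numeric, per component).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# certbot_version_ok "certbot 0.31.0": takes the output of `certbot --version`
# and returns 0 when the version is 0.28.0 or newer, 1 otherwise.
certbot_version_ok() {
    v=$(printf '%s' "$1" | sed -n 's/.*certbot[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] && version_ge "$v" "0.28.0"
}

# challenge_check LOG: LOG is the text printed by `certbot renew --dry-run`.
# Returns 0 if only supported challenges (http-01, dns-01, tls-alpn-01) appear,
# 1 if a tls-sni-01 challenge is still performed, 2 if no challenge line exists.
challenge_check() {
    types=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*\([a-z0-9-]*\) challenge for .*/\1/p' | sort -u)
    [ -z "$types" ] && return 2
    printf '%s\n' "$types" | grep -qx 'tls-sni-01' && return 1
    return 0
}

# Constructed sample logs (not real certbot output) for a stand-alone run.
OLD_LOG='Performing the following challenges:
tls-sni-01 challenge for example.com
Waiting for verification...'
NEW_LOG='Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...'

# On a real server use "$(certbot --version 2>&1)" and "$(certbot renew --dry-run 2>&1)".
for log in "$OLD_LOG" "$NEW_LOG"; do
    if challenge_check "$log"; then
        echo "good to go: only supported challenges found"
    else
        echo "action needed (rc=$?): update certbot or add --preferred-challenges"
    fi
done
```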
Please comment below, if you have any questions.
Credits:
- Post photo by Taylor Vick on Unsplash