Change validation challenge Certbot (ACME TLS-SNI-01 to HTTP-01)

Linux Feb 5, 2019

In my previous article, I showed you how to install and use certbot on your server.

You should take some action, if you received a mail containing:

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days.

The validation challenge/method ACME TLS-SNI-01 is no longer supported  for certificates renewals or creations. Your certbot ctl should use HTTP-01, DNS-01 or TLS-ALPN-01.

A validation method are tasks, which are performed during certificate creation/renrewal. These tasks should only successfully executed by your  server. ACME TLS-SNI-01 has known security issues. Because of that, you should change the validation challenge for your next certificates.

How to change the validation challenge for certbot?

First, you have to check the version of your certbot ctl.

certbot --version

If your version is below 0.28.0, you have to update your system:

apt update
apt upgrade

If your version is still below 0.28.0, check and try to install the current stable release.

You can now check, if a renewal process would use HTTP-01. You can do this by executing:

certbot renew --dry-run

This should output something like:

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges

If you see a similar log, you are good to go. The next time you use certbot, it will use a current supported validation method. If not, you can add the flag --preferred-challenges.

Please comment below, if you have any questions.




Howdy! I'm Stefan and I am the main author of this blog. If you want know more, you can check out the 'About me' page.

Impressum | Data Privacy Policy | Disclaimer
Copyright: The content is copyrighted and may not be reproduced on other websites without permission.