Change validation challenge Certbot (ACME TLS-SNI-01 to HTTP-01)
In my previous article, I showed you how to install and use certbot on your server.
You should take some action, if you received a mail containing:
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
The validation challenge/method ACME TLS-SNI-01 is no longer supported for certificates renewals or creations. Your certbot ctl should use HTTP-01, DNS-01 or TLS-ALPN-01.
A validation method are tasks, which are performed during certificate creation/renrewal. These tasks should only successfully executed by your server. ACME TLS-SNI-01 has known security issues. Because of that, you should change the validation challenge for your next certificates.
How to change the validation challenge for certbot?
First, you have to check the version of your certbot ctl.
If your version is below 0.28.0, you have to update your system:
apt update apt upgrade
If your version is still below 0.28.0, check https://certbot.eff.org/ and try to install the current stable release.
You can now check, if a renewal process would use HTTP-01. You can do this by executing:
certbot renew --dry-run
This should output something like:
Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator nginx, Installer nginx Renewing an existing certificate Performing the following challenges: http-01 challenge for readfromfile.com http-01 challenge for www.readfromfile.com Waiting for verification… Cleaning up challenges
If you see a similar log, you are good to go. The next time you use certbot, it will use a current supported validation method. If not, you can add the flag --preferred-challenges.
Please comment below, if you have any questions.
- Post photo by Taylor Vick on Unsplash