diff --git a/Dockerfile b/Dockerfile
index e3d581f..957f28c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM certbot/certbot:v0.18.2
+FROM certbot/certbot:v0.31.0
 MAINTAINER Eric Barault (@ebarault)
 VOLUME /certs
diff --git a/README.md b/README.md
index ccafb76..131a4b2 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ The following volumes of interest can be mounted on the docker host or as docker
 #### Environment variables:
 - **WEBROOT** : (optional) path to the host's web server root. If provided, letsencrypt will use the given existing web server to request and validate the certificates. If not provided, letsencrypt will launch it's own web server for this purpose
+- **PREFERRED_CHALLENGES** : (optional) A sorted, comma delimited list of the preferred challenge to use during authorization with the most preferred challenge listed first (eg. "dns" or "tls-alpn-01,http,dns")
 - **LOGFILE** : (optional) path of a file where to write the logs from the certificate request/renewal script. When not provided both stdout/stderr are directed to console which is convenient when using a docker log driver
 - **DEBUG** : (optional) whether to run letsencrypt in debug mode, refer to certbot [documentation] (https://certbot.eff.org/docs/using.html#certbot-command-line-options)
 - **STAGING** : (optional) whether to run letsencrypt in staging mode, refer to certbot [documentation] (https://certbot.eff.org/docs/using.html#certbot-command-line-options)
diff --git a/scripts/run_certbot.sh b/scripts/run_certbot.sh
index 0ba9084..59845a8 100755
--- a/scripts/run_certbot.sh
+++ b/scripts/run_certbot.sh
@@ -117,14 +117,15 @@ CERTBOT_ARGS=""
 # see https://certbot.eff.org/docs/using.html#webroot
 #
 # `standlone` plugin runs a built-in “standalone” web server to obtain the certificate
-# --preferred-challenges tls-sni` option is set to use port 443
-# this mode is triggered when $WEBROOT is not set
+# The current implementation supports the http-01, dns-01 and tls-alpn-01 challenges and
+# defaults to http-01 since tls-sni-01 has been deprecated
+# This mode is triggered when $WEBROOT is not set
 # see https://certbot.eff.org/docs/using.html#standalone
 #
 if [ $WEBROOT ]; then
 CERTBOT_ARGS=" --webroot -w $WEBROOT"
 else
- CERTBOT_ARGS=" --standalone --preferred-challenges tls-sni"
+ CERTBOT_ARGS=" --standalone --preferred-challenges ${PREFERRED_CHALLENGES:-http-01}"
 fi
 # activate debug mode
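Review bot: The rewritten comment in this hunk claims dns-01 is supported, but the branch it describes hard-codes `--standalone`, and certbot's standalone authenticator only implements http-01 and tls-alpn-01 (dns-01 needs a DNS plugin or `--manual`), so `PREFERRED_CHALLENGES=dns` — the very example the README hunk gives — should, as far as I can tell, make certbot refuse the plugin/challenge combination rather than validate via DNS. I would reword it to `# Standalone mode supports the http-01 and tls-alpn-01 challenges; defaults to http-01 since tls-sni-01 is deprecated` and drop "dns" from the README example. Separately, `PREFERRED_CHALLENGES` is spliced into CERTBOT_ARGS with no validation and, judging by the unquoted `[ $WEBROOT ]` style, is presumably word-split where the command is assembled outside this hunk, so a value containing whitespace becomes additional certbot arguments. A small allow-list before the assignment, `case "${PREFERRED_CHALLENGES:-http-01}" in *[!a-z0-9,-]*) echo "invalid PREFERRED_CHALLENGES" >&2; exit 1;; esac`, would confine the variable to a challenge-name list.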