Hi folks,
I’ve been working on the wording for our second round of TLS-SNI deprecation emails, plus some of the underlying code. My current thinking is that it’s better / easier to include the affected IP addresses in the email rather than the domains. There are a lot of accounts that have a large number of domains, but typically they only use a single IP address.
The plan for multiple accounts that have the same email address is to consolidate into a single email, and include up to ten IP addresses.
Feedback on both the message content and the overall plan is welcome! Thanks to everyone for the hard work you’ve been doing answering questions.
Hello,
Action may be required to prevent your Let’s Encrypt certificate renewals from breaking.
If you already received a similar e-mail, this one contains updated information.
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days. Below is a list of names and IP addresses validated (max of one per account):
example.com (10.100.10.100) on 2018-11-24
example.net (10.11.10.11) on 2018-11-26
TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019. Any certificates issued before then will continue to work for 90 days after their issuance date.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
Our staging environment already has TLS-SNI-01 disabled, so if you’d like to test whether your system will work after February 13, you can run against staging: https://letsencrypt.org/docs/staging-environment/.
If you’re a Certbot user, you can find more information here: How to stop using TLS-SNI-01 with Certbot
Our forum has many threads on this topic. Please search to see if your question has been answered, then open a new thread if it has not: https://community.letsencrypt.org/
For more information about the TLS-SNI-01 end-of-life please see our API announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
Thank you,
Let’s Encrypt Staff
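
The consolidation plan described in the post (one validation per account, accounts sharing an email address merged into one message, up to ten IP addresses), sketched as an added example; this is not Let's Encrypt's code. The record layout, the function names and the case-insensitive email matching are assumptions made for illustration, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

MAX_IPS = 10      # "up to ten IP addresses" per consolidated email
WINDOW_DAYS = 60  # the email covers validations "in the past 60 days"

# Constructed sample rows: (account_id, contact_email, name, ip, validated_on)
SAMPLE = [
    (1, "ops@example.com", "example.com", "10.100.10.100", date(2018, 11, 24)),
    (1, "ops@example.com", "www.example.com", "10.100.10.100", date(2018, 11, 20)),
    (2, "Ops@Example.com", "example.net", "10.11.10.11", date(2018, 11, 26)),
    (3, "old@example.org", "example.org", "10.12.10.12", date(2018, 8, 1)),
]

def consolidate(rows, today, max_ips=MAX_IPS, window_days=WINDOW_DAYS):
    """Return {email: [(name, ip, validated_on), ...]} with one list per recipient."""
    cutoff = today - timedelta(days=window_days)
    # Step 1: keep only the most recent in-window validation for each account.
    latest = {}
    for account, email, name, ip, when in rows:
        if when < cutoff:
            continue
        if account not in latest or when > latest[account][3]:
            # Assumption: addresses differing only in case or padding are one recipient.
            latest[account] = (email.strip().lower(), name, ip, when)
    # Step 2: merge accounts that share an address, one entry per distinct IP.
    by_email = defaultdict(dict)
    for email, name, ip, when in latest.values():
        seen = by_email[email]
        if ip not in seen or when > seen[ip][2]:
            seen[ip] = (name, ip, when)
    # Step 3: keep the most recent max_ips entries, listed oldest first.
    return {
        email: sorted(entries.values(), key=lambda r: r[2])[-max_ips:]
        for email, entries in by_email.items()
    }

def render(entries):
    """Format entries the way the draft email lists them."""
    return "\n".join(f"{name} ({ip}) on {when.isoformat()}" for name, ip, when in entries)

if __name__ == "__main__":
    for email, entries in consolidate(SAMPLE, today=date(2018, 12, 1)).items():
        print(email, render(entries), sep="\n", end="\n\n")
```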