February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support



Let’s Encrypt allows subscribers to validate domain control using any one of a few different validation methods. For much of the time Let’s Encrypt has been operating, the options were “DNS-01”, “HTTP-01”, and “TLS-SNI-01”. We recently introduced the “TLS-ALPN-01” method. Today we are announcing that we will end all support for the TLS-SNI-01 validation method on February 13, 2019.

In January of 2018 we disabled the TLS-SNI-01 domain validation method for most subscribers due to a vulnerability enabled by some shared hosting infrastructure. We provided temporary exceptions for renewals and for a small handful of hosting providers in order to smooth the transition to DNS-01 and HTTP-01 validation methods. Most subscribers are now using DNS-01 or HTTP-01.

If you’re still using TLS-SNI-01, please switch to one of the other validation methods as soon as possible. We will also attempt to contact subscribers who are still using TLS-SNI-01, if they provided contact information.

We apologize for any inconvenience, but we believe this is the right thing to do for the integrity of the Web PKI.

