February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support


Let’s Encrypt allows subscribers to validate domain control using any one of a few different validation methods. For much of the time Let’s Encrypt has been operating, the options were “DNS-01”, “HTTP-01”, and “TLS-SNI-01”. We recently introduced the “TLS-ALPN-01” method. Today we are announcing that we will end all support for the TLS-SNI-01 validation method on February 13, 2019.

In January of 2018 we disabled the TLS-SNI-01 domain validation method for most subscribers due to a vulnerability enabled by some shared hosting infrastructure. We provided temporary exceptions for renewals and for a small handful of hosting providers in order to smooth the transition to DNS-01 and HTTP-01 validation methods. Most subscribers are now using DNS-01 or HTTP-01.

If you’re still using TLS-SNI-01, please switch to one of the other validation methods as soon as possible. We will also attempt to contact subscribers who are still using TLS-SNI-01, if they provided contact information.

We apologize for any inconvenience but we believe this is the right thing to do for the integrity of the Web PKI.

Upcoming TLS-SNI Deprecation in Certbot
Issue to renew?
What's the status on TLS-SNI-01 challenge
Nginx certbot switch back to tls-sni-01
Strong credibility of a vulnerability with TLS-SNI
"Your Let’s Encrypt client used ACME TLS-SNI-01..." Which one?
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days
Unable to auto renew certificates
Action required: Let's Encrypt certificate renewals
New letsencrypt auto-renewal is trying to us port 80 rather than 443
Errors on renewing using apache plugin. Need to move from TLS-SNI-01?
At my wits end, this simply doesnt work. SITE IS DOWN
How to renew for Dynamic DNS host with no port 80?
Auto-certbot renew failure with message about firewall
Cannot renew my certificate
Letsencrypt-auto not working any more
Certbot renewal failed
Your Let’s Encrypt client used ACME TLS-SNI-01
Attempting to renew cert produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration. The error was: NoInstallationError(). Skipping
Acme client, certbot and very poor/confusing instructions
Problem with renewal of certificates
Certificate renewal fails
Wrong subjectAlternativeName with certbot dns-01 challenge
Automatically remove certificate if renewal fails
Haproxy / tls / renew not working
Letsencrypt-auto not working any more
Unable to find virtual host listening on port 80
Unable to auto renew certificates
"Your Let’s Encrypt client used ACME TLS-SNI-01..." Which one?
"Error getting validation data"
Certbot failed to restart apache
Strange renewal failure
Renew not work anymore
Apache becomes unresponsive when running certbot
Failed Authorization - Received 2 cerficate(s)
DNS/CAA Error During Automatic Renewal

To help people test their clients ahead of the deprecation date, we’re going to disable the TLS-SNI-01 method in staging on 2019-01-22 (this Tuesday). Once that’s live we’ll post an update here, and you’ll be able to run certbot renew --dry-run, which will do a test against staging. If the dry run succeeds, you’ll know that you’re ready for the deprecation date.


Acme client, certbot and very poor/confusing instructions