Got email, Action required: Let's Encrypt certificate renewals

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/ (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 14.0

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.22.2

I checked this file


renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

authenticator = apache
account = #################### (actual id not given for security)
installer = apache

and pref_challs = http-01 is not available in .

Please, I need your help. Awaiting your reply.

Looks good.

You should upgrade using these instructions:

That should be the only thing you need to do.


Is it mandatory to upgrade certbot? After upgrading it, will it automatically configure https-01?

According to your dry run, Certbot is already not using TLS-SNI-01. So if you did nothing right now, everything would keep working.

If you don’t want to upgrade, nobody is forcing you, but it’s a good idea.


Thank you for your immediate response. Appreciated.
But yesterday I again received an email, i.e.:
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account): ( on 2018-12-26.

No idea why I even got this email, worrying…


I know the email is a bit spooky, but there is a plausible explanation for having received it and not having to take action:

If you want to be especially cautious - upgrade Certbot.


Many thanks dear @_az :hugs:

According to the email: A client from that IP used TLS-SNI-01.
According to the --dry-run: Your client is able to use HTTP-01.
I believe both are true; and can be true when:
The client prefers to use TLS-SNI-01, but can also use HTTP-01 (as fallback).
[like it's already set to use: --preferred_challenges https,http,dns]


Appreciated @rg305, Many Thanks.
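
The check the replies in this thread do by eye, as an added example (not code from the thread or from Certbot): it reports which challenge type a `certbot renew --dry-run` run performed and whether `pref_challs` in the renewal file names tls-sni-01. The sample inputs are constructed, `example.com` is a placeholder, and the `[renewalparams]` section header and the function names are assumptions.

```python
import re

# Constructed sample shaped like the dry-run output in this thread; example.com is a placeholder.
SAMPLE_DRY_RUN = """\
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
"""

# Constructed sample renewal file; the [renewalparams] header is an assumption.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.22.2
[renewalparams]
authenticator = apache
installer = apache
"""

# Matches lines such as "http-01 challenge for example.com"; the name may be redacted.
CHALLENGE_RE = re.compile(r"^\s*([a-z0-9-]+-01) challenge for[ \t]*(\S*)", re.M)

def performed_challenges(dry_run_output):
    """Return (challenge_type, name) pairs certbot reported performing."""
    return CHALLENGE_RE.findall(dry_run_output)

def renewal_params(conf_text):
    """Parse 'key = value' lines, skipping comments and section headers."""
    params = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "[")) and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    return params

def assess(conf_text, dry_run_output):
    """Return (verdict, details) for one renewal file and its dry-run output."""
    params = renewal_params(conf_text)
    prefs = [p.strip() for p in params.get("pref_challs", "").split(",") if p.strip()]
    used = performed_challenges(dry_run_output)
    if not used:
        verdict = "unknown: no challenge lines in the output"
    elif "tls-sni-01" in prefs or any(ctype == "tls-sni-01" for ctype, _ in used):
        verdict = "action needed: tls-sni-01 in use or preferred"
    else:
        verdict = "ok: renewal did not use tls-sni-01"
    return verdict, {"pref_challs": prefs, "used": used, "version": params.get("version")}

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_DRY_RUN))
```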
