Here's how to resolve the "Action required" / TLS-SNI-01 issue for Apache plugin users

I’m using the latest Certbot with the Apache plugin, and judging from all the activity on the forum right now I think there are a lot of others in the same situation.

Here is what resolved the matter for me:

  • In your /etc/letsencrypt/cli.ini add preferred-challenges = http.
  • Test first with the command certbot renew --force-renewal --dry-run.
  • If no errors, run certbot renew --force-renewal.

This is tested and working on Ubuntu Server 16.04 and 18.04, which is a pretty typical use-case. I have the cronjob @daily /usr/bin/certbot renew --quiet (I think this is also pretty typical) and must have missed the earlier warnings about TLS-SNI-01 deprecation.

Hope this helps and thanks to the forum mods, who are probably very busy right now with all the new posts! If you test this method with different plugins and it works, please post a reply so others can find what works easily.


Thanks so much for this. Helped me though everything i had problems with. Thanks so much.


1 Like

This addressed my concerns even tho all my renewals showed as using HTTP-01 I was worried something would go wrong down the line. Forced a renew and all appears to be ok.

Thank you

1 Like

I try to find this file, but not exists.

I Running on AWS EC2 amazon-linux-ami - 2018.03

I try to find this file, but not exists.

No problem, just create it instead or add --preferred-challenges http to your command (or script) to do the same thing. Having this file is convenient because you can put all the options in it and just run certbot renew without having to remember them.

As always, test first with --dry-run to check for errors.

Thank you so much!

I did run in this way:
./certbot-auto renew --preferred-challenges http --no-self-upgrade

1 Like

Worked like a charm. TY

1 Like

If you get the message below:

None of the preferred challenges are supported by the selected plugin.

  1. Update the certbot with the command:
    ./certbot-auto --version

  2. Run the commando to renew the certs:
    ./certbot-auto renew --preferred-challenges http --no-self-upgrade

Maybe this tip can help someone :smiley:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.