I have several domains among two servers that are using certs from letsencrypt via Certbot. For the last year or so they’ve been set it and forget it; which is a problem because I don’t do this type of stuff but every few years and never remember how; but apparently I now need to make changes and I have no idea which ones are using TLS-SNI-01 or what I need to actually do to certbot to rectify this.
I didn’t ask your opinion on the age of my operating systems.
If you’re saying they’re too old…let me know. Otherwise…that’s not related to my issue and therefore information that I already know and is not wanted. It does nothing to solve my problem.
Ubuntu 17.10 is no longer supported, and as such, new versions of Certbot are no longer packaged for it. So you won’t be able to take the usually recommended path of upgrading Certbot from the PPA on that system. Since you’re also probably missing important security updates from Canonical, the only responsible thing for us to recommend is that you upgrade to a supported version of Ubuntu. However, if you need to renew a certificate before you can get around to that, you can still use the http-01 challenge with older versions of Certbot - it just won’t do so by default.
Ubuntu 16.04 is still supported, of course, and Certbot 0.28.0 is available in the PPA. I’m not sure what @mnordhoff means about your kernel (I’m not disputing it, I just don’t understand it).
You can try this on your servers to see if you need to do anything:
sudo certbot renew --dry-run
If that works without any errors, then your certificate renewals should continue to work after tls-sni-01 is switched off (although since you could still be using it until that time, you might receive some more warning emails about it).
If it doesn’t work, let us know what error you get.
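An added example, not part of the thread and not Certbot's own tooling: a script that sorts each certificate's renewal config by whether it points at tls-sni-01, as an offline complement to the dry run. It assumes Certbot's standard `/etc/letsencrypt/renewal/*.conf` layout with `authenticator` and `pref_challs` settings; the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Certbot's standard layout:
# one /etc/letsencrypt/renewal/<name>.conf per certificate, "key = value" lines.

# Print the value of KEY ($2) in renewal config FILE ($1); empty if absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# explicit        a setting in the file names tls-sni-01
# plugin-default  apache/nginx authenticator with no pinned challenge, so the
#                 challenge used depends on the installed Certbot version
# none-found      nothing in the file points at tls-sni-01
classify_renewal_conf() {
    if grep -q '^[^#]*tls-sni-01' "$1"; then
        echo explicit
        return
    fi
    auth=$(conf_value "$1" authenticator)
    pref=$(conf_value "$1" pref_challs)
    if [ -z "$pref" ] && { [ "$auth" = apache ] || [ "$auth" = nginx ]; }; then
        echo plugin-default
    else
        echo none-found
    fi
}

# Print "<certificate name>: <class>" for every config in directory $1.
scan_renewal_dir() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f" .conf)" "$(classify_renewal_conf "$f")"
    done
}

# Constructed sample configs (not from a real server) for an offline run.
make_samples() {
    printf '[renewalparams]\nauthenticator = standalone\npref_challs = tls-sni-01,\n' > "$1/a.example.conf"
    printf '[renewalparams]\nauthenticator = nginx\ninstaller = nginx\n' > "$1/b.example.conf"
    printf '[renewalparams]\nauthenticator = webroot\npref_challs = http-01,\n' > "$1/c.example.conf"
}

# With a directory argument, scan it; with none, scan the constructed samples.
if [ "$#" -gt 0 ]; then
    scan_renewal_dir "$1"
else
    tmp=$(mktemp -d); make_samples "$tmp"; scan_renewal_dir "$tmp"; rm -rf "$tmp"
fi
```

Run it as root with `/etc/letsencrypt/renewal` as the argument to check a real server. The config files only show what is pinned, so the dry run stays the authoritative check.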