How to resolve TLS-SNI deprecation


Can you please give me detailed instructions on how to resolve this?

How to fix TLS-SNI deprecation
Updates on TLS-SNI deprecation email


We’ll need more information on what client you’re using and what operating system. Please also see my latest post - we’re working on some updates.



Thank You, I’m not an expert here my operating system is Ubuntu 16.05.5 LTS. Will a failure to renew cause my website to be unreachable? I’m using it as a moodle server and am afraid my online course will go offline right in the middle of the course.


You should check the expiration date of your certs (especially such a critical one).
If any are due for renewals soon, you should “test” the renewal (for example: with --dry-run) to understand what will happen when that day comes.
Providing you now the most amount of time to deal with any renewal problem(s) that may be coming.


Are you using certbot or certbot-auto to renew? How did you initially set up your certificate?

A failure to renew will indeed cause your site to be unreachable, but renewal only needs to happen every 60 days. You can look up your certificate name at and check the “NotAfter” column to see when it expires.


Hi: I’m sorry, I installed let’s encrypt 2 or 3 years ago on my site and have never renewed a certificate manually so I guess I’m running certbot-auto? My not after is 4/10/2019


Please show:
sudo crontab -l
systemctl list-timers

[one of those two should show how the renewals are being done]


No problem, and no need to apologize. You’re doing great. :slight_smile:

Excellent, so you have at least that long to get things sorted.

You can see what cronjobs you have running by using:

crontab -l

sudo crontab -l

ls -l /lib/systemd/system/certbot.timer

If you have certbot-auto on any of those, you should be fine. certbot-auto automatically upgrades itself, and the latest version supports the http-01 challenge.

If instead you have certbot, you may need to manually upgrade. Probably the most straightforward thing to do is go to and follow the instructions there for your specific web server and OS.


Thanks for all your help, I think I got it resolved this way. I just updated everything on my ubuntu box by running

sudo apt-get update
sudo apt-get full-upgrade

Then I tested it with,

sudo certbot renew --dry-run

No errors came up and I saw that HTTP-01 was tested so I think I’m good to go.
The only issue is when I test the site with Let’s Debug it worked this morning but then didn’t work later this afternoon when I retested so that’s what made me panic. I think the Let’s Debug and Let’s Encrypt sited are just getting swamped this afternoon. Does this sound reasonable.



Can you elaborate on what type of error you saw? Most likely if this was due to too much traffic at Let’s Debug, you’d see a 500 error.


Let’s Debug worked for me this morning testing HTTP-01 and all was green. Then this afternoon it didn’t work and I kept retesting and it worked one other time again. After that I continued retesting and it gave me errors like

An internal error occurred while checking the domain
Failed to query certwatch database to check rate limits: dial tcp: i/o timeout



Ah, that does sound like a potential load problem in Let’s Debug. Thanks for the additional detail!


Thanks for your help. I’ll let you go to help someone else.


At Let’s Debug, I kill any queries to’s database that take longer than 10 seconds (which is what we do to check rate limits).

This is in order to prevent overloading

I should probably re-categorize that warning as something less scary, sorry.


A post was split to a new topic: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA



I’ve just followed the instructions on this thread, as I’m in the same boat as dbnawrocki.

After updating my Ubuntu box I ran "sudo certbot renew --dry-run and got a “Congratulations, all renewals succeeded”. It looked to be using http-01 challenge?

Does this mean the situation is now resolved?




This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.