How to solve this issue("TLS-SNI-01 is deprecated, and will stop working soon.") using "csr"


My domain is:

I ran this command: certbot certonly --csr /etc/letsencrypt/csr/0002_csr-certbot.pem --apache

It produced this output: TLS-SNI-01 is deprecated, and will stop working soon.

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28


I have been proceeding with certificate renewal via the command “certbot certonly --csr”.

I did not use “renew - dry - run” because I had to keep my private key, public key.

However, there has recently been an issue(“TLS-SNI-01 is deprecated, and will stop working soon.”.)

I found that I had to use renew --dry - run in step 3 of “How to stop using TLS-SNI-01 with Certbot” to find the solution.

I would like to know if there is a way to solve this issue using “csr” as usual.

Thank you.


In Certbot 0.28.0, that command would already use HTTP-01 validation by default.

Are you sure you’re using Certbot 0.28.0?

How was Certbot installed?

If you’re using the PPA, try “sudo apt upgrade” and see if any of Certbot’s packages are upgraded.

The other possibility is that Certbot is configured with a preference for TLS-SNI. Certbot’s default configuration files are:

  • /etc/letsencrypt/cli.ini
  • $XDG_CONFIG_HOME/letsencrypt/cli.ini or ~/.config/letsencrypt/cli.ini

Check them for any settings doing that.

Just out of curiosity, why do you need to keep using the same keypair?

If you can change the keypair once, you could create a new certificate with the --reuse-key option. It would create a new keypair and issue a new certificate, but reuse the keypair when automatically renewing the certificate in the future.


Thank you for answer.

It seems to be resolved.

I was using version 0.23 and upgraded to 0.28.
I just changed “” file to “version = 0.23.0” and changed it to “version = 0.28.0”.
As a result, the command “certbot certonly --csr” was executed again, so it was changed to “http-01 challenge for”.

Thank you.


This is also useful advice which could allow you to move away from doing these CSR-based renewals, and toward the recommended path of having certbot renew run automatically from cron or systemd jobs.