How to stop using TLS-SNI-01 with Certbot


#1

Let’s Encrypt is removing support for domain validation with TLS-SNI-01. If you’re using Certbot and received an email titled “Action required: Let’s Encrypt certificate renewals” or are getting the error message:

    Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

You may need to upgrade your Certbot and its configuration.

If you only received an email, it’s possible you’ve upgraded Certbot in the time since the last TLS-SNI validation mentioned in the email, in which case you’re fine. These instructions tell you how to check.

  1. Confirm your Certbot version is 0.28 or higher:

    certbot --version || /path/to/certbot-auto --version

If the version is less than 0.28, you need to upgrade your Certbot. Visit https://certbot.eff.org/ and follow the instructions for your webserver and OS.

  2. Remove any explicit references to tls-sni-01 in your renewal configuration:

    sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

  3. Do a full renewal dry run:

    sudo certbot renew --dry-run


If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go! No further action should be required to deal with the end of TLS-SNI-01 support. If it fails, fix the validation problems you see and try again.
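The three steps above as a single POSIX shell script, added here as an example (it is not part of the original post or of Certbot itself). The version check, the tls-sni-01 scan and the rewrite are functions, and they are exercised against a constructed temporary copy of a renewal directory, so the script runs without root and without touching /etc/letsencrypt. The domain names and account id in the sample configs are placeholders; the real dry run is only suggested, not executed, because it contacts the ACME server.

```shell
#!/bin/sh
# Added example (not from the original post or the Certbot project): the three
# migration steps as shell functions, exercised against a constructed temporary
# copy of a renewal directory. Domains and account ids below are placeholders.

# Step 1: given the output of "certbot --version" (e.g. "certbot 0.28.0"),
# succeed only if the version is 0.28 or higher.
certbot_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1          # unrecognised output: treat as not OK
    set -- $ver                        # $1 = major, $2 = minor
    [ "$1" -gt 0 ] || [ "$2" -ge 28 ]
}

# Step 2a: list renewal configs under directory $1 whose pref_challs line
# still asks for tls-sni-01 (these are the files the post's sed rewrites).
find_tls_sni_configs() {
    grep -l '^pref_challs.*tls-sni-01' "$1"/*.conf 2>/dev/null
}

# Step 2b: the post's sed, applied per file under $1; the .bak copy is removed
# only if sed succeeded, so a failed edit leaves the original recoverable.
migrate_pref_challs() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' "$f" && rm -f "$f.bak"
    done
}

# Constructed sample renewal directory: one config that still prefers
# tls-sni-01 and one that never did (placeholder domains and account id).
make_sample_renewal_dir() {
    dir=$(mktemp -d)
    cat > "$dir/example.com.conf" <<'EOF'
version = 0.26.1
cert = /etc/letsencrypt/live/example.com/cert.pem

[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = tls-sni-01,
account = 0123456789abcdef0123456789abcdef
EOF
    cat > "$dir/other.example.conf" <<'EOF'
version = 0.26.1
cert = /etc/letsencrypt/live/other.example/cert.pem

[renewalparams]
authenticator = webroot
account = 0123456789abcdef0123456789abcdef
EOF
    printf '%s\n' "$dir"
}

# Walk-through on the sample directory.
sample=$(make_sample_renewal_dir)
echo "Configs still preferring tls-sni-01:"
find_tls_sni_configs "$sample"
migrate_pref_challs "$sample"
echo "After migration:"
grep -H '^pref_challs' "$sample"/*.conf
rm -rf "$sample"

# Step 3 is only suggested when a real certbot is installed, since the dry
# run talks to the ACME server. Old Certbot printed its version on stderr.
if command -v certbot >/dev/null 2>&1; then
    if certbot_version_ok "$(certbot --version 2>&1)"; then
        echo "Certbot is 0.28 or newer; now run: sudo certbot renew --dry-run"
    else
        echo "Certbot is older than 0.28; upgrade it first (https://certbot.eff.org/)"
    fi
fi
```

To use it against a live system, point `find_tls_sni_configs` and `migrate_pref_challs` at /etc/letsencrypt/renewal (as root) instead of the sample directory; the rewrite is the same sed expression the post gives, just applied file by file so a backup is kept for any file whose edit fails.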

If you get a connection refused or connection timeout, you may have a firewall blocking port 80. tls-sni-01 used port 443, but http-01 uses port 80. Ideally your web server should allow both ports. If that’s not possible, for instance because your ISP blocks port 80, you’ll need to switch to the dns-01 challenge, or use an ACME client that supports tls-alpn-01.

Note: if you installed Certbot in late 2015 or early 2016, it may be called letsencrypt or letsencrypt-auto (the project was renamed). Follow the instructions at https://certbot.eff.org to install the latest version.

Credit to @_az for the suggestion to write more step-by-step instructions and @jsha for rewriting these instructions with that suggestion in mind.


#3

A post was split to a new topic: Using port 443 for renewal after TLS-SNI is disabled

