How to stop using TLS-SNI-01 with Certbot

Let's Encrypt is removing support for domain validation with TLS-SNI-01. If you're using Certbot and received an email titled "Action required: Let’s Encrypt certificate renewals", or are getting the error message:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

you may need to upgrade your Certbot and its configuration.

If you only received an email, it's possible you've upgraded Certbot in the time since the last TLS-SNI validation mentioned in the email, in which case you're fine. These instructions tell you how to check.

  1. Confirm your Certbot version is 0.28 or higher:

    certbot --version || /path/to/certbot-auto --version

  If the version is less than 0.28, you need to upgrade your Certbot. Visit https://certbot.eff.org/ and follow the instructions for your webserver and OS.

  2. Remove any explicit references to tls-sni-01 in your renewal configuration:

    sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

  3. Do a full renewal dry run:

    sudo certbot renew --dry-run

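The three steps above can be rehearsed before touching anything under /etc/letsencrypt. The script below is an added example and not part of the original post or of Certbot itself: `version_at_least` compares a version string against 0.28, `rewrite_pref_challs` applies the post's own sed substitution to a single renewal file, and `demo_rewrite` runs it on a constructed sample config in a temporary directory so you can see exactly what the substitution does. The `--check` entry point and the sample config contents are assumptions made for the example.

```bash
#!/bin/sh
# Added example, not from the original post: helpers for the three steps
# above. Nothing here writes to /etc/letsencrypt; demo_rewrite works on a
# constructed sample file in a temporary directory.

# version_at_least VERSION MIN: succeed when VERSION >= MIN, comparing
# major.minor only (a patch level such as 0.31.0 is ignored).
version_at_least() {
  v_major=${1%%.*}; v_rest=${1#*.}; v_minor=${v_rest%%.*}
  m_major=${2%%.*}; m_rest=${2#*.}; m_minor=${m_rest%%.*}
  if [ "$v_major" -gt "$m_major" ]; then return 0; fi
  if [ "$v_major" -eq "$m_major" ] && [ "$v_minor" -ge "$m_minor" ]; then return 0; fi
  return 1
}

# parse_certbot_version "certbot 0.31.0": print the bare version number
# from the output of `certbot --version`.
parse_certbot_version() {
  printf '%s\n' "$1" | awk '{print $NF}'
}

# rewrite_pref_challs FILE: the post's sed command applied to one file.
# Only lines starting with pref_challs change; tls-sni-01 becomes http-01.
rewrite_pref_challs() {
  sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' "$1" && rm -f "$1.bak"
}

# demo_rewrite: run the substitution on a constructed renewal config and
# print the resulting pref_challs line.
demo_rewrite() {
  tmp=$(mktemp -d)
  cat > "$tmp/example.com.conf" <<'EOF'
# constructed sample; real files live in /etc/letsencrypt/renewal/
version = 0.27.0
[renewalparams]
authenticator = apache
pref_challs = tls-sni-01, http-01
EOF
  rewrite_pref_challs "$tmp/example.com.conf"
  grep '^pref_challs' "$tmp/example.com.conf"
  rm -rf "$tmp"
}

# check_installed: query the real Certbot (step 1) and say what to do next.
# Invoked only when the script is run as:  sh check-tls-sni.sh --check
check_installed() {
  command -v certbot >/dev/null 2>&1 || { echo "certbot not found in PATH"; return 1; }
  ver=$(parse_certbot_version "$(certbot --version 2>&1)")
  if version_at_least "$ver" 0.28; then
    echo "certbot $ver is new enough; next run: sudo certbot renew --dry-run"
  else
    echo "certbot $ver is older than 0.28; upgrade via https://certbot.eff.org/"
    return 1
  fi
}

[ "${1:-}" = "--check" ] && check_installed
```

Note that the post's substitution turns `pref_challs = tls-sni-01, http-01` into `pref_challs = http-01, http-01`: it replaces the challenge name rather than removing the entry, so a duplicate preference can remain in the file. The dry run in step 3 is what confirms the resulting configuration actually validates.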

If the dry run succeeds, and your Certbot version is 0.28 or higher, you're good to go! No further action should be required to deal with the end of TLS-SNI-01 support. If it fails, fix the validation problems you see and try again.

If you get a "connection refused" or "connection timeout" error, you may have a firewall blocking port 80. tls-sni-01 used port 443, but http-01 uses port 80. Ideally your web server should allow both ports. If that's not possible, for instance because your ISP blocks port 80, you'll need to switch to the dns-01 challenge, or use an ACME client that supports tls-alpn-01.

Note: if you installed Certbot in late 2015 or early 2016, it may be called letsencrypt or letsencrypt-auto (the project was renamed). Follow the instructions at https://certbot.eff.org to install the latest version.

Credit to @_az for the suggestion to write more step-by-step instructions and @jsha for rewriting these instructions with that suggestion in mind.
