How to stop using TLS-SNI-01 with Certbot

Let’s Encrypt is removing support for domain validation with TLS-SNI-01. If you’re using Certbot and received an email titled “Action required: Let’s Encrypt certificate renewals”, or are getting the error message:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

you may need to upgrade your Certbot and its configuration.

If you only received an email, it’s possible you’ve upgraded Certbot in the time since the last TLS-SNI validation mentioned in the email, in which case you’re fine. These instructions tell you how to check.

  1. Confirm your Certbot version is 0.28 or higher:

    certbot --version || /path/to/certbot-auto --version
    

If the version is less than 0.28, you need to upgrade your Certbot. Visit https://certbot.eff.org/ and follow the instructions for your web server and OS.

  2. Remove any explicit references to tls-sni-01 in your renewal configuration:

    sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
    
  3. Do a full renewal dry run:

    sudo certbot renew --dry-run
    

If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go! No further action should be required to deal with the end of TLS-SNI-01 support. If it fails, fix the validation problems you see and try again.
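The three steps above can be scripted so that the version check and the renewal-config rewrite are repeatable and verifiable before you run the dry run. The script below is an added example and is not part of the original post or of Certbot itself. It assumes that `certbot --version` prints a string of the form `certbot X.Y.Z` (or `certbot-auto X.Y.Z`), and that renewal files under `/etc/letsencrypt/renewal/` use the `pref_challs = tls-sni-01, http-01` line format; the sed expression is the same one the post uses, applied to one file at a time, and the `count_tls_sni_refs` helper lets you confirm that no renewal file still mentions tls-sni-01 before the dry run.

```shell
#!/bin/sh
# Added example, not from the original post or the Certbot project.
# Assumes "certbot --version" output looks like "certbot 0.28.0" and that
# renewal files carry lines such as "pref_challs = tls-sni-01, http-01".

# Return 0 when the given "certbot X.Y.Z" string is version 0.28 or newer,
# 1 when it is older, and 2 when the string cannot be parsed.
certbot_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^ ]* \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    # Any 1.x or later release is newer than 0.28.
    [ "$major" -gt 0 ] && return 0
    [ "$minor" -ge 28 ]
}

# Rewrite tls-sni-01 to http-01 on pref_challs lines in a single renewal
# file, using the same sed expression as the post, and drop the backup.
fix_pref_challs() {
    sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' "$1" && rm -f "$1.bak"
}

# Count renewal files in a directory that still reference tls-sni-01;
# the goal is for this to print 0 before "certbot renew --dry-run".
count_tls_sni_refs() {
    grep -l 'tls-sni-01' "$1"/*.conf 2>/dev/null | wc -l | tr -d ' '
}

# Usage against a live system (needs root for /etc/letsencrypt):
#   certbot_version_ok "$(certbot --version 2>&1)" || echo "upgrade Certbot first"
#   for f in /etc/letsencrypt/renewal/*.conf; do fix_pref_challs "$f"; done
#   count_tls_sni_refs /etc/letsencrypt/renewal
```

Run the version check first; if it fails, upgrading Certbot takes priority over editing renewal files, because a pre-0.28 client will keep offering tls-sni-01 regardless of the configuration.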

If you get a “connection refused” or “connection timeout” error, you may have a firewall blocking port 80. tls-sni-01 used port 443, but http-01 uses port 80. Ideally your web server should allow both ports. If that’s not possible, for instance because your ISP blocks port 80, you’ll need to switch to the dns-01 challenge, or use an ACME client that supports tls-alpn-01.

Note: if you installed Certbot in late 2015 or early 2016, it may be called letsencrypt or letsencrypt-auto (the project was renamed). Follow the instructions at https://certbot.eff.org to install the latest version.

Credit to @_az for the suggestion to write more step-by-step instructions and @jsha for rewriting these instructions with that suggestion in mind.
