I just got an email letting me know that TLS-SNI-01 domain validation is going away.
How can I update my ACME client?
Thanks a lot
Giacomo Farella
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: moon.miprenoto.eu
I ran this command:
It produced this output:
My web server is (include version): Apache 2.4.7
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Can you answer the other questions in your post? What ACME client are you using? What version is it now? How did you install it? What OS are you using?
0.28 is the first version that automatically chooses HTTP over TLS-SNI, yes. If you can upgrade to it, it is highly likely to be the only thing you need to do.
The only case where it may be insufficient is if you have some pre-configured preferred challenges already. This can be checked with:
I received this email notification as well and wanted to share my findings.
I am on Ubuntu 16.04 using Apache web server. I first tried upgrading certbot from 0.21.0 to 0.28.0 (which, notably, was "kept back" with a general apt-get upgrade, so I had to specify certbot to update only it and its dependencies) and the --dry-run output still showed warnings in red text about the TLS-SNI deprecation.
I realized the Apache plugin had to be updated as well to 0.28.0 and now the --dry-run completes without warnings and shows the http-01 challenge method is being used. Hope this helps.
Some plugins offer an authenticator, meaning that they can satisfy challenges:
Apache plugin: (TLS-SNI-01) Tries to edit your Apache configuration files to temporarily serve a Certbot-generated certificate for a specified name. Use the Apache plugin when you’re running Certbot on a web server with Apache listening on port 443.
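The following is an added example, not written by any poster in this thread and not Certbot's own code. It shows one way to find certificate lineages whose saved renewal settings still pin TLS-SNI as a preferred challenge, the case a reply above says an upgrade alone may not cover. It assumes Certbot's default renewal directory `/etc/letsencrypt/renewal` and that the preference is stored as `pref_challs` under `[renewalparams]`; the function names and the sample file are constructed for illustration.

```python
import configparser
from pathlib import Path

# Assumption: Certbot's default renewal directory on Linux.
RENEWAL_DIR = Path("/etc/letsencrypt/renewal")

# Constructed sample renewal file (not taken from the thread).
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.21.0
archive_dir = /etc/letsencrypt/archive/example.com
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01,
"""


def pinned_challenges(conf_text):
    """Return the challenge types saved in pref_challs, in order (may be empty)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Renewal files begin with keys outside any section, which configparser
    # rejects, so place them under a dummy section before parsing.
    parser.read_string("[top]\n" + conf_text)
    raw = parser.get("renewalparams", "pref_challs", fallback="")
    # The value is a comma-separated list, often with a trailing comma.
    return [c.strip().lower() for c in raw.split(",") if c.strip()]


def scan(renewal_dir=RENEWAL_DIR):
    """Map each renewal file name to the TLS-SNI entries it still pins."""
    findings = {}
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        pinned = pinned_challenges(conf.read_text())
        hits = [c for c in pinned if c.startswith("tls-sni")]
        if hits:
            findings[conf.name] = hits
    return findings


if __name__ == "__main__":
    print("sample file pins:", pinned_challenges(SAMPLE_CONF))
    for name, hits in scan().items():
        print(f"{name}: pref_challs still lists {', '.join(hits)}")
```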