Impending TLS-SNI-01 disable: How to determine current method?


How does one determine, for absolute certain, which validation method they are using? Forgive how incapable I must sound in even asking this question. Perhaps others are in my boat. I have multiple reasons to believe I am using TLS-SNI-01, and multiple reasons to believe I am not.

I am using the old certbot version: letsencrypt 0.4.1 CLI, but with the webroot plugin, and my CLI commands always begin like this:

letsencrypt certonly --webroot

This causes our validation to happen through the special /.well-known/acme-challenge HTTP directory hosted inside our apache server… This is HTTP validation I believe? Perhaps SNI validation actually also happens over HTTP, and this is it?

Reasons why I think I might be using TLS-SNI-01, and thus require an upgrade:

  • I received the initial email with subject Action required: Let's Encrypt certificate renewals
  • This post Seems to indicate that any certbot CLI older than 0.28 requires an upgrade

Reasons why I think I’m NOT using TLS-SNI-01, and thus don’t require an upgrade, and no longer need to jeopardize the timeline of the project I’m supposed to be working on:

  • I received the second email with the subject Action required: Let's Encrypt certificate renewals which shows the domains, and it only contains a single hostname which my system never generated. None of the 15,000+ hostnames we created certs for are in this second email. I believe a colleague might have used our LE account at some point to make a one-time cert over TLS-SNI-01, which isn’t something we need to support or worry about
  • Our system is still able to validate and receive certs over LE Staging environment, which I understand TLS-SNI-01 is disabled in staging. Either we’re white listed due to our large volume usage, which I have no way of determining, or we’re not actually using TLS-SNI-01.

Thanks for the help guys. For us, this is quite a big deal, and I’ve always been highly appreciate not only of your existence in general, but for your friendly support over the last 2 years :slight_smile:


The webroot plugin always uses HTTP-01.

Certbot’s apache, nginx and standalone plugins support TLS-SNI-01, but webroot never has.



What a relief!!

closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.