SOLVED: renew dry-run error when no http:80 port available

Hi @tgutwin,

Unfortunately, this indicates a problem that you'll still have to resolve.

Let's Encrypt is in the process (near the end) of making a change to the allowed validation methods due to a security problem identified by a researcher more than a year ago. That means that the behavior of the CA has changed. When people find recent renewal problems that didn't happen before, it's usually related to the fact that their old configurations genuinely don't work with the new CA behavior.

There is lots of information about this issue on the forum; if you want to know some of the history, please see

The change in supported validation methods does mean that some renewals that worked before won't work in the future and will require updated Let's Encrypt client applications, changes in firewall rules, or other changes. We've tried to make this as automatic and convenient as possible, but particularly because the TCP port that most people use for validation will switch from 443 to 80, it can't be an automatic switchover for everyone!

The --dry-run is a more realistic simulation of the behavior that Let's Encrypt will exhibit for everyone next month. If it succeeds, your configuration is OK with regard to the upcoming change, but if it fails, your configuration is not OK and subsequent renewals (with or without --dry-run) are likely to break.

The more specific practical information aimed at Certbot users is here:

If this doesn't resolve your problem, you still have a problem that needs to be fixed in order to continue renewing certificates after TLS-SNI-01 support is completely disabled. You can find other forum threads or ask for help. What I particularly want to emphasize, though, is that not using --dry-run is not a fix or a solution, because --dry-run in this case simulates the upcoming behavior that will exist for everyone soon. (--dry-run itself isn't a way to renew certificates; as the name is meant to suggest, it's just a way to check whether renewing certificates would work, using the Let's Encrypt staging (test) server.)

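Two checks a practitioner can run before the TLS-SNI-01 switch-off that the reply above describes, written as an added example (not code from the forum poster or from the Certbot project). The first audits a Certbot renewal configuration for settings that only made sense while TLS-SNI-01 existed (the `pref_challs` and `tls_sni_01_port` keys of `/etc/letsencrypt/renewal/<name>.conf`); the second drops a random token under `/.well-known/acme-challenge/` in a webroot and fetches it back over plain HTTP, which is what an HTTP-01 validator does on port 80. The renewal config, the temporary webroot and the localhost server in `demo()` are constructed so the script runs offline; the finding texts and the `audit_renewal_conf`, `http01_preflight` and `demo` names are this example's own.

```python
"""Pre-flight checks for the move from TLS-SNI-01 (port 443) to HTTP-01 (port 80):
audit a certbot renewal config for TLS-SNI-01 leftovers, and verify that a token
placed under /.well-known/acme-challenge/ is reachable over plain HTTP."""
import configparser
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.request
from pathlib import Path

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed renewal config (not taken from any real host), in the layout certbot
# writes to /etc/letsencrypt/renewal/<name>.conf; version and paths are illustrative.
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

[renewalparams]
authenticator = standalone
pref_challs = tls-sni-01, http-01
tls_sni_01_port = 443
"""


def audit_renewal_conf(text: str) -> list:
    """Return warnings for settings that only make sense while TLS-SNI-01 exists."""
    parser = configparser.ConfigParser(interpolation=None)
    # Renewal files carry top-level keys before the first section header, which
    # configparser rejects, so give those keys a dummy section.
    parser.read_string("[_top]\n" + text)
    if not parser.has_section("renewalparams"):
        return ["no [renewalparams] section found"]
    params = parser["renewalparams"]
    findings = []
    prefs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if "tls-sni-01" in prefs:
        findings.append("pref_challs lists tls-sni-01; drop it so http-01 is used")
    if params.get("tls_sni_01_port"):
        findings.append("tls_sni_01_port is set; it is irrelevant once TLS-SNI-01 is disabled")
    return findings


def http01_preflight(webroot: Path, host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Place a random token where an HTTP-01 validator looks for it and fetch it back
    over plain HTTP. True only if the exact token comes back with status 200.
    Run it from outside your network to exercise the firewall as well; from the
    host itself it only proves that the web server maps the challenge path."""
    token = secrets.token_urlsafe(32)
    challenge_dir = webroot / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token_file = challenge_dir / token
    token_file.write_text(token)
    url = "http://%s:%d%s%s" % (host, port, ACME_PATH, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode() == token
    except (OSError, ValueError):  # connection refused, timeout, HTTP error, bad body
        return False
    finally:
        token_file.unlink()


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep request logging out of the demo output
        pass


def demo() -> dict:
    """Run both checks offline: the audit on the constructed config, and the
    preflight against a temporary webroot served on an ephemeral localhost port."""
    results = {"findings": audit_renewal_conf(SAMPLE_RENEWAL_CONF)}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        handler = functools.partial(_QuietHandler, directory=tmp)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        port = server.server_address[1]
        thread = threading.Thread(target=server.serve_forever, daemon=True)
        thread.start()
        try:
            results["preflight_ok"] = http01_preflight(webroot, "127.0.0.1", port, timeout=2.0)
        finally:
            server.shutdown()
            server.server_close()
            thread.join()
        # Nothing listens on that port any more: the same check must now fail,
        # which is what a blocked or unbound port 80 looks like to the CA.
        results["preflight_closed_port"] = http01_preflight(webroot, "127.0.0.1", port, timeout=2.0)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Against a real host, call `http01_preflight(Path("/var/www/html"), "example.com")` with the default port 80 from a machine outside the network; a `False` there means the same thing the failing `--dry-run` means: the validator will not reach the challenge, and the firewall, listener or virtual-host mapping needs fixing before renewals are attempted again.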