TLS-SNI-01 end-of-life


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.03 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Please forgive my ignorance. I set up the certificates originally, likely through some kind of tutorial, and they’ve been on autopilot since. I’d really appreciate any guidance as to how to update whatever it is I need to update to fix the EOL issue. I have root CLI access. Thanks much in advance!!!


Hi @jmuessig

your certificate is ~~ new
	09.03.2019, - 2 entries

So it’s not a critical problem.

Check your config file (/etc/letsencrypt/renewal) to see if tls-sni is used.

Or try to renew your certificate with

--preferred-challenges http
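
The config check suggested above, as an added example that is not part of the original thread: it reads each renewal config and reports whether `pref_challs` (certbot's stored challenge preference) pins tls-sni, names another challenge, or is absent. The sample files and their `example` names are constructed; a config with no `pref_challs` line falls back to the client's default, so it is reported as unspecified rather than safe.

```shell
#!/bin/sh
# Added example (not from the thread): report which challenge type each
# certbot renewal config pins via pref_challs.

# Print the pref_challs value of one renewal config, empty if the key is absent.
pref_challs_of() {
    sed -n 's/^[[:space:]]*pref_challs[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Classify one config as "tls-sni", "other" or "unspecified".
classify_renewal_conf() {
    case "$(pref_challs_of "$1")" in
        *tls-sni*) echo "tls-sni" ;;
        "")        echo "unspecified" ;;  # client default applies; confirm with a dry run
        *)         echo "other" ;;
    esac
}

# Audit every *.conf in a renewal directory; return 1 if any pins tls-sni.
audit_renewal_dir() {
    status=0
    for conf in "${1:-/etc/letsencrypt/renewal}"/*.conf; do
        [ -f "$conf" ] || continue
        result=$(classify_renewal_conf "$conf")
        printf '%s: %s\n' "$conf" "$result"
        if [ "$result" = "tls-sni" ]; then status=1; fi
    done
    return "$status"
}

# Constructed sample configs (hypothetical names), written to a temp directory.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'version = 0.17.0\nauthenticator = apache\ninstaller = apache\n' \
        > "$d/old.example.conf"
    printf 'version = 0.17.0\nauthenticator = apache\npref_challs = tls-sni-01,\n' \
        > "$d/pinned.example.conf"
    printf 'version = 0.28.0\nauthenticator = apache\npref_challs = http-01,\n' \
        > "$d/new.example.conf"
    echo "$d"
}

sample=$(make_sample_dir)
audit_renewal_dir "$sample" || echo "at least one lineage still pins tls-sni"
rm -rf "$sample"
```

On a real host, call `audit_renewal_dir` with no argument to scan `/etc/letsencrypt/renewal`, then confirm any "unspecified" result with `certbot renew --dry-run`.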

Thanks much for the assistance, JuergenAuer!

This is what is in my config file, I don’t see any mention of TLS?

renew_before_expiry = 30 days

version = 0.17.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

authenticator = apache
installer = apache
account =


Your certbot looks old. Perhaps you should update.

I am missing information about the validation method. Perhaps your config is so old that this information is missing.


I updated certbot to 0.28.0 with “sudo apt-get dist-upgrade”. Is there a way to regenerate the configuration files?


I ran “certbot renew --dry-run” and it produced this output. Since it says “http-01 challenge”, does this mean I do not have the TLS-SNI-01 domain validation?

Processing /etc/letsencrypt/renewal/

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/ (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Help, please? I think I have the TLS-SNI-01 validation issue solved (please see post directly above), but I would really appreciate a brief confirmation of this by anyone with knowledge, please. Thanks much!


Create a new certificate, then you know it.


To clarify further:
Create a brand new certificate (not just a renewal) and then you will surely know.


Thanks much, guys.

Idiot question here, but would I do that with certbot as I did originally? Will the new certificate overwrite the old one? Or do I need to revoke or delete it first?


It’s a normal renew, don’t revoke the old certificate.

The old will expire, then it’s dead.


Thanks JuergenAuer!

So, I could just run “certbot --apache”, select my domains, and this will create new certificates?


If you change your configuration badly, then it will not work.

So the only correct answer: I don’t know it.

Do it. Then you will see if it works.


Since I have started my tool, I see so many terrible configurations.

It’s impossible to say what will happen in a few weeks.


Congrats on your tool, JuergenAuer!

I think everything went well. Below is the new .conf file, does this look correct, as far as you can tell?

renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

authenticator = apache
installer = apache
account = ___
server =
