TLS-SNI-01 validation is reaching end-of-life

mnordhoff · January 18, 2019, 11:47am

You should be safe, then.

Certbot 0.23.0 is new enough that it supports HTTP validation, but old enough that it will continue to use TLS-SNI validation by default until Let's Encrypt disables it.

You could upgrade to a newer version of Certbot that uses HTTP validation by default, but you don't really have to.

https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

If you run "grep pref_challs /etc/letsencrypt/cli.ini /etc/letsencrypt/renewal/*", are any of your certificates forcing TLS-SNI validation?

Edit:

For posterity, the grep command above only half works. It should have been:

grep preferred-challenges /etc/letsencrypt/cli.ini
grep pref_challs /etc/letsencrypt/renewal/*

Topic		Replies	Views
Upgrade guide for TLS-SNI-01 validation is reaching end-of-life? Help	38	4892	February 27, 2019
TLS-SNI-01 validation is reaching end-of-life Help	11	998	February 20, 2019
TLS-SNI-01 end of life / HTTP-01 with version 0.22 Help	12	961	February 28, 2019
Update for TLS-SNI-01 - now certbot fails on 'Cryptography_HAS_DTLS' Help	15	2388	March 17, 2019
Challenge type "tls-sni-01" no longer allowed Help	5	2315	November 14, 2018

TLS-SNI-01 validation is reaching end-of-life

Related topics