TLS-SNI-01 validation is reaching end-of-life

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot renew --dry-run

It produced this output: tls-sni-01 challenge for

My web server is (include version): nginx version: nginx/1.15.6

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

What does “certbot --version” show?

Does it work if you run “sudo certbot renew --dry-run --preferred-challenges http-01,dns-01”?

Hi, I am able to get new certs using sudo certbot --nginx --preferred-challenges http
May be it help.

Certbot version: 0.23.0
Yes, it does work with “sudo certbot renew --dry-run --preferred-challenges http-01,dns-01”

You should be safe, then.

Certbot 0.23.0 is new enough that it supports HTTP validation, but old enough that it will continue to use TLS-SNI validation by default until Let’s Encrypt disables it.

You could upgrade to a newer version of Certbot that uses HTTP validation by default, but you don’t really have to.

If you run “grep pref_challs /etc/letsencrypt/cli.ini /etc/letsencrypt/renewal/*”, are any of your certificates forcing TLS-SNI validation?


For posterity, the grep command above only half works. It should have been:

grep preferred-challenges /etc/letsencrypt/cli.ini
grep pref_challs /etc/letsencrypt/renewal/*

See also:

I upgraded Certbot (0.28.0). All is fine now. Thanks for the help.

1 Like

Hello… Looking forward to some help.

No matter what I do, I cant renew using http. It ALWAYS goes to tls-sni

I am on Ubuntu 16.
Certbot 0.28

I see NO references to tls-sni in my conf files anywhere.
I have tried forcing the preferred challenge to HTTP-01… but it always attempts to use tls-sni

certbot --dry-run

certbot --force-renew

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for
TLS-SNI-01 is deprecated, and will stop working soon.
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssconf

I have scoured the /etc/letsencrypt folder for ANY references to tls-sni

grep -iRl “tls” ./

(no hits)

I have tried adding HTTP as a preferred challenge both in the client.ini and the domain renewal file itself… again, NO change in behavior… it continues using tls-sni


@curmudgeon, which authenticator plugin are you using?

Be sure you left cli.ini as you found it (without changes).

certbot renew --preferred-challenges http --force-renewal

dude… BOOM

Well… All is well… it worked… but I am still curious why it was defaulting to TLS-SNI. What is the answer? Why did it ignore settings in the renewal file (to prefer http) and yet worked when invoked from the command line?

Thank you for the help…

Have a wonderful day,


1 Like

my guess is a TYPO
[human interaction is flawed - LOL]

I am with ya… and God knows I have misspelled plenty.

But if you misspell the conf file it says “option not known”… a message I received, corrected, and proceeded to try again.

No error message followed, but it insisted on using tls-sni.

Oh well

All’s well that ends well :wink:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.