TLS-SNI-01 validation is reaching end-of-life


What do I really have to do? How can I see which situation I am in? How can I fix it, in case I'm wrong?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: None, I've just received an email with this warning, which obviously got me nervous.

It produced this output: My personal worry!

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: not hosting. It runs on aws EC2 machine (amazon)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

TLS-SNI-01 validation end-of-life: What to do?

Hi @matiassklar

Your certificate is valid, so this isn't a critical problem.

Check your Certbot version, perhaps update it.

If the renewal doesn't work (~ starting 02-2019), try

--preferred-challenges http

An open port 80 is required.


What if I don't want to allow port 80? Thanks in advance.


Thanks for your fast reply. So my renewal may fail in February? If yes, it is a critical situation indeed. I don't know what "try --preferred-challenges http" means. Do I have to add that to any script?

  • My inbound port 80 is opened.
  • My certbot version is 0.14.2


I'm not an expert, only another user, but I read somewhere that you should:
open /etc/letsencrypt/cli.ini
and add to the end: preferred-challenges = http
then renew with certbot using a dry run to check for any errors.
After everything is fine, then renew with certbot.


It means that certbot should use http validation, not tls-sni validation.

If your port 80 is open and http works, this is good. But your certbot looks very old. Check if there is an update.
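An added example (not code from the thread or from Certbot itself) that automates the two checks suggested above: list the renewal configs under /etc/letsencrypt/renewal that explicitly pin tls-sni-01 (Certbot stores --preferred-challenges there as a pref_challs line under [renewalparams]) and set preferred-challenges = http in cli.ini without duplicating an existing line. The function names, the script name and the directory/file paths passed as arguments are assumptions; the sample configs in the usage note are constructed, not from the poster's machine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot itself.
# Checks which challenge a Certbot renewal config is pinned to and
# makes cli.ini prefer http-01, so "certbot renew" stops asking for
# tls-sni-01. Paths are passed as arguments so it can be tried on a
# scratch copy before touching /etc/letsencrypt.

# Print the challenge preference stored in one renewal conf. Certbot
# records --preferred-challenges as "pref_challs = ..." under
# [renewalparams]; prints "unset" when the file pins nothing.
renewal_pref_challs() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*pref_challs[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# Succeed (exit 0) when the renewal conf explicitly asks for tls-sni-01.
uses_tls_sni() {
    case "$(renewal_pref_challs "$1")" in
        *tls-sni-01*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the base names of all renewal confs in a directory that still
# pin tls-sni-01 (e.g. list_tls_sni_confs /etc/letsencrypt/renewal).
list_tls_sni_confs() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if uses_tls_sni "$f"; then basename "$f" .conf; fi
    done
}

# Idempotently set "preferred-challenges = http" in a cli.ini: an
# existing preferred-challenges line is replaced, not duplicated.
ensure_http_preferred() {
    ini="$1"
    tmp="$ini.tmp"
    [ -f "$ini" ] || : > "$ini"
    grep -v '^[[:space:]]*preferred-challenges[[:space:]]*=' "$ini" > "$tmp" || true
    printf 'preferred-challenges = http\n' >> "$tmp"
    mv "$tmp" "$ini"
}

# Usage (hypothetical script name):
#   sh check_challs.sh /etc/letsencrypt/renewal [/etc/letsencrypt/cli.ini]
if [ "$#" -ge 1 ]; then
    echo "renewal configs still pinned to tls-sni-01:"
    list_tls_sni_confs "$1"
    if [ "$#" -ge 2 ]; then ensure_http_preferred "$2"; fi
fi
```

Try it first on a copy of the two files (a constructed renewal conf containing `pref_challs = tls-sni-01,` is reported; one without a pref_challs line is not). After editing the real cli.ini, `sudo certbot renew --dry-run` remains the authoritative check: its output should show `http-01 challenge for` rather than `tls-sni-01 challenge for`, and http-01 only works if Let's Encrypt can reach port 80 from the internet, not merely if the port is open locally.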


Could you help me please...
What if I don't want to use port 80?
How can I solve the emailed tls-sni question?

My certbot version is: 0.26.1
I have only one domain.
BUT I do not use the standard ports 80 and 443. I use other ports instead.
Certbot is working fine now, but I do not know what will happen later.


I ran these commands to do the certbot update:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

Now the certbot version is 0.28.0.

I ran "sudo certbot renew --dry-run" again and this is the result. Can you tell me if I am now finally using http validation as you suggested, instead of TLS-SNI-01? And am I now OK for further renewals, or do I have to change something else?

Here the result of “sudo certbot renew --dry-run”:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/ (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


You should be fine for regular renewals.


Thanks all for help in this issue.


see: ACME TLS-SNI-01 Email -- Inbound Port 80 closed by design

