TLS-SNI-01 validation is reaching end-of-life

What do i really have to do? how can i see wich is my sutuaction? how can i fix it, in case i’m wrong?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kevingston.com

I ran this command: No one, i`ve just received an email with this warning, that obviously get me nervious.

It produced this output: My personal worry!

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: not hosting. It runs on aws EC2 machine (amazon)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @matiassklar

your certificate is valide, so this isn't a critical problem.

Check your Certbot version, perhaps update it.

If the renew doesn't work (~~ start 02-2019), try

.--preferred-challenges http

an open port 80 is required.

What if i dont want to allow the 80 port? thnx in advance.

Thanks for your fast reply. So my renew may fail on february? if yes it is critical situation endeed. I dont know what “try .–preferred-challenges http” means. Do I have to add that to any script?

  • My inbound port 80 is opened.
  • My certbot version is 0.14.2

I’m not expert only another user, but a read somewhere that:
open /etc/letsencrypt/cli.ini
and add to the end: preferred-challenges = http
than renew the certboot with dryrun to check any error.
After anything is fine, than renew the certboot.

It means that certbot should use http validation, not tls-sni-validation.

If your port 80 is open and http works, this is good. But your certbot looks very old. Check

if there is an update.

Could you help me pls…
What if i dont want to use port:80?
How can i solve the emailed tls-sni question.

My cetbot – version is: 0.26.1
I have only one domain.
BUT i do not use the standard ports: 80 and 443. I use anothers instead.
The cerbot is working fine know, but i do not know what will be later.

I ran this commands to do the certbot update:
sudo apt-get update sudo apt-get install software-properties-common
sudo add-apt-repository universe sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update sudo apt-get install python-certbot-apache

Now the certbot version is 0.28.0.

I ran again “sudo certbot renew --dry-run” and this is the result. Can you tell me if now finally i am using http validation as you suugested, instead of TLS-SNI-01? and if i am now OK for further renewals, or i have to change something else?

Here the result of “sudo certbot renew --dry-run”:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/kevingston.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kevingston.com
http-01 challenge for www.kevingston.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/kevingston.com/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/kevingston.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


You should be fine for regular renewals.

Thanks all for help in this issue.

1 Like

see: ACME TLS-SNI-01 Email -- Inboud Port 80 closed by design - #3 by jmorahan

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.