TLS-SNI-01 validation is reaching end-of-life

Hi @UbikMZ! I want to emphasize what Osiris has said - there are a lot of people here working hard in their spare time to give you help for free. For my part, I do apologize for the late notice you received about TLS-SNI deprecation. And as tdelmas said, you’ve actually got a lot longer than you think - you’ve got 90 days from the issuance of your last certificate, whenever that was.

It sounds like you have particularly in-depth needs for support, so you might benefit from paying a commercial CA for a certificate and using their paid support.

1 Like

Just to be clear: The TLS problem has been ongoing for over one year.
See: March 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support

Hi @jsha
Thanks for your message.
I have already expressed my thanks to your team for their time and efforts.
I don’t think the configuration of my server is that complicated and my knowledge of it so low as to require in-depth help just to upgrade.
However, I’ll be glad to pay for it just to stop the nightmare I have been living for a couple of days and nights.
Would you be so kind as to provide the way to join this support?
Kind regards.

Sure, if you Google “ssl certificate,” you’ll find a number of paid options. You should click around to find one that offers a support package you like for a reasonable price.


Hi Jacob
I was wondering if I could stay with you paying for the support.
Concerning other CA providers I already started research to find an alternative.
Kind regards

You could always donate, but that wouldn't make any difference in the amount of support you'd get. This volunteer based community service is all there really is.

1 Like

Hi Rudy
Welcome back :grinning:
Even though this problem has been going on for a year, I got informed about it just a couple of days ago.
Thanks again for your help the other night. It helped me to avoid a disaster.

1 Like

You're very welcome.
Although I haven’t been able to resolve why the http challenges don’t work…
We did manage to get you 90 days to resolve this problem.
I’m sure someone here can figure this out long before that time comes.
You need not worry (so much) about this.


1 Like

You did the best possible job it was possible to do in the mess in which I have landed.
In the night of 12 - 13 I’ll be flying to Patagonia.
If my system doesn’t work as from February 13, I’m jobless when I’m back.
Not easy to be relaxed in that configuration.
Understandable, isn’t it? :sunglasses:

I think you have misunderstood what is expected to happen on/after Feb 13.

Nothing is expected to happen that will stop your cert from working until its expiration date, which is May 2.
So we have until then to figure out how to get the automation process working with HTTP-01.



Thanks - I’ve received very good communication about this from you and it’s been easy to change the verification method to the new one.


Good info,
Can it be that by me

Options used in the renewal process

authenticator = webroot
installer = apache
[[webroot_map]] = /var/www/ecoviewater/public_html = /var/www/ecoviewater/public_html

webroot_map section does not exist?
Is this section mandatory?

It gets created automatically when --webroot is used (successfully) to get a cert / renew a cert.

1 Like
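An added example, not part of the thread and not Certbot's own code: a small check of a renewal file for the two points raised above, whether TLS-SNI-01 is still requested and whether a webroot authenticator has a webroot recorded. It assumes the layout Certbot writes under /etc/letsencrypt/renewal/ (a `[renewalparams]` section, a `[[webroot_map]]` subsection, the `pref_challs` and `webroot_path` keys); the sample file, domain and paths are constructed.

```python
import re

# Constructed sample in the layout assumed for /etc/letsencrypt/renewal/*.conf
# (domain and paths are made up for illustration).
SAMPLE_CONF = """\
# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
pref_challs = tls-sni-01,
[[webroot_map]]
example.org = /var/www/example/public_html
"""

def parse_renewal(text):
    """Return (params, webroot_map) from the text of a renewal .conf file."""
    params, webroot_map, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Matches both "[renewalparams]" and the nested "[[webroot_map]]".
        header = re.fullmatch(r"\[+\s*([^\[\]]+?)\s*\]+", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "renewalparams":
            params[key] = value
        elif section == "webroot_map":
            webroot_map[key] = value
    return params, webroot_map

def findings(text):
    """List what needs attention before TLS-SNI-01 validation ends."""
    params, webroot_map = parse_renewal(text)
    out = []
    challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if "tls-sni-01" in challs:
        out.append("pref_challs still requests tls-sni-01")
    if params.get("authenticator") == "webroot" and not (
            webroot_map or params.get("webroot_path")):
        out.append("authenticator is webroot but no webroot path is recorded")
    return out

if __name__ == "__main__":
    for item in findings(SAMPLE_CONF) or ["nothing flagged"]:
        print(item)
```

An empty result only means neither condition was found in the file; `certbot renew --dry-run` remains the end-to-end test of the renewal itself.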

Yes, I’m sure you helped out :wink: Great community - thanks once again.

1 Like

Have you enabled fail2ban or anything else which might block Amazon IPs?
I did that, and then HTTP-01 renewal stopped working because several of the Let's Encrypt servers are hosted on Amazon.
Took a while to diagnose…

1 Like

I sympathize with UbikMZ, while fully respecting that people around here are volunteers.

It is a pity that Let’s Encrypt does not go for a commercial service with decent support. We would be happy to pay for that.

As it is, this “TLS-SSN-01” issue is just frustration for me. There aren’t even instructions for how to check if anything at all needs to be done. I still do not know if I should spend time on this or not.

Hi @joheben
I feel less alone now.

The first thing to do is to check your certification validity. You can get this info here: SSL Server Test (Powered by Qualys SSL Labs)

The info you'll get there will let you know how much time you have left to migrate.
How you have to do it is another question.
I suppose many people have succeeded, I have failed.
