Upcoming TLS-SNI Deprecation in Certbot

In Certbot 0.28.0 (the November 2018 release), Certbot will begin to prefer the HTTP-01 challenge type to the TLS-SNI-01 challenge type when both are available.

Users who first obtained a certificate for their domain before January 2018 and have not changed the account they use to issue certificates for those domains may encounter issues when Certbot attempts to automatically renew their certificates.

Certificates obtained for other domains since then have already been using the HTTP-01 validation method for initial issuance, and are unlikely to encounter new issues from this change.

The Certbot team recommends that users test manually from the command line in advance of certificate expiry. To use the HTTP-01 challenge type regardless of Certbot version, add the flag --preferred-challenges http-01,dns-01 at the command line. For example:


certbot renew --dry-run --preferred-challenges http-01,dns-01

Users encountering errors may need to fix their firewall settings to allow incoming connections on port 80. Some resources about configuring a firewall are available here for Debian and Ubuntu users, here for CentOS 7 users, and here for other Linux users.

Between November and February (when the TLS-SNI-01 challenge type is deprecated at the server end), users who have been relying on TLS-SNI-01 can use the flag --preferred-challenges tls-sni-01 as a temporary patch to get a certificate quickly, before correcting the configuration.
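As an added example (not part of the announcement, and not Certbot's own code), the script below inventories the renewal configuration files Certbot keeps under /etc/letsencrypt/renewal/ and reports, per certificate lineage, whether the saved challenge preference still pins TLS-SNI-01 (for instance after the temporary --preferred-challenges tls-sni-01 workaround above) or whether the lineage will now validate over HTTP-01 and therefore needs port 80 reachable. It assumes the renewal file layout Certbot writes: top-level keys, then a [renewalparams] section whose pref_challs key stores the saved --preferred-challenges list; the directory path and the embedded sample files are constructed placeholders.

```python
"""Added example: scan Certbot renewal files for lineages still pinned to the
deprecated TLS-SNI-01 challenge and for lineages that will need port 80.

Assumptions: renewal files live under /etc/letsencrypt/renewal/*.conf and
the saved --preferred-challenges value is stored as `pref_challs = ...` in
the [renewalparams] section (check this against your own files)."""

import glob
import os
import re

DEPRECATED = "tls-sni-01"
RENEWAL_DIR = "/etc/letsencrypt/renewal"  # assumed default location


def parse_renewal_conf(text):
    """Parse the INI-like renewal file into {section: {key: value}}.
    Keys that appear before the first [section] header go under ""."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def preferred_challenges(sections):
    """Return the saved --preferred-challenges list, or [] if none was saved."""
    raw = sections.get("renewalparams", {}).get("pref_challs", "")
    return [c.strip() for c in raw.split(",") if c.strip()]


def assess(sections):
    """Classify one lineage:
    'pinned-tls-sni' - saved preference still puts the deprecated type first
    'dns-01'         - saved preference puts DNS validation first (no port 80)
    'http-01'        - anything else: Certbot 0.28+ prefers HTTP-01, port 80
                       must accept incoming connections for renewal to work."""
    prefs = preferred_challenges(sections)
    if prefs and prefs[0] == DEPRECATED:
        return "pinned-tls-sni"
    if prefs and prefs[0] == "dns-01":
        return "dns-01"
    return "http-01"


def scan(renewal_dir=RENEWAL_DIR):
    """Map each renewal file name in renewal_dir to its assessment."""
    result = {}
    for path in sorted(glob.glob(os.path.join(renewal_dir, "*.conf"))):
        with open(path) as fh:
            result[os.path.basename(path)] = assess(parse_renewal_conf(fh.read()))
    return result


# Constructed samples in the shape Certbot writes; all values are placeholders.
SAMPLE_PINNED = """\
# renew_before_expiry = 30 days
version = 0.27.1
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = apache
installer = apache
account = 0123456789abcdef
pref_challs = tls-sni-01,
"""

SAMPLE_DEFAULT = """\
version = 0.27.1
cert = /etc/letsencrypt/live/example.org/cert.pem
[renewalparams]
authenticator = nginx
installer = nginx
account = 0123456789abcdef
"""

if __name__ == "__main__":
    for name, conf in (("example.com.conf", SAMPLE_PINNED),
                       ("example.org.conf", SAMPLE_DEFAULT)):
        print(name, "->", assess(parse_renewal_conf(conf)))
    # On a real host this walks the live renewal directory.
    for name, verdict in scan().items():
        print(name, "->", verdict)
```

Any lineage reported as pinned-tls-sni should be re-run with certbot renew --dry-run --preferred-challenges http-01,dns-01 before the February server-side deprecation, so the saved preference is replaced; lineages reported as http-01 are the ones for which the port 80 firewall check above matters.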
