Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: and

I ran this command:

It produced this output:

My web server is (include version): Apache 4.2

The operating system my web server runs on is (include version): Mac OSX 10.14.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Just received this email, and like many, I suspect, have no idea what it means.

I’m using “certbot” to renew certs on a regular basis.

/usr/local/bin/certbot renew

The following certs are not due for renewal yet:
/etc/letsencrypt/live/ expires on 2019-02-24 (skipped)
/etc/letsencrypt/live/ expires on 2019-03-14 (skipped)
/etc/letsencrypt/live/ expires on 2019-03-14 (skipped)
No renewals were attempted.


Action is required to prevent your Let’s Encrypt certificate renewals from breaking.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let’s Encrypt community forum:

Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:

Thank you,
Let’s Encrypt Staff


Most likely, all you need to do is ensure that Certbot is updated to the latest version from Homebrew (0.30+):

/usr/local/bin/certbot --version

and make sure that a renewal dry-run succeeds without complaints:

/usr/local/bin/certbot renew --dry-run
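A pre-check to run before the dry-run suggested above, as an added example that is not part of the original thread or of Certbot itself: it compares the installed version against the 0.30 minimum from the reply and flags renewal configs that still pin the retired challenge. The function names are hypothetical, and the `/etc/letsencrypt/renewal` directory and `pref_challs` key are assumptions about a default Certbot install.

```shell
#!/bin/sh
# Added example, not from the thread. MIN_VERSION is the "0.30+" given in the reply.
MIN_VERSION="0.30.0"
# Assumption: Certbot's default renewal config directory.
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# Extract "0.30.0" from a line such as "certbot 0.30.0".
parse_certbot_version() {
    printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed if dotted version A >= B, comparing fields numerically
# (so 0.30.0 > 0.9.0, which a plain string comparison gets wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=""; else b=${b#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# Succeed if a renewal config still pins the retired challenge type.
pins_tls_sni() {
    grep -Eq '^[[:space:]]*pref_challs[[:space:]]*=.*tls-sni-01' "$1"
}

check_host() {
    status=0
    ver=$(parse_certbot_version "$(certbot --version 2>&1)")
    if [ -n "$ver" ] && version_ge "$ver" "$MIN_VERSION"; then
        echo "OK: certbot $ver"
    else
        echo "UPDATE: certbot ${ver:-unknown} is older than $MIN_VERSION"; status=1
    fi
    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        if pins_tls_sni "$conf"; then echo "PINNED: $conf"; status=1; fi
    done
    return "$status"
}

# Run the check only when certbot is on PATH.
if command -v certbot >/dev/null 2>&1; then check_host || true; fi
```

A clean result here does not replace the dry-run, which is what actually exercises the validation path.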


Thanks. Done. Needed the “--version” though to check

robert$ /usr/local/bin/certbot --version
certbot 0.30.0

