Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days

rachalmers · January 18, 2019, 9:41am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: robert-chalmers.uk and quantum-radio.net

I ran this command:

It produced this output:

My web server is (include version): Apache 4.2

The operating system my web server runs on is (include version): Mac OSX 10.14.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi,
Just received this email, and like many, I suspect, have no idea what it means.

I'm using "certbot" to renew certs on a regular basis.

/usr/local/bin/certbot renew

The following certs are not due for renewal yet:
/etc/letsencrypt/live/www6.robert-chalmers.uk/fullchain.pem expires on 2019-02-24 (skipped)
/etc/letsencrypt/live/www.quantum-radio.net/fullchain.pem expires on 2019-03-14 (skipped)
/etc/letsencrypt/live/robert-chalmers.uk/fullchain.pem expires on 2019-03-14 (skipped)
No renewals were attempted.

==============================
Hello,

Action is required to prevent your Let's Encrypt certificate renewals from breaking.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let's Encrypt community forum:

Help - Let's Encrypt Community Support

Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:

Thank you,
Let's Encrypt Staff

_az · January 18, 2019, 9:44am

Most likely, all you need to do is ensure that Certbot is updated to the latest version from Homebrew (0.30+):

/usr/local/bin/certbot --version

and make sure that a renewal dry-run succeeds without complaints:

/usr/local/bin/certbot renew --dry-run

rachalmers · January 18, 2019, 9:52am

Thanks. Done. Needed the "--version" though to check

robert$ /usr/local/bin/certbot --version
certbot 0.30.0

system · February 17, 2019, 9:52am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Action required: Let's Encrypt certificate renewals Help	22	6097	February 20, 2019
Renewal done, but still expired Help	7	660	January 3, 2020
Action is required to prevent your Let's Encrypt certificate renewals from breaking Help	7	1448	February 17, 2019
"Your Let’s Encrypt client used ACME TLS-SNI-01..." Which one? Feature Requests	17	6750	February 20, 2019
Action is required to prevent your Let's Encrypt certificate renewals from breaking Ubunty 14.04 (Trusty Tahr) Help	32	6900	February 17, 2019

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days

Related Topics