Let’s Encrypt TLS-SNI-01 validation is reaching end-of-life

If you use Let’s Encrypt certificates and have received an email asking you to take action on the renewal of your certificate, that’s because Let’s Encrypt announced in October 2018 that it will end support for the TLS-SNI-01 validation method on February 13, 2019. You need to update your ACME client to use an alternative validation method: HTTP-01, DNS-01 or TLS-ALPN-01. If no action is taken, you may end up with an out-of-date certificate for your domain.

To check your certbot version:

certbot --version

If your server is up to date, the version should be 0.28. If not, you can upgrade Certbot at https://certbot.eff.org/. It will ask you to pick your software and system, and it will give you detailed documentation on how to upgrade based on your software and system.

To install for Apache, you can run this command:

sudo apt-get install python-certbot-apache

To test do a renewal dry run:

sudo certbot renew --dry-run

If everything goes well you should see “Congratulations, all renewals succeeded”. If it fails, you need to fix it: take a look at the log and the firewall to make sure the request is not being blocked, then try again.
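Upgrading Certbot does not change a renewal configuration that explicitly names the old challenge type, so it is worth checking for that as well as the version. The script below is an added example, not part of the original post; it assumes Certbot's default renewal directory /etc/letsencrypt/renewal and its pref_challs option, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a host for leftover TLS-SNI-01 usage.
# Assumptions: renewal configs live in /etc/letsencrypt/renewal/*.conf and
# record the challenge type in "pref_challs"; function names are hypothetical.

# version_ok "certbot 0.27.1"
# Returns 0 when the reported version is 0.28 or newer, 1 when older,
# 2 when no version number could be parsed from the string.
version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # $1 = major, $2 = minor
    [ "$1" -gt 0 ] || [ "$2" -ge 28 ]
}

# pinned_tls_sni DIR
# Prints every renewal config in DIR whose active (non-comment) pref_challs
# line still names tls-sni. Returns 0 when at least one file is found.
pinned_tls_sni() {
    grep -lE '^[[:space:]]*pref_challs[[:space:]]*=.*tls-sni' \
        "$1"/*.conf 2>/dev/null
}

# Run as: sh audit.sh audit [renewal-dir]
if [ "${1:-}" = "audit" ]; then
    dir=${2:-/etc/letsencrypt/renewal}
    # 2>&1 in case this Certbot build prints its version on stderr.
    if version_ok "$(certbot --version 2>&1)"; then
        echo "certbot version is 0.28 or newer"
    else
        echo "certbot is older than 0.28 (or not found): upgrade first"
    fi
    if files=$(pinned_tls_sni "$dir"); then
        echo "pref_challs still names tls-sni-01 in:"
        echo "$files"
    else
        echo "no renewal config pins tls-sni-01"
    fi
fi
```

Any file it lists needs its pref_challs value changed to a supported method such as http-01 before the dry run is repeated.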

Here is a link from Let’s Encrypt Community Support on How to stop using TLS-SNI-01 with Certbot. Please update your server certificate to keep it secure.


