Question
Let's Encrypt ACME TLS-SNI-01 end of life
- Posted on January 18, 2019
- Let's EncryptUbuntu
Asked by nilssonvik
I received this email today and wanted to know what I should do, server wise.
Hello,
Action is required to prevent your Let’s Encrypt certificate renewals from breaking.
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.
TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
If you need help updating your ACME client, please open a new topic in the Help category of the Let’s Encrypt community forum:
https://community.letsencrypt.org/c/help
Please answer all of the questions in the topic template so we can help you.
For more information about the TLS-SNI-01 end-of-life please see our API announcement:
Thank you, Let’s Encrypt Staff
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.
I believe you do not have to do anything if you are using “python-certbot-apache” package to automatically renew the certificates. Do the following in order to see if it uses “tls-sni-01” or “http-01” to renew your certificates. If it uses “http-01” you are all fine.
If the dry run is successful, you do not have to do anything. If not, just update your packages and it would probably use “http-01” to update your certificates automatically.
After executing the above, run the dry run again to see if it works correctly.
When i renew i am getting this message
DRY RUN: simulating ‘certbot renew’ close to cert expiry what is it mean?
I am good right?
[~# sudo certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/mydomainname.com.conf
Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator apache, Installer apache Renewing an existing certificate Performing the following challenges: http-01 challenge for mydomainname.com http-01 challenge for www.mydomainname.com Waiting for verification… Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/mydomainname.com/fullchain.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry ** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/mydomainname.com/fullchain.pem (success) ** DRY RUN: simulating ‘certbot renew’ close to cert expiry ** (The test certificates above have not been saved.)
]