Let's Encrypt ACME TLS-SNI-01 end of life

Posted January 18, 2019
Tags: Ubuntu, Let's Encrypt

I received this email today and wanted to know what I should do, server wise.


Action is required to prevent your Let’s Encrypt certificate renewals from breaking.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let’s Encrypt community forum:

Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:

Thank you,
Let’s Encrypt Staff

1 comment
  • sed: couldn’t edit /etc/letsencrypt/renewal/systemctl start nginx: not a regular file

    I got the above error message when I run this:

    sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

    How should I fix it?

5 answers

I believe you do not have to do anything if you are using the “python-certbot-apache” package to automatically renew the certificates.
Do the following in order to see if it uses “tls-sni-01” or “http-01” to renew your certificates. If it uses “http-01” you are all fine.

$ sudo certbot renew --dry-run

If the dry run is successful, you do not have to do anything.
If not, just update your packages and it would probably use “http-01” to update your certificates automatically.

$ sudo apt-get update
$ sudo apt-get upgrade

After executing the above, run the dry run again to see if it works correctly.

  • I am having the same issue.

    First I did:

    sudo apt-get update
    sudo apt-get upgrade
    sudo service nginx restart

    Then I did:

    sudo certbot renew --dry-run


    Performing the following challenges:
    tls-sni-01 challenge for

    Then I tried:

    sudo certbot renew --dry-run --preferred-challenges http-01


    ...produced an unexpected error: None of the preferred challenges are supported by the selected plugin...

    I don’t know what to do to change from tls-sni-01 to HTTP-01. Please help me.

    • I had the same problem. You just need to update your certificate config files before attempting to use the HTTP-01 challenge. Simply edit your /etc/letsencrypt/renewal/<domain>.conf by commenting out the current [renewalparams] section and replacing it with the following:

      authenticator = webroot
      installer = None
      account = <account-id>
      <domain> = <document-root>

      Do this for each config file in your /etc/letsencrypt/renewal/ directory. Also, if the same certificate applies to multiple domains (for example a www and a non-www version of the same domain), you can add multiple lines under the webroot_map one for each domain.

      Then run sudo certbot renew --dry-run again and hopefully this time it should be able to renew the certificate using the HTTP-01 challenge. Hope that helps.

      • It worked! Thank you very much!

      • Great instructions it fixed it for me too!

        Just FYI for anyone else who is doing this. You may get an error if you don’t include both the www and the non-www version of your domains. So mine started to work when I did:

        <domain>.com = <document-root>
        www.<domain>.com = <document-root>
      • I followed these above instructions, but it isn’t working for me. Does anything change for an nginx server?

        I replaced:

        authenticator = nginx
        installer = nginx
        account = <account-id>


        authenticator = webroot
        installer = None
        account = <account-id>
        [[webroot_map]] = /var/www/ = /var/www/

        And on running sudo certbot renew --dry-run it successfully attempts an HTTP-01 challenge. However, I am getting the following error (where I’ve replaced my domain name with

        Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<!DOCTYPE html>\n<html lang=\"en-US\"\n\titemscope \n\titemtype=\"\" \n\tprefix=\"og:\" >\n<head>\n<". Skipping.

        … (a bunch of other stuff for the other domains) …

        To fix these errors, please make sure that your domain name was
        entered correctly and the DNS A/AAAA record(s) for that domain
        contain(s) the right IP address. Additionally, please check that
        your computer has a publicly routable IP address and that no
        firewalls are preventing the server from communicating with the
        client. If you're using the webroot plugin, you should also verify
        that you are serving files from the webroot path you provided.

        I tried creating a test file in .well-known/acme-challenge and when I go to, it successfully autodownloads the test file.


  • Update and upgrade was all I needed, thanks!

When I renew I am getting this message:

DRY RUN: simulating ‘certbot renew’ close to cert expiry

What does it mean?

  • As far as I know, the '--dry-run' parameter just simulates, and it only does so with the certificates that are close to expiring.
    If you really want to renew, remove the '--dry-run' parameter.

I am good, right?

~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/ (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


I got this error:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/ (failure).

What should I do?

I had the same issue; updating and messing with the config file did not work for me. All I needed to do was update my certbot as outlined in
I just ran the following commands:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-apache

and skipped the Installing DNS plugins part as I was afraid it would mess up my configuration.

After that, I removed any explicit references to tls-sni-01 in my renewal configuration using:

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

as explained here:

sudo certbot renew --dry-run

and it worked like a charm.

It took me a couple of hours of searching for the right solution and, once I found it, 5 min to fix it. Hope that it’ll save someone some time. Cheers!
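The two config-level fixes discussed in this thread, the sed one-liner that rewrites pref_challs (which failed for the first commenter with "not a regular file" because the bare /etc/letsencrypt/renewal/* glob matched something that was not a file) and the switch to the webroot authenticator with a [[webroot_map]] entry for every name on the certificate (the www / non-www replies above), as one added shell example. This is not code from the thread or from the certbot project; the sample renewal config, the document root /var/www/html, the domains and the account id are constructed values. The functions only ever touch regular *.conf files, keep a .bak copy of anything they change, and the demo runs in a scratch directory rather than against /etc/letsencrypt.

```shell
#!/bin/sh
# Added example: not code from this thread or from the certbot project.
# Helpers for the renewal configs certbot keeps in /etc/letsencrypt/renewal/.
#   fix_pref_challs DIR
#       Rewrites "pref_challs = ... tls-sni-01 ..." to http-01 in every regular
#       *.conf file under DIR. Only regular files are touched, which is the
#       check the bare "/etc/letsencrypt/renewal/*" glob in the one-liner lacked
#       ("not a regular file"). A .bak copy is kept beside each changed file.
#   migrate_to_webroot CONF DOCROOT DOMAIN...
#       Switches [renewalparams] to the webroot authenticator and writes one
#       [[webroot_map]] line per DOMAIN (list www and non-www both, as the
#       replies found necessary).
# DOCROOT, the domains, the account id and the sample config in demo() are
# constructed values. Run the demo in a scratch directory; point the helpers at
# /etc/letsencrypt only after reviewing the result with "certbot renew --dry-run".

fix_pref_challs() {
    dir=$1
    changed=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue                     # skip dirs, sockets, the literal glob
        grep -q '^pref_challs.*tls-sni-01' "$f" || continue
        cp -p "$f" "$f.bak"
        # Same substitution as the sed one-liner, plus a pass that collapses the
        # "http-01, http-01" that a list such as "tls-sni-01, http-01" becomes.
        sed -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/' \
            -e '/^pref_challs/ s/http-01, *http-01/http-01/' "$f.bak" > "$f"
        changed=$((changed + 1))
    done
    echo "$changed"                                 # number of files rewritten
}

migrate_to_webroot() {
    conf=$1; docroot=$2; shift 2
    [ -f "$conf" ] || { echo "not a regular file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak"
    # Keep everything except the plugin settings and any old webroot_map block.
    awk '
        /^\[\[webroot_map\]\]/ { skip = 1; next }   # drop the old map ...
        /^\[/                  { skip = 0 }         # ... until the next section
        skip                   { next }
        /^authenticator *=/    { print "authenticator = webroot"; next }
        /^installer *=/        { print "installer = None"; next }
        /^pref_challs *=/      { print "pref_challs = http-01"; next }   # webroot only does http-01
        { print }
    ' "$conf.bak" > "$conf"
    # [[webroot_map]] is a subsection of [renewalparams]; that section is the
    # last one in the renewal files, so appending keeps the map inside it.
    printf '[[webroot_map]]\n' >> "$conf"
    for d in "$@"; do
        printf '%s = %s\n' "$d" "$docroot" >> "$conf"
    done
}

# Demo on a constructed renewal config in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/example.com.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = 0123456789abcdef0123456789abcdef
pref_challs = tls-sni-01, http-01
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    mkdir "$tmp/stray.conf"                         # a directory the bare glob would choke on
    echo "files rewritten: $(fix_pref_challs "$tmp")"
    migrate_to_webroot "$tmp/example.com.conf" /var/www/html example.com www.example.com
    cat "$tmp/example.com.conf"
    rm -rf "$tmp"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with RUN_DEMO=1 to see the rewritten config; after applying the helpers to a real renewal directory, `sudo certbot renew --dry-run` should report an http-01 challenge for each name, and the .well-known/acme-challenge test described above still has to succeed over plain HTTP for every name in the map.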