Let's Encrypt ACME TLS-SNI-01 end of life

January 18, 2019

I received this email today and wanted to know what I should do, server wise.

Hello,

Action is required to prevent your Let’s Encrypt certificate renewals from breaking.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let’s Encrypt community forum:

https://community.letsencrypt.org/c/help

Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:

https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let’s Encrypt Staff

1 comment
  • sed: couldn’t edit /etc/letsencrypt/renewal/systemctl start nginx: not a regular file

    I got the above error message when I ran this:

    sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
    

    How should I fix it?

5 Answers
aminakbari94 January 18, 2019
Accepted Answer

I believe you do not have to do anything if you are using the “python-certbot-apache” package to automatically renew the certificates.
Do the following to see whether it uses “tls-sni-01” or “http-01” to renew your certificates. If it uses “http-01”, you are fine.

$ sudo certbot renew --dry-run

If the dry run is successful, you do not have to do anything.
If not, just update your packages and it will probably use “http-01” to renew your certificates automatically.

$ sudo apt-get update
$ sudo apt-get upgrade

After executing the above, run the dry run again to see if it works correctly.

  • I am having the same issue.

    First I did:

    sudo apt-get update
    sudo apt-get upgrade
    sudo service nginx restart
    

    Then I did:

    sudo certbot renew --dry-run
    

    Result:

    ...
    Performing the following challenges:
    tls-sni-01 challenge for mysite.com
    ...
    

    Then I tried:

    sudo certbot renew --dry-run --preferred-challenges http-01
    

    Result:

    ...produced an unexpected error: None of the preferred challenges are supported by the selected plugin...
    

    I don’t know what to do to change from tls-sni-01 to HTTP-01. Please help me.

    • I had the same problem. You just need to update your certificate config files before attempting to use the HTTP-01 challenge. Simply edit your /etc/letsencrypt/renewal/<domain>.conf by commenting out the current [renewalparams] section and replacing it with the following:

      [renewalparams]
      authenticator = webroot
      installer = None
      account = <account-id>
      [[webroot_map]]
      <domain> = <document-root>
      

      Do this for each config file in your /etc/letsencrypt/renewal/ directory. Also, if the same certificate applies to multiple domains (for example a www and a non-www version of the same domain), you can add multiple lines under webroot_map, one for each domain.

      Then run sudo certbot renew --dry-run again and hopefully this time it should be able to renew the certificate using the HTTP-01 challenge. Hope that helps.

      • It worked! Thank you very much!

      • Great instructions it fixed it for me too!

        Just FYI for anyone else who is doing this. You may get an error if you don’t include both the www and the non-www version of your domains. So mine started to work when I did:

        [[webroot_map]]
        <domain>.com = <document-root>
        www.<domain>.com = <document-root>
        
      • I followed these above instructions, but it isn’t working for me. Does anything change for an nginx server?

        I replaced:

        [renewalparams]
        authenticator = nginx
        installer = nginx
        account = <account-id>
        

        with:

        [renewalparams]
        authenticator = webroot
        installer = None
        account = <account-id>
        [[webroot_map]]
        mydomain.com = /var/www/mydomain.com/html
        www.mydomain.com = /var/www/mydomain.com/html
        

        And on running sudo certbot renew --dry-run it successfully attempts an HTTP-01 challenge. However, I am getting the following error (where I’ve replaced my domain name with mydomain.com).

        Failed authorization procedure. mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.com/.well-known/acme-challenge/8Ss6SJvu9r6exwrn4QjADsMhzJwXDXoBM8ta4dMqR6Q: "<!DOCTYPE html>\n<html lang=\"en-US\"\n\titemscope \n\titemtype=\"http://schema.org/WebSite\" \n\tprefix=\"og: http://ogp.me/ns#\" >\n<head>\n<". Skipping.

        … (a bunch of other stuff for the other domains) …

        To fix these errors, please make sure that your domain name was
        entered correctly and the DNS A/AAAA record(s) for that domain
        contain(s) the right IP address. Additionally, please check that
        your computer has a publicly routable IP address and that no
        firewalls are preventing the server from communicating with the
        client. If you're using the webroot plugin, you should also verify
        that you are serving files from the webroot path you provided.

        I tried creating a test file in .well-known/acme-challenge and when I go to http://mydomain.com/.well-known/acme-challenge/test, it successfully autodownloads the test file.

        Help?

        • The first time I tried to set this up I got the document root wrong for one of my domains, and as a result when it attempted to access the verification file in .well-known/acme-challenge it resulted in a 404.

          In your case however your server does actually appear to be sending back some HTML instead of a 404, but not the expected file. Does the following HTML code look familiar? Could it be part of a website?

          <!DOCTYPE html>\n<html lang=\"en-US\"\n\titemscope \n\titemtype=\"http://schema.org/WebSite\" \n\tprefix=\"og: http://ogp.me/ns#\" >\n<head>\n<
          

          Because I suspect you might have an issue with your server configuration.

  • Update and upgrade was all I needed, thanks!

When I renew I am getting this message:

DRY RUN: simulating 'certbot renew' close to cert expiry. What does it mean?

  • As far as I know, the '--dry-run' parameter just simulates, and only does so with the certificates that are close to expiring.
    If you really want to renew, remove the '--dry-run' parameter.

I am good right?

[~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mydomainname.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomainname.com
http-01 challenge for www.mydomainname.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/mydomainname.com/fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mydomainname.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


]

I got an error: Attempting to renew cert (www.mysite.com) from /etc/letsencrypt/renewal/www.mysite.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/www.mysite.com/fullchain.pem (failure). What should I do?

I had the same issue; updating and messing with the config file did not work for me. All I needed to do was update my certbot as outlined in https://certbot.eff.org/lets-encrypt/ubuntutrusty-apache
I just ran the following commands:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-apache

and skipped the Installing DNS plugins part as I was afraid it would mess up my configuration.

After that, I removed any explicit references to tls-sni-01 in my renewal configuration using:

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

as explained here:

https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Run

sudo certbot renew --dry-run

and it worked like a charm.

It took me a couple of hours of searching for the right solution and, once I found it, 5 min to fix. Hope it’ll save someone some time. Cheers!
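A small helper for the two fixes this thread converges on: the pref_challs substitution the sed one-liner above performs, and the webroot_map rewrite described in the comments on the accepted answer. This is an added example, not code from the thread or from certbot; the sample renewal config, account id and document roots are constructed.

```python
"""Audit a certbot renewal config that still prefers tls-sni-01 and rewrite it.
Added example, not from the thread or from certbot; sample values are constructed."""
import re

# Constructed stand-in for /etc/letsencrypt/renewal/<domain>.conf (certbot's configobj layout).
SAMPLE_CONF = """\
version = 0.28.0
cert = /etc/letsencrypt/live/example.com/cert.pem
# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = 0123456789abcdef0123456789abcdef
pref_challs = tls-sni-01, http-01
"""

PREF_RE = re.compile(r"^(\s*pref_challs\s*=\s*)(.*)$", re.M)
ACCOUNT_RE = re.compile(r"^\s*account\s*=\s*(\S+)", re.M)

def uses_tls_sni(conf_text):
    """True if the config explicitly lists tls-sni-01 among its preferred challenges."""
    m = PREF_RE.search(conf_text)
    return bool(m) and "tls-sni-01" in [c.strip() for c in m.group(2).split(",")]

def drop_tls_sni(conf_text):
    """Swap tls-sni-01 for http-01 in pref_challs, like the sed one-liner in the thread,
    but de-duplicated so 'tls-sni-01, http-01' does not become 'http-01, http-01'."""
    def fix(m):
        out = []
        for c in (c.strip() for c in m.group(2).split(",") if c.strip()):
            c = "http-01" if c == "tls-sni-01" else c
            if c not in out:
                out.append(c)
        return m.group(1) + ", ".join(out)
    return PREF_RE.sub(fix, conf_text)

def switch_to_webroot(conf_text, docroots):
    """Replace [renewalparams] with a webroot section, keeping the account id.
    docroots maps every name on the certificate (bare and www) to its document root."""
    head, sep, params = conf_text.partition("[renewalparams]")
    if not sep or not ACCOUNT_RE.search(params):
        raise ValueError("config has no [renewalparams] section with an account id")
    lines = ["[renewalparams]", "authenticator = webroot", "installer = None",
             "account = " + ACCOUNT_RE.search(params).group(1), "[[webroot_map]]"]
    lines += [f"{d} = {p}" for d, p in docroots.items()]
    return head + "\n".join(lines) + "\n"
```

Run it against a copy of each file in /etc/letsencrypt/renewal/ and confirm with sudo certbot renew --dry-run before replacing the originals.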
