[SOLVED] Let's Encrypt validation is reaching end of life

I jus terceive an e-mail from the Let’s Encrypt team :

Action may be required to prevent your Let’s Encrypt certificate renewals
from breaking.
If you already received a similar e-mail, this one contains updated
Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):
TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.
You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to

What should I do? This is a step process I’m understanding nothing. I ran this step just feeding command lines.

My /var/www/letsencrypt/letsencrypt.log is:

2019-02-03 23:10:51,516:DEBUG:certbot.main:Root logging level set at 30
2019-02-03 23:10:51,520:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-03 23:10:51,524:DEBUG:certbot.main:certbot version: 0.10.2
2019-02-03 23:10:51,524:DEBUG:certbot.main:Arguments: ['-q']
2019-02-03 23:10:51,527:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2019-02-03 23:10:51,620:INFO:certbot.renewal:Cert not yet due for renewal
2019-02-03 23:10:51,620:DEBUG:certbot.renewal:no renewal failures

My Certbot version is : certbot 0.10.2
I’am using apache and everything is running on a Raspberry-pi, using Raspbian

Thanks for helping.

You need either a recent certbot or use some different parameters. There a different topics on that in the letsencrypt forum, e.g.

Well, Certbot v0.10.2 doesn’t support other validation methods than TLS-SNI-01.

I always recommend acme.sh as Let’s Encrypt client.

1 Like

So I try to upgrade certbot and pytho-certbot-apche from version 0.10 to 0.28.
An $ apt list *certbot* gives me :
certbot/stable 0.28.0-1~deb9u1 all [upgradable from: 0.10.2-1]
python-certbot-apache/stable 0.28.0-1~deb9u1 all [upgradable from: 0.10.2-1]

So it’s seems to be possible. But why isn’t it automatically done? (I know it’s not a straight NC answer).

Thanks. As all these certifications issues are difficult to understand for me I first try to find a solution through an update of certbot.

I answer to myself (sorry). It’s just I needed to do a dist-upgrade and not only apt or apt-get . Now certbot and python-certbot-apache are in 0.28 version.

I ran $ sudo certbot renew --dry-run
And got the following :

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/[MYWEBSERVER].conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [MYWEBSERVER]
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/[MYWEBSERVER]/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

Running post-hook command: service apache2 start


  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Is that enough for my problem? thanks.
Last but not least have you got some easy reading on the web for me to understand all these certificates needs ans configuration etc… Thanks

Basically there are 3 steps to do and first one - upgrade to version 0.28 you already did.

Steps to do:

  1. Remove any explicit references to tls-sni-01 in your renewal configuration:
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
  1. Do a full renewal dry run:
sudo certbot renew --dry-run

If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go! No further action should be required to deal with the end of TLS-SNI-01 support. If it fails, fix the validation problems you see and try again.

1 Like

I ran all the lines above. Everything seems to went fine.
Thanks to all of you again. Amazing support on NC.

1 Like

I did this but got the following error:

"Attempting to renew cert (mywebsite.com) from /etc/letsencrypt/renewal/mywebsite.com.comf produced an unexpected error: Failed authorization procedure… …the client lacks sufficient authorization :: Invalid response form http://mywebsite.com/.well-known/acme-challenge-… all renewal attemps failed. the following certs could not be renewed: /etc/letsencrypt/life/mywebsite.com/fullchain.pem (failure)

The following errors were reported by the server:
Domain: mywebsite.com
Type: unauthorized
Detail: Invalid response from http://mywebsite.com/.well-known/acme-challenge/

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address."

Any help you guys could offer would be greatly appreciated! Thanks!

First of all check if you have port 80 and 443 open.
If you are running apache server, you can use --apache mode.
Also check this out: How can I resolve 'unauthorized' errors with Certbot in /.well-known?