How to stop using TLS-SNI-01 with Certbot

Let’s Encrypt is beginning to remove support for domain validation using TLS-SNI-01. If you already use Let’s Encrypt, you will have received an email notifying you of this change, titled ‘Action required: Let’s Encrypt certificate renewals’, or you may be seeing the following error when renewing:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

To resolve this, you may need to upgrade Certbot and update its renewal configuration.

Update Certbot and Configuration

If you only received the email, it is possible that you upgraded Certbot after the last TLS-SNI-01 validation mentioned in the email, in which case you should be fine; the instructions below tell you how to check.

Confirm the Certbot version is 0.28 or higher

To get the version number of your Certbot installation execute the following command:

certbot --version || /path/to/certbot-auto --version

If the version is less than 0.28, you need to upgrade your Certbot. You can download the latest version from https://certbot.eff.org and follow the instructions for your server.

Remove explicit references to tls-sni-01 from your renewal configuration

The following command rewrites every pref_challs line under /etc/letsencrypt/renewal/ that names tls-sni-01, substituting http-01, and then deletes the .bak copies sed leaves behind (if a line listed both tls-sni-01 and http-01, the rewritten line will contain http-01 twice):

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

And then do a renewal dry-run with:

sudo certbot renew --dry-run

If the dry run succeeds and your Certbot version is 0.28 or higher, no further action is required to deal with the end of TLS-SNI-01 support. If it fails, fix the validation problems it reports and run the dry run again.
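As an added example (not code from the original article or from the Certbot project), here is the procedure above as one POSIX shell script: it parses the Certbot version and compares it against 0.28, lists the renewal configs whose pref_challs still name tls-sni-01, rewrites them (replacing tls-sni-01 with http-01 and dropping the duplicate entry a plain substitution would leave), and then runs the dry run. The variables CERTBOT and RENEWAL_DIR, the function names and the file name tls-sni-check.sh are my own; point CERTBOT at your certbot-auto path if that is what you use.

```shell
#!/bin/sh
# Added example, not part of the original article or of Certbot itself.
# Assumptions: `certbot --version` prints "certbot X.Y.Z" (older releases
# print it on stderr, hence 2>&1); renewal configs live in RENEWAL_DIR;
# CERTBOT names the certbot (or certbot-auto) executable.
set -eu

CERTBOT="${CERTBOT:-certbot}"
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# parse_certbot_version "certbot 0.31.0" -> "0.31.0" (empty if unrecognised)
parse_certbot_version() {
    printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ok X.Y.Z -> succeeds if X.Y.Z is 0.28 or newer
version_ok() {
    v_major=$(printf '%s' "$1" | cut -d. -f1)
    v_minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "${v_major:-0}" -gt 0 ] || [ "${v_minor:-0}" -ge 28 ]
}

# list_tls_sni_configs DIR -> renewal configs whose pref_challs names tls-sni-01
list_tls_sni_configs() {
    grep -l '^pref_challs[[:space:]]*=.*tls-sni-01' "$1"/*.conf 2>/dev/null || true
}

# fix_pref_challs FILE -> rewrite pref_challs in place: tls-sni-01 becomes
# http-01, duplicates are dropped, order is kept, every other line is untouched.
fix_pref_challs() {
    awk '
    /^pref_challs[ \t]*=/ {
        vals = substr($0, index($0, "=") + 1)
        n = split(vals, parts, ",")
        split("", seen); out = ""
        for (i = 1; i <= n; i++) {
            p = parts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", p)
            if (p == "tls-sni-01") p = "http-01"
            if (p == "" || (p in seen)) continue
            seen[p] = 1
            if (out == "") out = p; else out = out ", " p
        }
        print "pref_challs = " out
        next
    }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_and_fix -> the whole procedure; fails early if Certbot is too old
check_and_fix() {
    ver=$(parse_certbot_version "$("$CERTBOT" --version 2>&1)")
    if [ -z "$ver" ]; then
        echo "could not determine the Certbot version from '$CERTBOT --version'" >&2
        return 1
    fi
    if ! version_ok "$ver"; then
        echo "Certbot $ver is older than 0.28; upgrade it before continuing" >&2
        return 1
    fi
    echo "Certbot $ver is new enough"
    # Renewal file names are derived from the certificate name, so no spaces.
    list_tls_sni_configs "$RENEWAL_DIR" | while IFS= read -r f; do
        echo "rewriting $f"
        fix_pref_challs "$f"
    done
    "$CERTBOT" renew --dry-run
}

# Only defines the functions unless explicitly asked to run:
#   sudo sh tls-sni-check.sh run
if [ "${1:-}" = run ]; then
    check_and_fix
fi
```

Run it as root, since the renewal directory is root-owned; without the `run` argument it only defines the functions, so you can source it and call `list_tls_sni_configs /etc/letsencrypt/renewal` first to see which configs would be changed before touching anything.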

If you get a connection refused or connection timeout error, a firewall may be blocking port 80. tls-sni-01 used port 443, but http-01 uses port 80, and Let’s Encrypt’s validation servers must be able to reach it from the public internet, so check any firewall or NAT in front of the server as well as the host’s own firewall. Ideally, your web server should accept connections on both ports. If that is not possible, for instance because your ISP blocks port 80, you will need to switch to the dns-01 challenge (which requires a way to create DNS records automatically, such as a Certbot DNS plugin, if renewals are to stay unattended) or use an ACME client that supports tls-alpn-01, which validates over port 443.