Schalk Burger

How to stop using TLS-SNI-01 with Certbot

Sunday, 5 January 2020

If you’re like me and use Certbot to get free HTTPS certificates from the excellent Let’s Encrypt service for your hosted sites, then you might not be aware that Let’s Encrypt has removed support for domain validation with the TLS-SNI-01 challenge because of vulnerabilities in that validation method.

You might have received an email titled “Action required: Let’s Encrypt certificate renewals” or are getting the error message:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

If you received any of the above messages, then you may need to upgrade your Certbot and its configuration.

For this tutorial I will show you how to upgrade your Certbot on an Ubuntu system.

On Ubuntu systems, the Certbot team maintains a PPA. You can add it to your list of repositories and install Certbot by running the following commands.

1. Upgrade your Certbot to a version higher than 0.28:

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-apache 

Confirm that your version is higher than 0.28 with the following command:

certbot --version || /path/to/certbot-auto --version

2. Remove any explicit references to tls-sni-01 in your renewal configuration:

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

3. Do a full renewal dry run:

sudo certbot renew --dry-run

If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go.

No further action should be required to deal with the end of TLS-SNI-01 support. If it fails, fix the validation problems you see and try again.
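As an added example (not part of the original post), here is a small POSIX shell script that automates the checks from steps 1 and 2: it parses the output of certbot --version, tests it against the 0.28 minimum, and rewrites pref_challs lines in renewal configs with the same sed substitution as step 2. The renewal config it operates on is constructed in a temporary directory for the demo; the real files live in /etc/letsencrypt/renewal/.

```shell
# Added example: audit a Certbot install for the end of TLS-SNI-01.
# Checks the version string against the 0.28 minimum and rewrites
# "pref_challs" in renewal configs so tls-sni-01 becomes http-01.
# The sample config below is constructed for the demo.

# "certbot 0.31.0" -> "0.31.0"
parse_certbot_version() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Succeeds when a version like 0.31.0 or 1.3.0 is 0.28 or higher.
certbot_version_ok() {
    printf '%s\n' "$1" | awk -F. '{ exit !(($1 + 0) > 0 || ($2 + 0) >= 28) }'
}

# Succeeds when the renewal config still lists tls-sni-01 in pref_challs.
prefers_tls_sni() {
    grep -q '^pref_challs.*tls-sni-01' "$1"
}

# Rewrite one renewal config in place: tls-sni-01 -> http-01 on pref_challs.
fix_renewal_conf() {
    sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' "$1"
    rm -f "$1.bak"
}

# Fix every *.conf under a renewal directory; prints the files it changed.
audit_renewal_dir() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if prefers_tls_sni "$f"; then
            fix_renewal_conf "$f"
            echo "rewrote pref_challs in $f"
        fi
    done
}

# Demo on a constructed renewal config in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/example.com.conf" <<'EOF'
[renewalparams]
authenticator = apache
pref_challs = tls-sni-01, dns-01
EOF
if command -v certbot >/dev/null 2>&1; then
    v=$(parse_certbot_version "$(certbot --version 2>&1)")
    certbot_version_ok "$v" && echo "certbot $v is 0.28 or higher"
fi
audit_renewal_dir "$demo_dir"
rm -rf "$demo_dir"
```

Point audit_renewal_dir at /etc/letsencrypt/renewal (as root) to apply the same rewrite to a live install.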