Let's Encrypt Certificate Renewals (TLS-SNI-01 Validation)

If you set up Let's Encrypt certificates in the past, you have most likely received emails saying that action is required to keep upcoming renewals from breaking once TLS-SNI-01 validation is disabled (starting Feb. 13, 2019).

Depending on your deployment, you can test against the Let's Encrypt staging environment, which already has TLS-SNI-01 disabled: https://letsencrypt.org/docs/staging-environment/. Most people use Certbot for ease of installation, and some work is required to keep it renewing without issues. The steps are as follows:

1. Check if Certbot is 0.28 or newer

certbot --version || /path/to/certbot-auto --version

2. If it is older than 0.28, follow the instructions on https://certbot.eff.org/ to update it

3. Remove references to tls-sni-01 from your renewal configuration (the command below rewrites the pref_challs line of every file under /etc/letsencrypt/renewal/ to use http-01 instead)

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

4. Do a dry run to test renewals

sudo certbot renew --dry-run
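The following script is an added example and is not part of the original post or of Certbot itself. It wraps steps 1 and 3 in a pre-flight check you can run without touching /etc/letsencrypt: it parses the output of certbot --version against the 0.28 cut-off, applies the same sed rewrite as step 3 to a constructed renewal config written to a temporary directory, and counts any tls-sni-01 references left behind. The sample config, the domain example.com and the function names are assumptions; the actual dry run (step 4) needs a real host and is still done with sudo certbot renew --dry-run.

```shell
#!/bin/sh
# Added example, not Certbot's own code. Pre-flight for the TLS-SNI-01
# retirement: version check plus the step-3 rewrite, exercised on a
# constructed renewal config in a temp dir rather than /etc/letsencrypt.

# Return 0 when version "$1" (e.g. "0.28.0") is at least "$2.$3".
version_ge() {
    v_major=$(printf '%s' "$1" | cut -d. -f1)
    v_minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "${v_major:-0}" -gt "$2" ] && return 0
    [ "${v_major:-0}" -eq "$2" ] && [ "${v_minor:-0}" -ge "$3" ]
}

# Take one line of `certbot --version` output ("certbot 0.28.0") and
# decide whether it is 0.28 or newer, i.e. no longer uses TLS-SNI-01.
certbot_version_ok() {
    ver=$(printf '%s' "$1" | sed -n 's/^certbot[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] && version_ge "$ver" 0 28
}

# Count pref_challs lines in one renewal config that still name tls-sni-01.
count_tls_sni() {
    grep -c '^pref_challs.*tls-sni-01' "$1" || true
}

# The step-3 edit applied to a single file: swap tls-sni-01 for http-01 on
# the pref_challs line only, leaving every other setting untouched.
rewrite_pref_challs() {
    sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' "$1"
    rm -f "$1.bak"
}

# Constructed sample in the format Certbot writes under
# /etc/letsencrypt/renewal/<domain>.conf; paths and domain are placeholders.
write_sample_config() {
cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = tls-sni-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# Demo: check a version string, then rewrite the sample config and report
# how many tls-sni-01 references remain before and after.
preflight_demo() {
    if certbot_version_ok "certbot 0.28.0"; then
        echo "certbot 0.28.0: new enough"
    fi
    tmp=$(mktemp -d)
    write_sample_config "$tmp/example.com.conf"
    echo "before: $(count_tls_sni "$tmp/example.com.conf") tls-sni-01 reference(s)"
    rewrite_pref_challs "$tmp/example.com.conf"
    echo "after:  $(count_tls_sni "$tmp/example.com.conf") tls-sni-01 reference(s)"
    rm -rf "$tmp"
}

preflight_demo
```

To check a real installation, point rewrite_pref_challs and count_tls_sni at the files under /etc/letsencrypt/renewal/ (with sudo) and feed certbot_version_ok the first line of certbot --version or /path/to/certbot-auto --version; a non-zero count after the rewrite means a file uses a layout the sed pattern does not match and should be inspected by hand.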

If the dry run succeeds and Certbot is 0.28 or newer, all is well. If there are failures, fix the errors and rerun. Some failures are caused by server availability on the Let's Encrypt side rather than by your configuration, especially with the staging environment; you can check status information at https://letsencrypt.status.io/