With the upcoming deprecation of TLS-SNI-01, Let’s Encrypt certificate renewals may start breaking for some clients. For more information regarding the TLS-SNI-01 ACME protocol deprecation see Bulletproof TLS Newsletter #37.
As per Let’s Encrypt’s recent notification, “It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019”.
TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019. Any certificates issued before then will continue to work for 90 days after their issuance date.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
Here is how we performed an Ubuntu Certbot Update for our Ubuntu 18.04 LTS (bionic) web servers. As with every technical change, please test in a lab before implementing in a production environment.
Ubuntu Certbot Update
Check your current version of Certbot:
If your Certbot version is older than 0.28.0, then it should be updated. Here is how to perform an Ubuntu Certbot Update.
Run the following commands.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo apt-get upgrade
If you get the error message “The following packages have been kept back”, upgrade the listed packages explicitly.
sudo apt-get upgrade certbot
Install the remaining kept-back packages.
sudo apt-get upgrade
Validate you have the latest version of Certbot.
Now, you are ready to validate certificate renewal using the new version of Certbot.
sudo certbot renew --dry-run
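As an added example (not part of the original post), a small POSIX shell pre-flight script that gates the dry-run renewal on the 0.28.0 minimum from the steps above and warns about renewal configs still preferring tls-sni-01. It assumes that `certbot --version` prints a line of the form `certbot X.Y.Z` and that Certbot records challenge preferences in a `pref_challs` line in the files under /etc/letsencrypt/renewal/.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `certbot --version`
# prints "certbot X.Y.Z" and that renewal configs under
# /etc/letsencrypt/renewal/ record challenge preferences in a "pref_challs" line.

MIN_CERTBOT_VERSION="0.28.0"   # first release the post treats as safe
# Return 0 if dotted version $1 >= $2, comparing numerically field by field.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Pull "0.31.0" out of a "certbot 0.31.0" line; prints nothing if unparsable.
certbot_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the given Certbot version is at least MIN_CERTBOT_VERSION.
certbot_is_current() {
    version_ge "$1" "$MIN_CERTBOT_VERSION"
}

# Return 0 if a renewal config (passed as text) still prefers tls-sni-01.
renewal_conf_uses_tls_sni() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*pref_challs[[:space:]]*=.*tls-sni-01'
}
preflight() {
    ver="$(certbot_version_from_output "$(certbot --version 2>&1 | head -n 1)")"
    if ! certbot_is_current "${ver:-0}"; then
        echo "certbot ${ver:-unknown} is older than $MIN_CERTBOT_VERSION; update first" >&2
        return 1
    fi
    for f in /etc/letsencrypt/renewal/*.conf; do
        [ -f "$f" ] || continue
        renewal_conf_uses_tls_sni "$(cat "$f")" &&
            echo "warning: $f prefers tls-sni-01; renewal will fail after the shutdown" >&2
    done
    certbot renew --dry-run
}

# Only run the real checks when certbot is actually installed on this host.
command -v certbot >/dev/null 2>&1 && preflight
```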