Upgrade Certbot to version 0.28 or higher to stop using TLS-SNI-01

Bug #1812366 reported by Dominic Raferd on 2019-01-18
This bug affects 4 people
Affects Status Importance Assigned to Milestone
python-certbot (Ubuntu)

Bug Description

This version (0.23.0-1) is now outdated and I believe this is why I receive warning mails from letsencrypt like this:


**Action is required to prevent your Let's Encrypt certificate renewals from breaking.**

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on **February 13th, 2019.**

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

If you need help updating your ACME client, please open a new topic in the Help category of the Let's Encrypt community forum:


Please answer all of the questions in the topic template so we can help you.

For more information about the TLS-SNI-01 end-of-life please see our API announcement:


Thank you,
  Let's Encrypt Staff

Ricardo (rjpinto) wrote :

Just wanted to reinforce that there is a high probability that all Ubuntu LTS servers will start failing to renew Let's Encrypt certificates as the minimum version for certbot should be 0.28 to fix TLS-SNI-01 problems.

I am sure I am not the only one using only Let's Encrypt for multiple sites and servers. Would be really cool if you would backport the package from disco to cosmic and bionic and prevent the TLS apocalypse. :)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-certbot (Ubuntu):
status: New → Confirmed
Ricardo (rjpinto) wrote :

The workarond is to use packages for Ubuntu from the following PPA

tags: added: bionic
tags: added: upgrade-software-version
summary: - outdated version, please update
+ Upgrade Certbot to version 0.28 or higher to stop using TLS-SNI-01
Changed in python-certbot (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers