Acme client update

I got an email from Let’s Encrypt, see below:

Action may be required to prevent your Let’s Encrypt certificate renewals
from breaking.

If you already received a similar e-mail, this one contains updated

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account): ( on 2018-12-23 ( on 2018-12-23

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.

You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to

Our staging environment already has TLS-SNI-01 disabled, so if you’d like
to test whether your system will work after February 13, you can run
against staging:

If you’re a Certbot user, you can find more information here:

Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:

For more information about the TLS-SNI-01 end-of-life please see our API

I don’t understand what I should do?

Let’s Encrypt now requires that certificates are created with HTTP, DNS or TLS validation, which in practical terms means you need to issue a new certificate with one of those validation options. These are the steps you need to follow to upgrade the Let’s Encrypt client:

Download the latest version of lego:

cd /tmp
curl -s | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -

Extract the tarball:

tar xf lego_vX.Y.Z_linux_amd64.tar.gz

You need to replace X, Y and Z with the version number of the downloaded file. You can check it with the following command:

ls lego_*

Move the lego binary to /usr/local/bin/:

sudo mv lego /usr/local/bin/lego

Then source .bashrc to load the binary into your PATH:

source ~/.bashrc

Then you need to issue a new certificate, following the steps in this guide:

Please, click on :heart: if you think my answer was helpful
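The steps in the answer above install a downloaded binary with sudo. The following is an added example, not part of the original answer or of the lego project, that verifies the tarball against a checksum list before installing. It assumes a sha256sum-format checksum file was downloaded from the same release page; the function names and that file are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded lego tarball
# before installing it. Assumption: a sha256sum-format checksum list
# ("<hex>  <file name>") was fetched from the same release page.

# verify_release TARBALL CHECKSUMS
# Returns 0 on match, 1 on mismatch, 2 if the file name is not listed.
verify_release() {
    local tarball="$1" sums="$2" name expected actual
    name=$(basename "$tarball")
    # Exact match on the name column; a leading '*' marks binary mode.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# safe_members TARBALL
# Fails if the listing shows an absolute path or a ".." path component.
safe_members() {
    if tar tf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $1" >&2
        return 1
    fi
    return 0
}

# install_lego TARBALL CHECKSUMS DESTDIR
# Verifies first, extracts only the lego member into a scratch directory,
# then installs it; DESTDIR would be /usr/local/bin in the steps above.
install_lego() {
    local tarball="$1" sums="$2" dest="$3" tmp rc
    verify_release "$tarball" "$sums" || return 1
    safe_members "$tarball" || return 1
    tmp=$(mktemp -d) || return 1
    tar xf "$tarball" -C "$tmp" lego && install -m 0755 "$tmp/lego" "$dest/lego"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

A checksum file fetched over the same channel as the tarball only detects corruption or a swapped asset, not a compromised release page.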

Thanks, it is working.

Thanks for the perfect solution.
Now you can close the case.
