Let's Encrypt w/ nginx auto renewal and creating new certificates no longer works, fix inside

in #technology · 7 years ago (edited)

If you do not know what Let's Encrypt is or have any need for setting up SSL certificates for websites, just close this page or go check out my new Topre Keyboard and learn more than you probably ever want to know about keyboards.

Anyone running a full node, or a website on nginx with SSL will likely run into this problem at some point. Knowing about it before your SSL certificate is about to expire will save a lot of sanity.

The problem

Today Let's Encrypt disabled the tls-sni challenge, the method the certbot nginx plugin uses to prove you control a domain. This will affect a lot of users, especially full node admins and anyone using nginx with SSL: certbot can no longer authenticate you automatically to issue a new certificate or renew an existing one. Instead, you will get the following error:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

The solution

You can still use Let's Encrypt for free SSL certificates, but you will need to do things a bit differently and more manually.

If you are installing on a website that is hosted on port 80, you can use one of these two methods. If the site is on a custom port, you will need a more manual way I will show after.

If you are serving files (i.e. wordpress, or website)

sudo certbot --authenticator webroot --webroot-path <path to served directory> --installer nginx -d <domain>

If you are not serving files (i.e. reverse proxy on a full node)

sudo certbot --authenticator standalone --installer nginx -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"

These methods work if your site is reachable on port 80; they will not if it runs on a custom port, which was my situation. Keep note of when your 90 day certificate is going to expire, because the existing auto-renewal (still configured to use the nginx authenticator) will most likely fail.
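Certbot records which authenticator each certificate was issued with in /etc/letsencrypt/renewal/<domain>.conf, so you can find out ahead of the expiry date which renewals are still going to hit the disabled challenge. The script below is an added example, not part of the original post: it reads the [renewalparams] section of each renewal conf and flags entries that use the nginx (or apache) authenticator or that explicitly prefer tls-sni-01. The assumption, matching the post, is that those plugin authenticators depend on tls-sni; the webroot, standalone and manual authenticators are treated as safe.

```shell
#!/bin/sh
# Added example (not from the post): audit certbot renewal configs for
# certificates whose renewal still depends on the disabled tls-sni challenge.

# Print the value of KEY from the [renewalparams] section of a renewal conf.
# $1 = conf file, $2 = key
renewal_param() {
    sed -n '/^\[renewalparams\]/,$p' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | head -n 1
}

# Classify one renewal conf.
# Returns 0 when the renewal should still work, 1 when it is at risk,
# 2 when the authenticator is one this script does not know about.
audit_renewal_conf() {
    conf=$1
    auth=$(renewal_param "$conf" authenticator)
    challs=$(renewal_param "$conf" pref_challs)

    # An explicit tls-sni preference fails regardless of the plugin.
    case "$challs" in
        *tls-sni*)
            echo "AT-RISK $conf: pref_challs selects tls-sni-01"
            return 1 ;;
    esac

    case "$auth" in
        nginx|apache)
            # Assumption (as described in the post): these plugins
            # authenticate via the tls-sni challenge.
            echo "AT-RISK $conf: authenticator '$auth' relies on tls-sni-01"
            return 1 ;;
        webroot|standalone|manual)
            echo "OK $conf: authenticator '$auth'"
            return 0 ;;
        "")
            echo "AT-RISK $conf: no authenticator recorded"
            return 1 ;;
        *)
            echo "UNKNOWN $conf: authenticator '$auth' (check manually)"
            return 2 ;;
    esac
}

# Audit every *.conf in a renewal directory (default: certbot's own).
# Returns non-zero if any certificate is not expected to renew cleanly.
audit_renewal_dir() {
    dir=${1:-/etc/letsencrypt/renewal}
    rc=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        audit_renewal_conf "$f" || rc=1
    done
    return $rc
}
```

Run it as `. ./audit-renewals.sh && audit_renewal_dir` on the server; any AT-RISK line is a certificate to reissue with the webroot or standalone method above before it expires, after which `certbot renew --dry-run` confirms the new configuration.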

Test Renewal

sudo certbot renew --dry-run

Using custom port and manual authentication

Finally, if you are in the situation I was in, where the site you are running is not exposed on port 80, you will need to authenticate manually. I find adding a DNS TXT record the quickest way to do this.

sudo certbot --manual certonly --preferred-challenges dns

It will walk you through the process and give you the entries to add to your domain. You will need to manually clean them up after you are done. The process is fairly quick as long as you are comfortable editing DNS.

Re-enable auto renewal

Once Let's Encrypt re-enables the tls-sni challenge, you can switch back to the nginx authenticator and re-enable automatic renewals with this command.

sudo certbot --nginx -d <domain> --force-renewal

This just happened today, and I suspect a lot of people will get burned by this. I suspect not many here, but most people running full nodes are using Let's Encrypt and nginx.


Hey. Very interesting to read, thanks for the info; it's a big part of our life. Thanks for sharing!

I guess there are not that many sysadmins following you :)
I usually let Plesk handle that stuff for my private server. Exchanging certificates can be quite fun in a prod env :)
Do you have a running django env anywhere?

I was mostly pointing this out for full node admins, and whoever else might be doing it, but I suspect Steemit in general isn't the ideal audience.

I do not run django. I do use python, and if I did anything web facing (I freaking hate touching web) I'd probably use Flask or NodeJS.

Encryption is the key for everything; cryptocurrencies are based on this. Encryption is part of our life.

WOW great stuff. Thanks for sharing.

thanks in advance, making my site on wordpress

Topre Keyboard is really the best intense of efficiency, nice post great information.

@themarkymark, very interesting. I'm not running a full node, but I have several sites that are using Let's Encrypt Certificates with the auto-renewal turned on. In reading their post about the vulnerability it looks like they are confident they can fix the issue and turn back on the tls-sni challenge. I'm going to have to look at all my certificates now. Here's to hoping they fix the issue before my 90 day renewal comes up.

Yeah, I believe it will be enabled again but it is more difficult to make new certificates and existing renewals will fail. If they fail on a production system it could be a lot of headaches to deal with it at the last second.

Couldn't agree more. Luckily, while most of my servers are considered "production" if they were to fail it wouldn't be devastating for anyone who uses them. All the same, I should probably take your advice here and change the way my renewals work. Thanks again for the info!

Good work tho... you can find some useful articles here
https://steemit.com/ache/@regalsoldier/how-to-creat-a-free-website