If you do not know what Let's Encrypt is or have no need to set up SSL certificates for websites, just close this page or go check out my new Topre Keyboard post and learn more than you probably ever wanted to know about keyboards.
Anyone running a full node, or a website on nginx with SSL, will likely run into this problem at some point. Knowing about it before your SSL certificate is about to expire will save a lot of sanity.
The problem
Today Let's Encrypt disabled the tls-sni challenge, the authentication method the nginx plugin uses to verify that you own a domain. This will affect a lot of users, especially full node admins and anyone using nginx with SSL. It means you will no longer be able to auto-authenticate with Let's Encrypt to install a new certificate or renew an existing one. Instead, you will get the following error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
The solution
You can still use Let's Encrypt for free SSL certificates, but you will need to do things a bit differently and more manually.
If you are installing on a website that is hosted on port 80, you can use one of these two methods. If the site is on a custom port, you will need the more manual method shown further down.
If you are serving files (e.g. WordPress or a static website)
sudo certbot --authenticator webroot --webroot-path <path to served directory> --installer nginx -d <domain>
If you are not serving files (e.g. a reverse proxy in front of a full node)
sudo certbot --authenticator standalone --installer nginx -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"
The standalone authenticator needs port 80 to itself, so nginx is stopped before the challenge and started again afterwards. These methods work if your site is available on port 80; they do not help if it uses a custom port, as mine did. Keep note of when your 90 day certificate is going to expire, as auto-renewal will likely not work.
Test Renewal
sudo certbot renew --dry-run
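Because renewal can fail silently, it is worth having a check that warns well before the 90 days are up. The script below is an added example, not code from the original post. It assumes the openssl command-line tool is installed and that certificates sit in certbot's default layout, /etc/letsencrypt/live/<domain>/fullchain.pem; the 30 day threshold and the example.test certificate it builds for itself are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: warn when a Let's Encrypt certificate is close to expiry,
# so a broken auto-renewal is noticed before the site goes down.
# Assumes the openssl CLI; paths and the 30 day threshold are assumptions.

# Return 0 ("renew now") if the certificate expires within THRESHOLD_DAYS,
# 1 if it stays valid beyond that. openssl's -checkend does the date
# arithmetic, so this does not depend on GNU date.
needs_renewal() {
    cert="$1"
    threshold_days="${2:-30}"
    if openssl x509 -in "$cert" -noout -checkend $((threshold_days * 86400)); then
        return 1   # still valid past the threshold
    else
        return 0   # expires within the threshold, or already expired
    fi
}

# Print the certificate's notAfter date for a human-readable report.
expiry_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Walk every domain certbot manages (directory names under the live dir)
# and print one line per certificate, flagging the ones that need renewal.
report_live_certs() {
    live_dir="${1:-/etc/letsencrypt/live}"
    threshold_days="${2:-30}"
    for dir in "$live_dir"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        domain=$(basename "$dir")
        if needs_renewal "$dir/fullchain.pem" "$threshold_days"; then
            echo "RENEW  $domain expires $(expiry_date "$dir/fullchain.pem")"
        else
            echo "ok     $domain expires $(expiry_date "$dir/fullchain.pem")"
        fi
    done
}

# Constructed fixture: a throwaway self-signed certificate valid for $1 days,
# so the check can be exercised without touching real Let's Encrypt files.
make_test_cert() {
    days="${1:-30}"
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
    echo "$dir/fullchain.pem"
}

# Stand-alone demo: a 30 day certificate is flagged against a 45 day
# threshold and passes a 10 day one.
demo_cert=$(make_test_cert 30)
if needs_renewal "$demo_cert" 45; then
    echo "demo: renew (expires $(expiry_date "$demo_cert"))"
fi
if ! needs_renewal "$demo_cert" 10; then
    echo "demo: fine for at least 10 more days"
fi
```

Run `report_live_certs` from a daily cron job and mail or log any line starting with RENEW; that way a renewal that stopped working is caught with weeks to spare rather than on the day the certificate expires.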
Using custom port and manual authentication
Finally, if you are in the situation I was in, where the site you are running is not exposed on port 80, you will need to do a manual authentication. I find a DNS TXT entry the quickest way to do this.
sudo certbot --manual certonly --preferred-challenges dns
It will walk you through the process and give you the TXT records to add to your domain's DNS. You will need to remove them manually after you are done. The process is fairly quick as long as you are comfortable editing DNS.
Re-enable auto renewal
When the problem is resolved, you can re-enable renewals with this command.
sudo certbot --nginx -d <domain> --force-renewal
This just happened today, and I suspect a lot of people will get burned by this. I suspect not many here, but most people running full nodes are using Let's Encrypt and nginx.