Latest let-encrypt error - January 10, 2018 02:16 UTC[Investigating] The tls-sni challenge has been disabled due to strong credibility of a vulnerability report

i finally decided to do lets-encrypt on my live (now regretting),
i get the following error while doing so

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

when i searched online i found this

looks like a recent issue with lets-encrypt …

But now my site is stuck on sorry! we will be back soon screen.

how do i undo it?

Thanks

try to clear browser data / cache or maybe use a different browser
and see if you can still open the site?

What did you run to setup letsencrypt?

Run bench setup nginx in frappe-bench and then sudo service nginx restart

@tlie @vjFaLk ,

I did normal procedures ,

Sudo bench setup lets-encrypt

i think its not a ERPNext issue , there was a security incident with lets-encrypt ,

for the time being i have solved my urgency by doing set-maintainance-mode off
will have to try again after the problem is solved from lets-encrypt side.

refer above link.
and https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5a55777ed9a9c1024c00b241

Thanks

2 Likes

having the same problem

looking at this solution now https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

still down though https://letsencrypt.status.io/

The method used by ERPNext in its lets-encrypt implementation cannot be used i.e TLS-SN

According to Forum They will try and make it up again in the next 48 hours,

Till then I think you should announce to the ERPNext users to hold to setting up the secure connection ,Else they could face issues and down their live site.

Thanks

According to their latest update - https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 - it will be permanently disabled for new accounts.

Have created issue

1 Like

@johnskywalker,
How would we setup lets-encrypt now on erpnext?

Any way ?

Hi @kt2152,

there is a manual procedure to issue certificates:

$ sudo service nginx stop
$ sudo certbot certonly
(enter mode)2: standalone
(enter domain)www.example.com
$ sudo service nginx start 

This has worked with ERPNext. It remains open how to renew automatically…

3 Likes

Could you tell the dependencies required for this?
i am getting sudo: certbot: command not found on the second command

Thanks

You need to install certbot. Or sudo apt-get install certbot

1 Like

Thanks, read the github guide to install manually and set it up , thanks

1 Like

Thanks not yet. But will try the manual today

I have test a modification in this PR
It works in my instances and you could apply it easily

You must remove /etc/letsencrypt/configs/{site}.cfg if it exists because the last line should be standalone-supported-challenges = tls-sni-01

Then a sudo bench setup lets-encrypt {site} is working

2 Likes

To clarify. Yes @jodeq your pull request works properly. Until the fix is in place, do these steps on your local install first and then retry the lets encrypt command.

  1. from the root folder, (one up from frappe-bench)
    nano ~/.bench/bench/config/templates/letsencrypt.cfg

  2. You don’t want the last line. So comment it out and save… To do this you just add a # before the last line. It should look like this:
    # standalone-supported-challenges = tls-sni-01

  3. control + X to exit and Y to save.

  4. Go back to frappe-bench directory and try again with the lets-encrypt command.

This change will need to be undone before you can run a bench update as it changes the source code.

2 Likes

It works like a charm. Thanks

Fixed in bench via

2 Likes
plugins selected: Authenticator standalone, Installer None
    You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.
    INFO:bench.utils:sudo systemctl start nginx
    There was a problem trying to setup SSL for your site

I am getting this error. any body know how to fix it