Authenticator does not support any combination of challenges that will satisfy the CA

My domain is: phill030.de

I ran this command: certbot --nginx -d *.phill030.de

It produced this output:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version): Linux VPS

The operating system my web server runs on is (include version): (Ubuntu 22.04)

My hosting provider, if applicable, is: Strato

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

Certbot Version: certbot 2.7.2

Hi @Phill030, and welcome to the LE community forum :slight_smile:

Wildcard certs require DNS-01 authentication.
[you can't use --nginx as the authenticator for wildcard certs]
[--nginx may work if you used names like: -d phill030.de OR -d www.phill030.de OR both.]

2 Likes

So I need to request a certificate for each subdomain?

If you can't use DNS-01 authentication, then you can't get a cert that contains a wildcard entry.
You can get a cert that contains up to 100 entries.
So, you could do something like:
certbot --nginx -d phill030.de -d www.phill030.de -d blog.phill030.de -d smtp.phill030.de etc.
So long as the names point to the IP of that same system, it can process all those names and put them all on one cert.

2 Likes
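The two rules stated in the replies above (a wildcard name forces DNS-01, and a plain name only works with --nginx if it resolves to this server's address) can be checked before running certbot. This is an added pre-flight script, not from the thread; the resolver lookup, the hypothetical filename and the classification labels are my own.

```shell
#!/bin/sh
# Added example: pre-flight check for the names you intend to pass to certbot -d
# before deciding between --nginx (HTTP-01) and a DNS authenticator (DNS-01).

# Resolve a hostname to its first IPv4 address (empty string if none).
# Uses glibc's getent; override this function to test without network access.
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# needs_dns01 NAME: succeed if NAME is a wildcard, which only DNS-01 can satisfy.
needs_dns01() {
    case "$1" in
        \*.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# plan_challenges SERVER_IP NAME...: print one line per name with the verdict:
#   NAME dns-01        wildcard; --nginx cannot validate it
#   NAME http-01       resolves to SERVER_IP; --nginx can validate it
#   NAME unresolved    no A record; HTTP-01 would fail
#   NAME wrong-ip IP   A record points at a different host
plan_challenges() {
    server_ip=$1
    shift
    for name in "$@"; do
        if needs_dns01 "$name"; then
            printf '%s dns-01\n' "$name"
            continue
        fi
        ip=$(resolve_a "$name")
        if [ -z "$ip" ]; then
            printf '%s unresolved\n' "$name"
        elif [ "$ip" = "$server_ip" ]; then
            printf '%s http-01\n' "$name"
        else
            printf '%s wrong-ip %s\n' "$name" "$ip"
        fi
    done
}

# Usage (hypothetical filename): sh preflight.sh SERVER_IP NAME...
if [ "$#" -ge 2 ]; then
    plan_challenges "$@"
fi
```

Any line marked dns-01 means the whole request needs a DNS plugin; any line marked unresolved or wrong-ip means that name should be fixed in DNS or dropped from the -d list before --nginx will succeed.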

Is your [HTTP] site operational?
If not, you should get that going first.
Using an HTTP site to get a cert is the easiest method.

But maybe I should ask: What will the cert be for?
Because if it is NOT for HTTPS, then you really don't need to spin up an HTTP server [just to process the ACME challenge requests].

3 Likes

The cert is for HTTPS

2 Likes

OK, then starting with an HTTP site makes sense.
You can then use that to redirect everything [else] to HTTPS.

2 Likes

Do you actually need a wildcard certificate?

1 Like

Not necessarily

1 Like

Then I recommend forgetting about a wildcard certificate and just entering the required hostnames on the command line, either as a comma-separated value to one -d option or as multiple -d options with one hostname per option. E.g.:

certbot --nginx -d phill030.de -d www.phill030.de

@Osiris, last I looked, www.phill030.de has no IP.
phill030.de does have an IP.
But it returns:

curl -Ii phill030.de
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 20 Oct 2023 13:36:52 GMT
Content-Type: video/quicktime     <<<<<<<<<<<<<<<<<<<<<<<<<<<<
Content-Length: 909028
Connection: keep-alive
curl phill030.de
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
1 Like

Well, it was just an example. :slight_smile:

It's offering TikToks :thinking: Random choice out of a handful of videos.

1 Like

Thank you guys :+1:

2 Likes
