Can't renew, "the currently selected authenticator does not support any combination of challenges that will satisfy the CA"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gabarit.site

I ran this command: certbot renew --webroot

It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for gabarit.site and *.gabarit.site
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Failed to renew certificate gabarit.site with error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

(fails with same error with standalone)

When I try to use manual / DNS it fails also :

certbot renew --manual --preferred-challenges=dns

But with message :
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Failed to renew certificate gabarit.site with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

My web server is (include version): node v16

The operating system my web server runs on is (include version): Linux 5.11.0-37-generic Ubuntu 20

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

There is some important information about --manual and automatic renewal which you should read here.

If you can avoid using a wildcard certificate, it would be much easier for you to set up automated renewal.

Otherwise you'll just need to manually run at every renewal time:

certbot certonly --manual --preferred-challenges dns -d gabarit.site -d "*.gabarit.site"
4 Likes

Thanks.

I checked all that and decided to remove the wildcard to keep this automated. And now it works.

2 Likes