I ran this command: sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.sec/cloudflare.ini --dns-cloudflare-propagation-seconds 30 -d *.muckabout.org,muckabout.org
It produced this output: “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA”
My web server is (include version): nginx docker
The operating system my web server runs on is (include version): Debian 9
My hosting provider, if applicable, is: private VPS
I can log in to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0
Could you post the full /var/log/letsencrypt/letsencrypt.log resulting from that command? That’s weird.
You could try this small adjustment to the command, not sure if it’ll help but sometimes things can go wrong with shell globbing:
-d "*.muckabout.org" -d "muckabout.org" --preferred-challenges dns
The other thing that could cause this is if for some reason your Certbot was using the ACME v1 endpoint, which does not support wildcards. You could try adding this too:
Because you already fulfilled one of the authorizations using HTTP with your account earlier, it is resulting in an unfortunate scenario where Certbot is bugging out pointlessly on a fulfilled authz that no longer has a DNS challenge attached to it.
If you temporarily rename /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/ to something else and try again, does it succeed? (This would allow Certbot to get completely fresh authorizations).
Edit: this bug probably didn’t use to exist back when 0.28.0 was a “new” version, but later on, Boulder’s behavior was changed to not send irrelevant challenges for already-valid authorizations, and that was also codified in RFC 8555. That change probably screwed over Certbot 0.28.0 in this weird edge case where you change authenticators on a single ACME account.
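
The edge case described in the last reply, as an added example that is not part of the thread and is not Certbot's code: a simplified model of challenge selection over RFC 8555 authorization objects, showing why a DNS-only authenticator fails on an already-valid authorization and how checking `status` first avoids it. The authorization data and all function names are constructed for illustration.

```python
# Added illustration, not Certbot source. Authorization objects follow the
# shape in RFC 8555 section 7.1.4; the sample data below is constructed.

class NoUsableChallenge(Exception):
    """No challenge type on the authorization is supported by the client."""

# Constructed sample: muckabout.org was validated earlier over HTTP on this
# account, so the CA lists only the completed http-01 challenge for it.
# The wildcard authorization is fresh and offers dns-01.
AUTHZS = [
    {"identifier": {"type": "dns", "value": "muckabout.org"},
     "status": "valid",
     "challenges": [{"type": "http-01", "status": "valid"}]},
    {"identifier": {"type": "dns", "value": "muckabout.org"},
     "status": "pending", "wildcard": True,
     "challenges": [{"type": "dns-01", "status": "pending"}]},
]

def name(authz):
    """Display name; wildcard authorizations carry the base domain plus a flag."""
    prefix = "*." if authz.get("wildcard") else ""
    return prefix + authz["identifier"]["value"]

def pick(authz, supported):
    """Return the first challenge type the authenticator can perform."""
    for challenge in authz["challenges"]:
        if challenge["type"] in supported:
            return challenge["type"]
    raise NoUsableChallenge(name(authz))

def plan_naive(authzs, supported):
    """Select a challenge for every authorization, whatever its status."""
    return {name(a): pick(a, supported) for a in authzs}

def plan_status_aware(authzs, supported):
    """Skip authorizations the CA already reports as valid."""
    return {name(a): pick(a, supported)
            for a in authzs if a["status"] != "valid"}

if __name__ == "__main__":
    dns_only = {"dns-01"}  # what a DNS plugin can offer
    try:
        plan_naive(AUTHZS, dns_only)
    except NoUsableChallenge as exc:
        print("naive selection fails on:", exc)
    print("status-aware plan:", plan_status_aware(AUTHZS, dns_only))
```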