I started creating multiple certificates with certbot-auto (latest version) using the webroot authenticator. Creation and renewal work fine.
A few weeks ago, we also started to create wildcard certificates using route53 DNS plugin. This also works fine.
All is automated through scripts using a specific certbot.ini file for each challenge (one for webroot certs and one for DNS certs).
But now comes the time to renew these wildcard certificates, and with our standard renew script we get the following error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
This is normal as renew is configured to use webroot and wildcards need Route53 dns challenge.
If I create a new renew script using the correct ini file (as I do when creating certs), it works.
The problem is that these scripts logically generate errors for certs not using the specified challenge.
Is there any way to tell certbot which challenge to use for each domain in a single script?
When Certbot issues a certificate, it saves all of the settings in /etc/letsencrypt/renewal/ (or whatever directory you use).
If you later run “certbot renew”, it will do everything correctly.
Can you explain what commands you’re using to create certificates and to renew them?
If you’re trying to renew them with “certbot renew”, try doing it without passing any -c or --config options, or just using a shorter config file that doesn’t force specific plugins or preferred challenges.
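Since `certbot renew` takes the authenticator from each per-certificate file under the renewal directory, a quick way to see what a plain `certbot renew` will do for every certificate is to read those files. The script below is an added example, not code from the thread; it assumes the renewal configs use the usual `[renewalparams]` section with an `authenticator = ...` line, and the two sample configs it creates are constructed for the demo (point `RENEWAL_DIR` at the real `/etc/letsencrypt/renewal/` instead).

```shell
#!/bin/sh
# Added example: report which authenticator each renewal config will use.
# Constructed sample files stand in for /etc/letsencrypt/renewal/*.conf.

# Print "<cert name> <authenticator>" for every *.conf in a directory.
# certbot renew reads the authenticator from [renewalparams], which is why a
# single "certbot renew" can handle webroot and dns-route53 certs together.
list_authenticators() {
    dir="$1"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        # Only look inside [renewalparams]; stop at the first match.
        auth=$(awk -F'=' '
            /^\[/ { in_params = ($0 == "[renewalparams]") }
            in_params && $1 ~ /^[ \t]*authenticator[ \t]*$/ {
                gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
            }' "$conf")
        printf '%s %s\n' "$name" "${auth:-<none>}"
    done
}

# Constructed sample renewal configs (assumed shape of certbot's own files).
RENEWAL_DIR=$(mktemp -d)
cat > "$RENEWAL_DIR/www.example.com.conf" <<'EOF'
version = 1.0.0
archive_dir = /etc/letsencrypt/archive/www.example.com
cert = /etc/letsencrypt/live/www.example.com/cert.pem
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
www.example.com = /var/www/html
EOF
cat > "$RENEWAL_DIR/example.com.conf" <<'EOF'
version = 1.0.0
[renewalparams]
authenticator = dns-route53
EOF

list_authenticators "$RENEWAL_DIR"
```

Any certificate that shows `webroot` here while its domain is a wildcard is the one a forced `--authenticator webroot` in the renew config would break.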
I didn’t know that renew was using the authenticator stored in renewal folder.
So my certbot.ini (used to generate and renew certs) was configured with webroot, also for renew.
I just removed this parameter from the config file and added it directly to the command line for certonly.
No, a single renew script works like a charm with both webroot and route53 challenges.