Good day! I'm trying to get a certificate automatically with the command: "certbot certonly --nginx --email admin@mydomain.com -d *.mydomain.com" and certbot gives the error "Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS."
What is the problem?
P.S. GitHub - joohoi/acme-dns-certbot-joohoi: Certbot client hook for acme-dns. Is this the only solution available to automate the auto-update?
Hi,
In order to obtain a Let's Encrypt wildcard certificate, you must use DNS-01 authentication. Thus, please use either a DNS API (with some ACME clients) or manually update DNS with a validation hook.
P.S. You are not limited to using only certbot. If you find some other ACME clients trustworthy and useful (e.g. compatible with your DNS provider), you can use them as well.
The fact of the matter is that I would like to automate the task. Have you had any examples of using certbot in a similar situation? I would be very grateful for examples.
Without your domain name, I actually couldn't provide more accurate information...
The nginx authenticator plugin (used due to the --nginx option) doesn't support the dns-01 challenge, see the plugin overview in the certbot documentation.
That depends on your situation. If you are using a DNS provider which supports one of the DNS plugins available for certbot (see the plugin table linked above), you most likely won't be needing acme-dns and its corresponding certbot plugin.
You can use any DNS plugin to automate the DNS-01 challenge with Certbot.
Setting up acme-dns and using the acme-dns plugin(s) [there are 2] is STRONGLY recommended, because that is the most secure option currently available.
Certbot ships with several plugins that will directly communicate with several DNS providers. You can download others, or use "lexicon" which can control dozens of DNS providers.
The danger of these approaches, though, is that your DNS-API credentials must be saved on your server(s) -- and most DNS-API providers do not have fine-grained security settings, so your entire DNS and possibly domain/account registration is vulnerable if your server is hacked.
The acme-dns approach delegates the "acme-challenge", and only the acme challenge, to an API-driven DNS system that you control. If your server and credentials are compromised, the impact is limited by those credentials only being able to control the acme-dns challenge.
This link explains it more:
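To make the delegation approach described in the replies above concrete, here is an added example of a certbot `--manual-auth-hook` that publishes the dns-01 validation token to an acme-dns server. It is not code from the original thread, from certbot or from the acme-dns project. It assumes an acme-dns account has already been registered (the JSON returned by `POST /register`, saved per zone in a credentials file whose path and the server URL below are assumptions) and that `_acme-challenge.mydomain.com` already has a CNAME pointing at that account's `fulldomain`. Only the `X-Api-User`/`X-Api-Key` headers and the `/update` body shape are taken from the acme-dns API; everything else is illustrative.

```python
"""
Added example (not from the original thread, certbot or the acme-dns project):
a minimal certbot --manual-auth-hook that pushes the dns-01 validation value
to an acme-dns server, illustrating the "delegate only _acme-challenge" model.

Assumptions (not from the page): the server URL and credentials file path
below, and a credentials file that maps a zone name to the JSON returned by
acme-dns /register, e.g.
  {"mydomain.com": {"username": "...", "password": "...",
                    "subdomain": "...", "fulldomain": "....auth.example"}}
"""
import json
import os
import sys
import urllib.request

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to auth hooks.
# The acme-dns URL and credentials path are this example's assumptions.
ACME_DNS_URL = os.environ.get("ACME_DNS_URL", "https://auth.acme-dns.io")
CREDENTIALS_FILE = os.environ.get("ACME_DNS_CREDENTIALS", "/etc/letsencrypt/acme-dns.json")


def load_credentials(path):
    """Read the zone -> acme-dns account mapping described in the module docstring."""
    with open(path) as f:
        return json.load(f)


def lookup_account(creds, domain):
    """Walk up the label tree so '*.mydomain.com' or 'www.mydomain.com'
    resolves to the account registered for 'mydomain.com'."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):  # never match the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in creds:
            return creds[candidate]
    raise KeyError(f"no acme-dns account registered for {domain}")


def build_update_request(account, validation, base_url=ACME_DNS_URL):
    """Return (url, headers, body) for the acme-dns POST /update call.

    acme-dns only accepts a 43-character TXT value, which is exactly the
    base64url(SHA-256(key authorization)) certbot puts in CERTBOT_VALIDATION.
    The account's credentials can only write this one TXT record, which is
    the whole point of the delegation.
    """
    if len(validation) != 43:
        raise ValueError("dns-01 validation value must be 43 characters")
    headers = {
        "X-Api-User": account["username"],
        "X-Api-Key": account["password"],
        "Content-Type": "application/json",
    }
    body = json.dumps({"subdomain": account["subdomain"], "txt": validation}).encode()
    return base_url.rstrip("/") + "/update", headers, body


def send(url, headers, body):
    """Perform the HTTPS POST and decode the JSON reply (network access required)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def main():
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    account = lookup_account(load_credentials(CREDENTIALS_FILE), domain)
    url, headers, body = build_update_request(account, validation)
    result = send(url, headers, body)
    # acme-dns echoes the TXT value it stored; anything else means the
    # record was not updated and certbot's validation would fail.
    if result.get("txt") != validation:
        print("acme-dns rejected the update:", result, file=sys.stderr)
        sys.exit(1)


if __name__ == "__main__":
    main()
```

With the hook saved as an executable script, it would be wired in with the real certbot flags `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/hook.py -d '*.mydomain.com'`; quoting the wildcard keeps the shell from expanding it. The credentials file should be readable only by the user certbot runs as, since those credentials, while limited to the delegated `_acme-challenge` record, are still enough to obtain certificates for the zone.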