Challenges not supported: error in certbot 0.31.0

Dear all,

I am trying to do a standalone certificate in Ubuntu 18 LTS. I simply installed certbot and then tried

sudo certbot certonly --standalone --preferred-challenges tls-sni -d domain-name.com

However, this failed with the error

certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Since I had certbot 0.27.0 (which was installed simply with apt-get), I upgraded to 0.31.0 ... however, I still get the same error:

2021-03-04 15:00:03,879:INFO:certbot.auth_handler:Performing the following challenges:
2021-03-04 15:00:03,879:CRITICAL:certbot.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
2021-03-04 15:00:03,879:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 68, in handle_authorizations
    self._choose_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 117, in _choose_challenges
    combinations)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 422, in gen_challenge_path
    return _find_smart_path(challbs, preferences, combinations)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 459, in _find_smart_path
    _report_no_chall_path(challbs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 498, in _report_no_chall_path
    raise errors.AuthorizationError(msg)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

There are several questions with this topic. However, I did not quite find a solution there.

Thanks in advance!

Hi @brauliobarahona

Why do you think that should work?

There is no value tls-sni defined at

https://certbot.eff.org/docs/using.html

so the non-working result is expected.

Before testing such things: Always read the documentation. Thanks!

Hi @brauliobarahona,

The context around the problem mentioned by @JuergenAuer is that the TLS-SNI validation method was phased out starting in January 2018 because of a security problem (where, in some configurations, one shared hosting customer could pass this challenge for a different shared hosting customer's site on the same server).

So, your attempt to use it suggests that you might be following some pretty old documentation!


tls-sni was phased out; simply use certonly to create a certificate without installing it, using the http protocol. For example:

sudo certbot certonly --standalone -d domain-name.com --non-interactive --agree-tos --email my-email@domain.ch --http-01-port=8080
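
A preflight check for the situation in this thread, as an added example that is not part of any post above and is not certbot's own code: it reads the arguments intended for certbot and reports which preferred challenges are still usable. The helper name check_certbot_args and its messages are hypothetical; it assumes the short names http, dns and tls-sni stand for http-01, dns-01 and tls-sni-01.

```shell
#!/bin/sh
# Added example. stdout: "default" when no preference is given, otherwise the
# usable challenge types. Returns 1 when every preferred challenge is unusable,
# the case that ends in the AuthorizationError quoted in the question.
check_certbot_args() {
    prefs="" standalone=no usable=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --standalone) standalone=yes ;;
            --preferred-challenges=*) prefs=${1#*=} ;;
            --preferred-challenges)
                [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
                shift
                prefs=$1 ;;
        esac
        shift
    done
    [ -n "$prefs" ] || { echo default; return 0; }
    old_ifs=$IFS; IFS=,
    set -f                      # no globbing while splitting on commas
    for chall in $prefs; do
        case "$chall" in
            http|http-01) add=http-01 ;;
            dns|dns-01)
                add=dns-01
                if [ "$standalone" = yes ]; then
                    echo "skip '$chall': --standalone cannot answer DNS challenges" >&2
                    add=""
                fi ;;
            tls-sni|tls-sni-01)
                echo "skip '$chall': TLS-SNI validation was phased out" >&2
                add="" ;;
            *)  echo "skip '$chall': unknown challenge type" >&2
                add="" ;;
        esac
        # Drop duplicates such as "http,http-01".
        case ",$usable," in *",$add,"*) add="" ;; esac
        [ -z "$add" ] || usable="${usable:+$usable,}$add"
    done
    set +f; IFS=$old_ifs
    [ -n "$usable" ] || return 1
    echo "$usable"
}

# Constructed demo: the command from the question, then the suggested fix.
check_certbot_args certonly --standalone --preferred-challenges tls-sni -d domain-name.com || echo "no usable challenge"
check_certbot_args certonly --standalone -d domain-name.com --http-01-port=8080
```

The check passes --http-01-port through untouched: that option only changes the local port the standalone server binds to, so port 80 on the public address still has to reach it for HTTP validation.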
