Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA, that's it

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: demoflorida.com

I ran this command: certbot --apache

It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

My web server is (include version): Debian 8 + backports, it is a virtual machine

The operating system my web server runs on is (include version): CentOS unknown version

My hosting provider, if applicable, is: network x

I can login to a root shell on my machine (yes or no, or I donā€™t know): Yes

Iā€™m using a control panel to manage my site (no, or provide the name and version of the control panel): none

2

Hi,

Please try to run the certbot again, but this time, use certbot --apache --preferred-challenges http

This error message was generated because the default verification method tls-sni-01 is disabled due to security issues. The prefer challenges override this method.

P.S. you might want to upgrade your certbot.

Thank you

3

Cannot upgrade certbot, no upgrades available in my system: Debian 8 Jessie.Will try your fix.

1 Like
4

Please see

for more detail about this situation.

5

Failed!
oot@asr-2:/etc/apache2/sites-available# certbot --apache --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: 3550nw8.com
2: www.3550nw8.com
3: asflorida.com
4: www.asflorida.com
5: demoflorida.com
6: www.demoflorida.com
7: ladywig.com
8: www.ladywig.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ā€˜cā€™ to cancel):5 6
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

6

Thatā€™s the expected result from running --preferred-challenges http without upgrading Certbot. This is described in more detail in the thread that Iā€™ve just linked to above.

7

root@asr-2:/# wget -N https://dl.eff.org/certbot-auto.asc
--2018-06-04 18:15:24-- https://dl.eff.org/certbot-auto.asc
Resolving dl.eff.org (dl.eff.org)... 151.101.0.201, 151.101.64.201, 151.101.128.201, ...
Connecting to dl.eff.org (dl.eff.org)|151.101.0.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 488 [application/octet-stream]
Saving to: ā€˜certbot-auto.ascā€™

certbot-auto.asc 100%[======================================================>] 488 --.-KB/s in 0s

2018-06-04 18:15:24 (11.2 MB/s) - ā€˜certbot-auto.ascā€™ saved [488/488]

root@asr-2:/# gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: requesting key CD9775F2 from hkp server keys.gnupg.net
gpg: key CD9775F2: "Let's Encrypt Client Team letsencrypt-client@eff.org" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
root@asr-2:/# gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto
gpg: can't open signed data `certbot-auto'
gpg: can't hash datafile: No such file or directory
root@asr-2:/# ./certbot-auto --help all
-bash: ./certbot-auto: No such file or directory
root@asr-2:/# certbot --authenticater standalone --installr apache -d demoflorida.com --pre-hook "service apaches stop --pst-hook "service apache2 start"

^C
root@asr-2:/# certbot --authenticator standalone --installer apache -d demoflorida.com --pre-hook "service apache2 stop --post-hook "service apache2 start"

^C
root@asr-2:/# cd /etc/apache2/sites-available
root@asr-2:/etc/apache2/sites-available# certbot --authenticator standalone --installer apache -d demoflorida.com --pre-hook ā€œservice apache2 stopā€ --post-hook ā€œservice apache2 startā€
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: unrecognized arguments: apache2 stopā€ apache2 startā€
root@asr-2:/etc/apache2/sites-available# certbot --authenticator standalone --installer apache -d demoflorida.com --pre-hook ā€œservice apache stopā€ --post-hook ā€œservice apache startā€
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: unrecognized arguments: apache stopā€ apache startā€
root@asr-2:/etc/apache2/sites-available#

8

You started with the ā€œHintā€ section related to checking the signature on the downloaded certbot-auto script, but you skipped over three commands related to actually downloading certbot-auto, which are above the ā€œHintā€ section.

user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help
9

root@asr-2:~# wget -N https://dl.eff.org/certbot-auto.asc
ā€“2018-06-05 10:31:48-- https://dl.eff.org/certbot-auto.asc
Resolving dl.eff.org (dl.eff.org)ā€¦ 151.101.0.201, 151.101.64.201, 151.101.128.201, ā€¦
Connecting to dl.eff.org (dl.eff.org)|151.101.0.201|:443ā€¦ connected.
HTTP request sent, awaiting responseā€¦ 200 OK
Length: 488 [application/octet-stream]
Saving to: ā€˜certbot-auto.ascā€™

certbot-auto.asc 100%[===========================>] 488 --.-KB/s in 0s

2018-06-05 10:31:49 (121 MB/s) - ā€˜certbot-auto.ascā€™ saved [488/488]

root@asr-2:~# gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: requesting key CD9775F2 from hkp server keys.gnupg.net
gpg: key CD9775F2: ā€œLetā€™s Encrypt Client Team letsencrypt-client@eff.orgā€ not changed
gpg: Total number processed: 1
gpg: unchanged: 1
root@asr-2:~# gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto
gpg: canā€™t open signed data `certbot-autoā€™
gpg: canā€™t hash datafile: No such file or directory
root@asr-2:~#

This is what is posted in previous post, throws error
.

10

root@asr-2:~# wget https://dl.eff.org/certbot-auto
ā€“2018-06-05 10:35:10-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)ā€¦ 151.101.0.201, 151.101.64.201, 151.101.128.201, ā€¦
Connecting to dl.eff.org (dl.eff.org)|151.101.0.201|:443ā€¦ connected.
HTTP request sent, awaiting responseā€¦ 200 OK
Length: 62854 (61K) [application/octet-stream]
Saving to: ā€˜certbot-autoā€™

certbot-auto 100%[===========================>] 61.38K --.-KB/s in 0.01s

2018-06-05 10:35:10 (6.20 MB/s) - ā€˜certbot-autoā€™ saved [62854/62854]

root@asr-2:~# chmod a+x ./certbot-auto
root@asr-2:~# ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.

Help for certbot itself cannot be provided until it is installed.

ā€“debug attempt experimental installation
-h, --help print this help
-n, --non-interactive, --noninteractive run without asking for user input
ā€“no-bootstrap do not install OS dependencies
ā€“no-self-upgrade do not download updates
ā€“os-packages-only install OS dependencies and exit
ā€“install-only install certbot, upgrade if needed, and exit
-v, --verbose provide more output
-q, --quiet provide only update/error output;
implies --non-interactive

All arguments are accepted and forwarded to the Certbot client when run.
root@asr-2:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesnā€™t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run ā€œcertbot certonlyā€ to do so. Youā€™ll need to manually configure your web server to use the resulting certificate.
root@asr-2:~#

11

When you run certbot, youā€™re running your old OS package manager version. Only ./certbot-auto runs the self-updating version that you downloaded. So, you can run, for example, ./certbot-auto --apache to use the new version to perform your original task.

./certbot-auto will never rename itself to certbot, so this distinction will always continue to exist for every Certbot command that you might run on this system. You can see this distinction by running ./certbot-auto --version and certbot --version.

12

root@asr-2:/etc/apache2/sites-available# ./certbot-auto --version

  -bash: ./certbot-auto: No such file or directory

  root@asr-2:/etc/apache2/sites-available#
13

You're in a different directory now. Try "~/certbot-auto" or "/root/certbot-auto".

14

That worked, certbot downloaded required dependencies and installed, only the site does not display right under https so I had to choose option 1 - no redirect.

How can I make my site look good under https?

Thank you,

15

You most likely have a mixed content problem (insecure images, stylesheets, or scripts loaded from an HTTPS page). You can check at https://www.whynopadlock.com/.

16

The site I installed https is demoflorida.com, which displays OK over http, I built it without using https on top of Drupal 7 CMS, donā€™t know what you mean by insecure images, it is not a porn site. I do need to mplement https ,because I need to iframe certain scripts that are delivered via https, can you help with that? I use a theme that uses stylesheets but I need those, does https break stylesheets?
Tested site with your link and only warnings were:1) weserver not forcing https which I know of for reasons expalined above.
The other one 2)You currently have TLSv1 enabled.
This version of TLS is being phased out. This warning wonā€™t break your padlock, however if you run an eCommerce site, PCI requirements state that TLSv1 must be disabled by June 30, 2018.
The only way I see to solve this is by moving to the next version of Debian webserver, athough backports are enabled int the Wheezy version I use, my local machine runs on Stretch +plus testing (Buster).

17

If your site is HTTPS then your images and stylesheets need to be loaded using https:// URLs rather than http:// URLs. That is what @schoen meant by ā€œinsecureā€ - http without the ā€˜sā€™ :wink:

With Drupal 7 this is generally controlled by the $base_url setting in settings.php - you probably need to change it from http://demoflorida.com to https://demoflorida.com

1 Like
18

Ok, and I did not select in certbot-auto to modify the server to force https, so should I run it again?
Or
what changes do I need to make in the server configuration?

19

You can use a Redirect directive in your port 80 virtual host. For example

<VirtualHost *:80>
   ServerName demoflorida.com
   Redirect / https://demoflorida.com/
</VirtualHost>

Iā€™d fix the $base_url first thoughā€¦

20

my virtual host also has directive ServerAlias www.demoflorida.com
SHould I leave that as is or modify?
Working at $base_url, problem is that there is an example for the syntax and I just need to uncomment and edit it, but it is part of a paragraph that is commented out altogether and I want to leave it that way, just that line needs to be uncommented and I donā€™t know how to do that.