Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS

I found several references to the above error message, both on this forum and with a general search. However, my setup worked previously; all that I've changed this time is that I'm requesting a wildcard domain. I'm hoping that if I share my setup someone might be able to see the issue.

I have set my DNS to point to both the primary domain and the regex domain:

mydomain.com: <my server ip>
*.mydomain.com: <my server ip>

In my repo I have a script init-letsencrypt.sh. Note the reference to the variable $DOMAINS, which is defined in the env of the form DOMAINS=(*.mydomain.com,*.mydomain.com). Here's init-letsencrypt.sh.

#!/bin/bash

# Source variables from .env, including DOMAINS and EMAIL
. ./.env

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

# Word-split DOMAINS into an array. With a comma-joined value such as
# "*.mydomain.com,mydomain.com" this yields a single element, which certbot
# still accepts because -d takes comma-separated names.
domains=($DOMAINS)
rsa_key_size=4096
data_path="./data/certbot"
email="$EMAIL" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

# Ask before overwriting certificate data left by a previous run
if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi


# Fetch certbot's recommended nginx TLS settings and DH parameters once
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

# Create a one-day self-signed placeholder so nginx can start with its TLS
# configuration before a real certificate exists
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo


echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

# Remove the placeholder, and with it any previously issued certificate of the
# same name, so certbot can write a fresh one. This runs on every invocation.
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo


echo "### Requesting Let's Encrypt certificate for $domains ..."
# Join $domains into -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ "$staging" != "0" ]; then staging_arg="--staging"; fi

# Request the certificate with the webroot authenticator (HTTP-01 challenge)
docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload

And my docker-compose:

version: '3'

services:
  nginx:
    image: nginx:latest
    restart: unless-stopped
    volumes:
      - ./templates:/etc/nginx/templates
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
      - ./entry-scripts/40-reload.sh:/docker-entrypoint.d/40-reload.sh
    ports:
      - "80:80"
      - "443:443"
    env_file: .env
    
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

In the directory on the server, when I run ./init-letsencrypt.sh I get the following output:

./init-letsencrypt.sh
Existing data found for *.mydomain.com,mydomain.com. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for *.mydomain.com,mydomain.com ...
Creating nginx_certbot_run ... done
Generating a RSA private key
.....................................................................++++
...................++++
writing new private key to '/etc/letsencrypt/live/*.mydomain.com,mydomain.com/privkey.pem'
-----

### Starting nginx ...
Recreating nginx_nginx_1 ... done

### Deleting dummy certificate for *.mydomain.com,mydomain.com ...
Creating nginx_certbot_run ... done

### Requesting Let's Encrypt certificate for *.mydomain.com,mydomain.com ...
Creating nginx_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.mydomain.com and mydomain.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

### Reloading nginx ...
Error response from daemon: Container 5fe4d065053e4011fee12321e9fd156b6c40770fa3c4fadc003098bee9864675b is restarting, wait until the container is running

Since this setup worked for me recently, I'm convinced it's to do with the fact that this time I've requested a wildcard certificate.

I saw references to using a more up-to-date version of certbot that deals with wildcard domains. However, in my docker-compose I'm pulling from certbot/certbot, which presumably defaults to latest.

How can I overcome this error or what further information could I provide in order to help diagnose?

2 Likes

You're using certbot's --webroot option, which means that you currently use the HTTP-01 challenge for validation (Let's Encrypt connects to your server via HTTP and checks if you control the server).

This is fine for non-wildcard certificates; however, you're now requesting a wildcard certificate. Let's Encrypt requires that wildcard certificates be validated via DNS-01. That's a different authentication mechanism that involves creating DNS TXT records to prove that you control the domain.

To automate the DNS-01 challenge, you must be able to create (+ remove) DNS TXT records on your domains in an automated way, e.g. via an API. Then certbot must interact with this API. Certbot has some plugins for some DNS API providers, but you can also write your own scripts. Other ACME clients (e.g. acme.sh) may have better support for the DNS-01 challenge than certbot.

3 Likes
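As an added example (not from this thread and not part of the script the original poster shared), the shell below makes the point of the answer above concrete: it picks the challenge type from the requested names, refusing HTTP-01 as soon as a wildcard is present, and simulates what a DNS-01 auth/cleanup hook pair has to publish. The record store is a plain file standing in for a DNS provider's API, the hook paths are placeholders, and the sample names and token values are constructed; the certbot flags (--manual, --preferred-challenges, --manual-auth-hook, --manual-cleanup-hook) are certbot's own.

```shell
#!/bin/bash
# Added example: challenge selection and a simulated DNS-01 hook pair.
# Not from the thread or the original script.

# challenge_for: print "dns-01" if any requested name is a wildcard, else "http-01".
# Let's Encrypt only issues wildcard names via DNS-01, so --webroot (HTTP-01)
# can be rejected here instead of failing at the CA.
challenge_for() {
  local name
  for name in "$@"; do
    case "$name" in
      \*.*) echo "dns-01"; return 0 ;;
    esac
  done
  echo "http-01"
}

# certbot_args: authenticator flags for the chosen challenge type. For DNS-01 this
# uses certbot's --manual authenticator with hook scripts; the hook paths are
# placeholders, not files that exist.
certbot_args() {
  case "$(challenge_for "$@")" in
    dns-01)  echo "--manual --preferred-challenges dns --manual-auth-hook /path/to/auth-hook.sh --manual-cleanup-hook /path/to/cleanup-hook.sh" ;;
    http-01) echo "--webroot -w /var/www/certbot" ;;
  esac
}

# acme_record_name: the TXT record that validates NAME. A wildcard is validated
# at its base name: *.mydomain.com -> _acme-challenge.mydomain.com
acme_record_name() {
  local name="$1"
  echo "_acme-challenge.${name#\*.}"
}

# add_txt_record: what an auth hook does. It appends, never replaces: both
# *.mydomain.com and mydomain.com validate at the same record name, so a hook
# that overwrote the value would break one of the two authorizations.
add_txt_record() {
  local store="$1" rname="$2" value="$3"
  printf '%s TXT %s\n' "$rname" "$value" >> "$store"
}

# remove_txt_record: the cleanup hook counterpart; drops exactly one value.
remove_txt_record() {
  local store="$1" rname="$2" value="$3"
  local tmp
  tmp=$(mktemp)
  grep -v -F -x "$rname TXT $value" "$store" > "$tmp" || true
  mv "$tmp" "$store"
}

# count_txt_records: number of TXT values currently published at a name.
count_txt_records() {
  local store="$1" rname="$2"
  grep -c -F "$rname TXT " "$store" 2>/dev/null || true
}

# demo: simulate certbot invoking the auth hook once per authorization, then the
# cleanup hook for one of them. Prints "<records after auth> <records after cleanup>".
demo() {
  local store before after
  store=$(mktemp)
  : > "$store"
  # Constructed token values; a real hook reads the name and token from the
  # CERTBOT_DOMAIN and CERTBOT_VALIDATION variables certbot exports to it.
  add_txt_record "$store" "$(acme_record_name '*.mydomain.com')" "token-for-wildcard"
  add_txt_record "$store" "$(acme_record_name 'mydomain.com')" "token-for-apex"
  before=$(count_txt_records "$store" "_acme-challenge.mydomain.com")
  remove_txt_record "$store" "$(acme_record_name '*.mydomain.com')" "token-for-wildcard"
  after=$(count_txt_records "$store" "_acme-challenge.mydomain.com")
  rm -f "$store"
  echo "$before $after"
}
```

Running `demo` gives `2 1`: two TXT values coexist at `_acme-challenge.mydomain.com` while both authorizations are pending, and the cleanup removes only its own. That is the property a hand-written hook for the request in this thread (`*.mydomain.com` plus `mydomain.com`) needs, since certbot calls the auth hook once per name before any cleanup runs.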

Why is this in the script?:

2 Likes

Hi, I borrowed heavily from this repo. I just copied over their init sh script. Honestly, not sure why that block is there, but I was scared to mess with it.

1 Like

It should be removed.
Every time that script is called it deletes the cert in question - essentially forcing a renewal for it.

3 Likes

OK, noted. Thanks for pointing that out.

3 Likes

Because it's a terrible script and people shouldn't be using it. But in more detail: the script should only be run just once, and it temporarily places some snake-oil certs in the /etc/letsencrypt/ directories to get the webserver up and running with HTTPS.. Which is unnecessary of course.

It's just bad, bad BAD design on the script's part.. A thing that should be removed from the internet.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.