Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Hello,

I'm trying to set up certbot on a newly installed server.
I looked at other articles related to this error but I was not able to figure it out. Any guidance would be appreciated.

My domain is: *.rlqc.net

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.rlqc.net
Requesting a certificate for *.rlqc.net
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.51

The operating system my web server runs on is (include version): OpenSUSE Leap 15.4

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version || /path/to/certbot-auto --version
certbot 2.4.0

Following the other posts about this:

I ran:
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

Which gave the output:
sed: can't read /etc/letsencrypt/renewal/*: No such file or directory

I then ran:
sudo certbot renew --dry-run

Which produced:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

No simulated renewals were attempted.

For a wildcard certificate you are required to use the DNS-01 challenge, which puts a specific TXT record on the _acme-challenge subdomain. Most people who use this challenge use an API to automate it.
Can you not use a wildcard and set up each subdomain separately?


You need a DNS plugin if you want to obtain a wildcard certificate with Certbot.

certbot-dns-godaddy and certbot-dns-multi both support getting wildcard certificates via GoDaddy, which is where your domain seems to have its DNS hosted.

As orangepizza mentions, the easiest thing to do is not to use wildcard certificates.

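What the two replies above are describing, as an added example that is not part of the thread and not Certbot's own code: the DNS-01 arithmetic from RFC 8555 section 8.4, plus the check the CA performs. The account key is a constructed placeholder JWK (its coordinates are not a real curve point; only the RFC 7638 thumbprint of its canonical JSON matters here), the tokens are constructed, and the `zone` dictionaries stand in for real DNS lookups so the script runs offline. It also shows two details the thread only implies: the record for `*.rlqc.net` lives at `_acme-challenge.rlqc.net`, not under the wildcard label, and a certificate covering both `rlqc.net` and `*.rlqc.net` needs two TXT records at that same name.

```python
"""DNS-01 challenge values and the CA-side check, per RFC 8555 section 8.4.

Added example, not code from the thread or from Certbot. SAMPLE_JWK is a
CONSTRUCTED placeholder; tokens and zones are constructed stand-ins for
what the CA issues and what DNS would return.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample account key (public part only). A real ACME account
# key lives under /etc/letsencrypt/accounts/ on a Certbot host.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(hashlib.sha256(b"constructed-x").digest()),
    "y": b64url(hashlib.sha256(b"constructed-y").digest()),
    "use": "sig",  # extra member; not part of the thumbprint input
}

# RFC 7638: only the required public members, lexicographically ordered,
# serialised with no whitespace, then SHA-256 and base64url.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def jwk_thumbprint(jwk: dict) -> str:
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT content = base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token '.' thumbprint."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """Wildcards are validated at the base name: '*.rlqc.net' is checked at
    '_acme-challenge.rlqc.net'; there is no '_acme-challenge.*.rlqc.net'."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def validate_dns01(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """What the CA does: query TXT at the challenge name and accept if ANY
    returned string equals the expected value. 'zone' maps names to lists
    of TXT strings (constructed stand-in for a DNS query)."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in zone.get(challenge_record_name(identifier), [])


def records_to_publish(identifiers: list, tokens: dict, thumbprint: str) -> dict:
    """Group the TXT records one order needs by record name. 'rlqc.net' and
    '*.rlqc.net' both map to '_acme-challenge.rlqc.net', so an auth hook
    must ADD records there, never replace the existing one."""
    out = {}
    for ident in identifiers:
        out.setdefault(challenge_record_name(ident), []).append(
            dns01_txt_value(tokens[ident], thumbprint))
    return out


if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    # The CA issues one token per authorization; these are constructed.
    tokens = {"rlqc.net": "tokenA-constructed", "*.rlqc.net": "tokenB-constructed"}
    zone = records_to_publish(["rlqc.net", "*.rlqc.net"], tokens, thumb)
    for name, values in zone.items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')
    print(all(validate_dns01(zone, i, tokens[i], thumb) for i in tokens))
```

In Certbot's `--manual --preferred-challenges dns` mode this computation is done for you and the resulting value is printed for you to publish; with `--manual-auth-hook` it arrives in the `CERTBOT_VALIDATION` environment variable alongside `CERTBOT_DOMAIN`. A DNS plugin such as the ones named above does the same through the provider's API, and a hook that overwrites rather than appends will fail exactly the two-records-one-name case shown here.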

@_az Maybe

should be changed to add a link to a page about this issue. Some existing possibilities could be

https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins

...

There is also

which is usually helpful but maybe not in cases where a more specific tip could result from the context.

It's just unfortunate that there are probably 100 or more forum topics with this exact title

https://community.letsencrypt.org/search?q=%22client%20with%20the%20currently%20selected%20authenticator%22

and typically exactly the same content! (i.e. this error message and people having followed the existing Certbot output suggestion to ask on the forum about it)

I remember that @erica and I debated how to handle advice-in-error-conditions in Certbot a few years ago, and I think we eventually had a plan about web pages with more detailed explanations of specific errors (and having Certbot emit links to those pages), but I don't remember exactly and I guess we didn't do it. But the DNS plugins + wildcard error could be a great candidate for something like that.

