Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Hi

My crontab has the following entry:
0 6 * * * /etc/letsencrypt/certbot-auto renew --text >> /etc/letsencrypt/certbot/certbot-cron.log && sudo service nginx reload

However, doing a dry run gave me the following errors:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for macquarierealestate.com
http-01 challenge for www.macquarierealestate.com
Using the webroot path /data/test/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0029_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0029_csr-certbot.pem
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/swoose.com.au.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/cfz.com.au.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/swoose.net.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.


Processing /etc/letsencrypt/renewal/macquarierealestate.com.conf


Processing /etc/letsencrypt/renewal/swoose.com.au.conf


Processing /etc/letsencrypt/renewal/cfz.com.au.conf


Processing /etc/letsencrypt/renewal/swoose.net.conf

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/macquarierealestate.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/swoose.com.au/fullchain.pem (failure)
/etc/letsencrypt/live/cfz.com.au/fullchain.pem (failure)
/etc/letsencrypt/live/swoose.net/fullchain.pem (failure)

I don’t understand why, with certbot-auto enabled, one certificate is OK but the remainder (all on the same webserver) aren’t OK…?

Cheers

Hmm, well the one that’s working is using webroot, maybe the others are using the nginx authenticator. But certbot-auto should have updated itself to a version where that won’t matter. Did you disable its self-upgrade functionality somehow? Perhaps in /etc/letsencrypt/cli.ini?

Contents are:
webroot-path = /data/test/www

So, no, didn't intentionally disable it.

Should I make the authenticator webroot for the other certificates?

Switching the authenticator to webroot should work, but it might be a bit complicated since you’ve explicitly set a webroot in cli.ini for some reason, so unless all your domains use the same webroot, you’ll have to remove that and set the webroot for each site in its own renewal configuration instead.

It would probably be better to get certbot-auto to upgrade itself, if you can, though I’m not sure what else to suggest as that’s supposed to happen automatically :frowning:

Maybe certbot-auto IS upgraded, but there’s some pref_challs set:

grep -Ri pref_challs /etc/letsencrypt/renewal/
certbot-auto --version

I swapped cfz.com.au.conf to webroot and did a dry run and it worked. These are all virtual hosts of the same server, so perhaps that is OK?

The grep found nothing…


Grep it again now after it worked.

Changed all the confs to use webroot and grep still shows nothing, but:

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/macquarierealestate.com/fullchain.pem (success)
/etc/letsencrypt/live/swoose.com.au/fullchain.pem (success)
/etc/letsencrypt/live/cfz.com.au/fullchain.pem (success)
/etc/letsencrypt/live/swoose.net/fullchain.pem (success)

So I assume that it wanted webroot as an authenticator...?

Should I remove the entry in /etc/letsencrypt/cli.ini?

[EDIT]
Removed the entry and then authentication failed with:
Attempting to renew cert from /etc/letsencrypt/renewal/cfz.com.au.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for cfz.com.au:
Choices: [‘Enter a new webroot’]

(You can set this with the --webroot-path flag). Skipping.

Even though there is a webroot_path = /data/test/www in the conf, so I have put it back in the cli.ini.

Webroot is one way to get things to work (workaround).

You shouldn't need to touch the cli.ini file.

That doesn't look like a recent version of Certbot. Those two messages got downgraded to a lower log level or removed like last year...

/etc/letsencrypt/renewal/ configuration files using the webroot plugin have a whole [[webroot_map]] section. I don't think they use webroot_path at all.
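Added example, not from the thread: a small POSIX sh check that walks a directory of certbot renewal configs and reports, per certificate, which authenticator is set and whether a webroot renewal carries the [[webroot_map]] section described above. The two sample conf files are constructed here in a temp directory (values are made up) so the script runs offline; point report_renewals at /etc/letsencrypt/renewal to run it for real.

```shell
#!/bin/sh
# Create a temp directory with two constructed renewal configs: one webroot
# renewal with a [[webroot_map]], one that still uses the nginx authenticator.
make_sample_renewal_dir() {
  dir=$(mktemp -d)
  cat > "$dir/macquarierealestate.com.conf" <<'EOF'
version = 0.30.0
[renewalparams]
authenticator = webroot
account = 0123abcd
[[webroot_map]]
macquarierealestate.com = /data/test/www
www.macquarierealestate.com = /data/test/www
EOF
  cat > "$dir/swoose.com.au.conf" <<'EOF'
version = 0.10.2
[renewalparams]
authenticator = nginx
installer = nginx
account = 0123abcd
EOF
  echo "$dir"
}

# Print one line per conf: "<cert name> <authenticator> <status>".
# webroot without a [[webroot_map]] is flagged, as is an nginx/apache
# authenticator, which the thread shows failing on an outdated client.
report_renewals() {
  for conf in "$1"/*.conf; do
    name=$(basename "$conf" .conf)
    auth=$(sed -n 's/^authenticator *= *//p' "$conf")
    case "$auth" in
      webroot)
        if grep -q '^\[\[webroot_map\]\]' "$conf"; then status=ok
        else status=missing-webroot_map; fi ;;
      nginx|apache) status=check-client-version ;;
      '') status=no-authenticator ;;
      *) status=ok ;;
    esac
    echo "$name ${auth:-none} $status"
  done
}

# Stand-alone run against the constructed directory.
sample_dir=$(make_sample_renewal_dir)
report_renewals "$sample_dir"
rm -rf "$sample_dir"
```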

So, how do I update it to the latest version, when I check packages I don’t get an option to update certbot…

certbot-auto is supposed to upgrade itself every time you run it, unless you pass certain options. It’s mysterious that it’s out-of-date at all.

What does sudo /etc/letsencrypt/certbot-auto --version show?

/etc/letsencrypt/certbot-auto --version
certbot 0.30.0

Did you run a different Certbot installation for the dry run in your first post?

I don’t think so…

sudo certbot renew --dry-run works

/etc/letsencrypt/certbot-auto --version works

certbot-auto --version
sh: 1: certbot-auto: not found
…clearly doesn’t

What does “sudo certbot --version” output?

sudo certbot --version
certbot 0.10.2

So there are two versions of Certbot installed, and one of them is quite old.

What OS (including version) is this?

What does “sudo which certbot” show? How was it installed?

sudo which certbot
/usr/bin/certbot

Short answer is I have no idea how 2 versions are installed, I thought that there was only one…

RaspberryPi Raspbian Linux 9, Linux 4.14.79-v7+ on armv7l