Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA


#1

Hi

My crontab has the following entry:
0 6 * * * /etc/letsencrypt/certbot-auto renew --text >> /etc/letsencrypt/certbot/certbot-cron.log && sudo service nginx reload

However, doing a dry run gave me the following errors:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for macquarierealestate.com
http-01 challenge for www.macquarierealestate.com
Using the webroot path /data/test/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0029_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0029_csr-certbot.pem
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/swoose.com.au.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/cfz.com.au.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/swoose.net.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.


Processing /etc/letsencrypt/renewal/macquarierealestate.com.conf


Processing /etc/letsencrypt/renewal/swoose.com.au.conf


Processing /etc/letsencrypt/renewal/cfz.com.au.conf


Processing /etc/letsencrypt/renewal/swoose.net.conf

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/macquarierealestate.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/swoose.com.au/fullchain.pem (failure)
/etc/letsencrypt/live/cfz.com.au/fullchain.pem (failure)
/etc/letsencrypt/live/swoose.net/fullchain.pem (failure)

I don’t understand why, with certbot-auto enabled, one certificate is OK but the remainder (all on the same webserver) aren’t OK…?

Cheers


How to resolve TLS-SNI deprecation
#2

Hmm, well the one that’s working is using webroot, maybe the others are using the nginx authenticator. But certbot-auto should have updated itself to a version where that won’t matter. Did you disable its self-upgrade functionality somehow? Perhaps in /etc/letsencrypt/cli.ini?


#3

Contents are:
webroot-path = /data/test/www

So, no, didn’t intentionally disable it.

Should I make the authenticator webroot for the other certificates?


#4

Switching the authenticator to webroot should work, but it might be a bit complicated since you’ve explicitly set a webroot in cli.ini for some reason, so unless all your domains use the same webroot, you’ll have to remove that and set the webroot for each site in its own renewal configuration instead.

It would probably be better to get certbot-auto to upgrade itself, if you can, though I’m not sure what else to suggest as that’s supposed to happen automatically :frowning:


#5

Maybe certbot-auto IS upgraded, but there’s some pref_challs set:

grep -Ri pref_challs /etc/letsencrypt/renewal/
certbot-auto --version

#6

I swapped cfz.com.au.conf to webroot and did a dry run and it worked. These are all virtual hosts of the same server, so perhaps that is OK?

The grep found nothing…


#7

Grep it again now after it worked.


#8

Changed all the confs to use webroot and grep still shows nothing, but:

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/macquarierealestate.com/fullchain.pem (success)
/etc/letsencrypt/live/swoose.com.au/fullchain.pem (success)
/etc/letsencrypt/live/cfz.com.au/fullchain.pem (success)
/etc/letsencrypt/live/swoose.net/fullchain.pem (success)

So I assume that it wanted webroot as an authenticator…?


#9

Should I remove the entry in /etc/letsencrypt/cli.ini?

[EDIT]
Removed the entry and then authentication failed with:
Attempting to renew cert from /etc/letsencrypt/renewal/cfz.com.au.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for cfz.com.au:
Choices: [‘Enter a new webroot’]

(You can set this with the --webroot-path flag). Skipping.

Even though there is a webroot_path = /data/test/www in the conf. So I have put it back in the cli.ini.


#10

Webroot is one way to get things to work (workaround).

You shouldn’t need to touch the cli.ini file.


#11

That doesn’t look like a recent version of Certbot. Those two messages got downgraded to a lower log level or removed like last year…

/etc/letsencrypt/renewal/ configuration files using the webroot plugin have a whole [[webroot_map]] section. I don’t think they use webroot_path at all.
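
Posts #4 and #11 describe the fix the thread converges on: make each renewal configuration use the webroot authenticator with its own [[webroot_map]] rather than relying on a global webroot-path in cli.ini, and make sure no conf still pins a challenge type. The script below is an added example, not code from this thread or from the Certbot project. It audits a renewal directory for the authenticator and pref_challs each certificate renews with, and rewrites one conf to webroot. The sample conf files it builds are constructed for illustration; the domains, account id and paths in them (example.com, example.net, /var/www/html) are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Certbot project): audit the
# renewal confs under /etc/letsencrypt/renewal for the authenticator and
# challenge preference each certificate renews with, and rewrite one conf
# to the webroot authenticator with an explicit [[webroot_map]].

# Print the value of KEY from the [renewalparams] section of FILE
# (empty output if the key is absent). Usage: renewal_param FILE KEY
renewal_param() {
    awk -v key="$2" '
        /^\[renewalparams\]/ { in_rp = 1; next }
        /^\[/                { in_rp = 0 }   # any other section (incl. [[webroot_map]]) ends it
        in_rp && index($0, key " = ") == 1 { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

# One line per conf in DIR: cert name, authenticator, pref_challs.
# A conf that still says authenticator = nginx or pins pref_challs to
# tls-sni-01 is one that a modern certbot cannot satisfy the CA with.
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        auth=$(renewal_param "$conf" authenticator)
        challs=$(renewal_param "$conf" pref_challs)
        printf '%s authenticator=%s pref_challs=%s\n' \
            "$(basename "$conf" .conf)" "${auth:-none}" "${challs:-none}"
    done
}

# Rewrite FILE in place to renew via webroot: authenticator = webroot, any
# pref_challs pin dropped, and a fresh [[webroot_map]] mapping every DOMAIN
# to WEBROOT. The original is kept as FILE.bak.
# Usage: convert_to_webroot FILE WEBROOT DOMAIN...
convert_to_webroot() {
    file=$1; webroot=$2; shift 2
    cp "$file" "$file.bak"
    awk '
        /^\[\[webroot_map\]\]/ { skip = 1; next }       # drop the old map and its entries
        /^\[/ && !/^\[\[/      { skip = 0 }             # a top-level section ends the map
        skip                   { next }
        /^authenticator = /    { print "authenticator = webroot"; seen = 1; next }
        /^pref_challs = /      { next }                 # unpinned: certbot may offer http-01
        { print }
        END { if (!seen) print "authenticator = webroot" }
    ' "$file.bak" > "$file"
    printf '[[webroot_map]]\n' >> "$file"
    for dom in "$@"; do printf '%s = %s\n' "$dom" "$webroot" >> "$file"; done
}

# Constructed sample renewal directory (assumed domains and paths) so the
# script can be exercised without touching /etc/letsencrypt.
make_sample_dir() {
    dir=$(mktemp -d)
    cat > "$dir/example.com.conf" <<'EOF'
version = 0.30.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = tls-sni-01,
account = 0123456789abcdef
EOF
    cat > "$dir/example.net.conf" <<'EOF'
version = 0.30.0
archive_dir = /etc/letsencrypt/archive/example.net

[renewalparams]
authenticator = webroot
installer = None
account = 0123456789abcdef
[[webroot_map]]
example.net = /var/www/html
EOF
    printf '%s\n' "$dir"
}

case "${1:-}" in
    audit) audit_renewal_dir "${2:-/etc/letsencrypt/renewal}" ;;
    demo)  sample=$(make_sample_dir)
           audit_renewal_dir "$sample"
           convert_to_webroot "$sample/example.com.conf" /var/www/html example.com www.example.com
           audit_renewal_dir "$sample"; cat "$sample/example.com.conf"; rm -rf "$sample" ;;
esac
```

Run `sh audit.sh demo` to see the constructed confs before and after conversion, or `sudo sh audit.sh audit` against the real directory. Hand-editing is the workaround the thread used; the cleaner route is to let Certbot rewrite the conf itself with `certbot certonly --webroot -w /data/test/www -d cfz.com.au -d www.cfz.com.au --cert-name cfz.com.au`, then confirm with `certbot renew --dry-run`. Either way, check that the binary cron runs (here /etc/letsencrypt/certbot-auto) is the same one you version-checked, since a stale second install on PATH behaves differently.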


#12

So, how do I update it to the latest version, when I check packages I don’t get an option to update certbot…


#13

certbot-auto is supposed to upgrade itself every time you run it, unless you pass certain options. It’s mysterious that it’s out-of-date at all.

What does sudo /etc/letsencrypt/certbot-auto --version show?


#14
/etc/letsencrypt/certbot-auto --version
certbot 0.30.0

#15

Did you run a different Certbot installation for the dry run in your first post?


#16

I don’t think so…

sudo certbot renew --dry-run
works

/etc/letsencrypt/certbot-auto --version
works

certbot-auto --version
sh: 1: certbot-auto: not found
…clearly doesn’t


#17

What does “sudo certbot --version” output?


#18

sudo certbot --version
certbot 0.10.2


#19

So there are two versions of Certbot installed, and one of them is quite old.

What OS (including version) is this?

What does “sudo which certbot” show? How was it installed?


#20

sudo which certbot
/usr/bin/certbot

Short answer is I have no idea how 2 versions are installed, I thought that there was only one…

RaspberryPi Raspbian Linux 9, Linux 4.14.79-v7+ on armv7l