Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Hello, I am new to Let’s Encrypt, and the cron in charge of certbot gives an error.
I think my certbot package is maybe out of date, maybe update problems with backports.
Anyway, that is my situation :

My domain is:
www.conservatoirevegetal.com

I ran this command:

root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

It produced this output:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

My web server is (include version):

Apache 2.4.10

The operating system my web server runs on is (include version):

Debian Jessie 8.11

My hosting provider, if applicable, is:

console.online.net

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I don’t know how to find that …

you can find your certbot version by issuing the command
certbot --version
as stated in the help template :slight_smile:

I guess you are hit by the tls-sni deprecation

I think that in this case you have to issue a new request to letsencrypt and certbot should switch to http-01. If you don’t know how to do that you could post your /etc/letsencrypt/renewal/www.conservatoirevegetal.com.conf and it could be possible to figure out the correct command line from there.
Note: I don’t know if the account is considered confidential data but it’s all right to remove it before posting the file, it’s not used to request a new certificate.
Also it could be a great occasion to add at least the plain URL (not www) on your certificate so that accessing by https://conservatoirevegetal.com works as well - the guy who did setup this for you was not a fervent partisan of excessive effort that’s clear :slight_smile:

Hello Gpatel-fr,

Thanks, I found out and yes it was the switch to http-01 … because of certbot update (not working on jessie backports).
So my steps were :slight_smile:

Everything is ok.
I now need to understand the cron, and modify it.
Thanks for the advice about www.

certbot-auto works just as well with cron, you just have to take care of the path (as always with cron). Just verified: in my cron I set the full path. Something like

0 7 * * * /path/to/certbot-auto renew --noninteractive

I admit that I did not care to add the random sleep - yes I should have done so.

Hello, I have changed the path in the cron, but I do not understand what is the “test” :

root test -x /usr/local/bin/certbot-auto -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot-auto -q renew

So when I run the cron I have errors

Hi @1formanet

please share the output. And remove the -q option, that’s “silent”, so errors aren’t visible.

root is not part of the command, it's just the user running the command
-x /usr/local/bin/certbot-auto ==> test if certbot-auto is executable
-a ==> operator AND
! -d /run/systemd/system ==> test if systemd is managing the computer

so: the following is executed if certbot is executable and there is no systemd.
Systemd can be used with certbot install procedure to setup a systemd timer that is running certbot instead of cron. If you have uninstalled system certbot, you have to check that the systemd timer has been removed by running

systemctl list-timers

if there is a timer active, it will try to run the old certbot and your crontab will not run.
I guess that is not happening since your cron has errors (if it did not run it would not display errors I guess). Remove the -a ! -d /run/systemd/system anyway.
Something troubling is that you are testing for existence of certbot-auto at a specific path but you are not using it to launch it.
If you add the path for launching certbot-auto, remove the -q option as said by @JuergenAuer

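The guard explained in the reply above, written out as a small script (an added example, not part of the thread; the function names `renew_decision` and `lint_cron_command` and the temp-dir paths are made up for illustration). It evaluates the same `test -x ... -a ! -d ...` condition and checks a cron command for the points the replies raise.

```shell
# Added example, not from the thread. Function names are hypothetical.

# renew_decision BIN [SYSTEMD_DIR]
# Same logic as: test -x BIN -a ! -d /run/systemd/system
# (SYSTEMD_DIR is a parameter only so the guard can be tried on constructed paths.)
renew_decision() {
    bin=$1
    systemd_dir=${2:-/run/systemd/system}
    if [ ! -x "$bin" ]; then
        echo "skip: $bin is not executable"
    elif [ -d "$systemd_dir" ]; then
        echo "skip: systemd detected, a timer is expected to handle renewal"
    else
        echo "run: $bin renew"
    fi
}

# lint_cron_command CMD
# Reports the points raised in the replies: the guard tests one path while a
# different name is launched, -q hides errors, and the systemd guard is present.
lint_cron_command() {
    cmd=$1
    findings=""
    case $cmd in
        *"test -x "*)
            rest=${cmd#*"test -x "}      # text after the first "test -x "
            tested=${rest%% *}           # path checked by the guard
            last=${cmd##*"&& "}          # last command in the && chain
            launched=${last%% *}         # what actually gets executed
            [ "$tested" = "$launched" ] || findings="${findings}path-mismatch "
            ;;
    esac
    case " $cmd " in *" -q "*) findings="${findings}quiet " ;; esac
    case $cmd in
        *"! -d /run/systemd/system"*) findings="${findings}systemd-guard " ;;
    esac
    findings=${findings% }
    echo "${findings:-ok}"
}

# Constructed demo: a fake executable and a fake systemd directory in a temp dir.
tmp=$(mktemp -d)
: > "$tmp/certbot-auto"
chmod +x "$tmp/certbot-auto"
mkdir "$tmp/systemd"
renew_decision "$tmp/certbot-auto" "$tmp/absent"
renew_decision "$tmp/certbot-auto" "$tmp/systemd"
lint_cron_command "test -x /usr/local/bin/certbot-auto -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot-auto -q renew"
rm -rf "$tmp"
```
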

Oh, great information, @gpatel-fr and @JuergenAuer, I was lost.

So I will check the paths and timers and remove -q, and tell you the final result.

Hello,
So I came back to my cron :slight_smile:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/local/bin/certbot-auto -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot-auto -q renew

First of all I have verified the systemd-timer, and yes it is still available :slight_smile:

NEXT                           LEFT          LAST                           PASSED       UNIT                         ACTIVATES
jeu. 2019-06-20 16:05:01 CEST  1h 39min left mer. 2019-06-19 16:05:01 CEST  22h ago      systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
ven. 2019-06-21 00:00:00 CEST  9h left       jeu. 2019-06-20 12:00:01 CEST  2h 25min ago certbot.timer                certbot.service

2 timers listed.

So does that mean that systemd-timer is used only for certbot, and I can remove it without problems for other jobs?

I have removed -q, and I have the same output

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Attempting to parse the version 0.35.0 renewal configuration file found at /etc/letsencrypt/renewal/admin.conservatoirevegetal.com.conf with version 0.10.2 of Certbot. This might not work.
Attempting to parse the version 0.35.0 renewal configuration file found at /etc/letsencrypt/renewal/pma.conservatoirevegetal.com.conf with version 0.10.2 of Certbot. This might not work.

Thanks :upside_down_face:

That means that you have still 2 different versions of certbot and you are creating certificates with the most recent version and trying to renew with the old (very old !). If you prefer to use certbot-auto that’s your call but remove the certbot installed from packages in this case.
It should remove the crontab entry and the systemd timer. Do NOT apt purge !!!.
Then create a crontab entry yourself and it can be simply
/path/to/certbot/certbot-auto renew

In case you wonder what is /path/to/certbot that’s the place where you did copy certbot-auto

if you want to be nice with letsencrypt just recopy the perl stuff to randomize the process start. You can do that when you are sure renewal works.

Hello @gpatel-fr , thanks for your reply.
The problem is that

root@sd-118150:~# apt-get remove cerbot
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
E: Impossible de trouver le paquet cerbot

I found

certbcertbot/now 0.10.2-1~bpo8+1 all [installé, local]
ot/now 0.10.2-1~bpo8+1 all [installé, local]

dpkg --get-selections | grep certbot

I never used local installation or removal. Can I just delete the directory?

I just don’t understand what you can mean by that. Don’t delete anything unless you know what you are doing.

just run
dpkg --get-selections | grep certbot
and report the results since your previous post about ‘I found’ is followed by something I don’t understand either.

Hello, I run the command
dpkg --get-selections | grep certbot

-> Empty answer

When I run apt-list --installed, I have all my packages, and one is

certbot/now 0.10.2-1~bpo8+1 all [installé, local]

I guess that the ‘installed local’ stuff means that it was installed from a .deb file. The man page is not exactly talkative about it
Doesn’t mean that it can just be removed like that by deleting the files.
Seems strange that you can’t remove it with sudo apt remove, though.

What gives
apt-cache show certbot
and
apt policy certbot

If it was installed from a .deb file, you could also remove it using dpkg.

is not the theory that if you install with apt from a .deb file, it installs dependencies ? if it’s removed with dpkg, will the dependencies not be broken ?