Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Hello, I have changed the path in the cron, but I do not understand what is the “test” :

root test -x /usr/local/bin/certbot-auto -a ! -d /run/systemd/system && perl -e ‘sleep int(rand(3600))’ && certbot-auto -q renew

So when I run the cron I have errors

Hi @1formanet

please share the output. And remove the -q option, that's "silent", so errors aren't visible.

1 Like
root is not part of the command, it's just the user running the command
-x /usr/local/bin/certbot-auto ==> test if certbot-auto is executable
-a ==> operator AND
- ! -d /run/systemd/system ==> test if systemd is managing the computer

so: the following is executed if certbot is executable and there is no systemd.
Systemd can be used with certbot install procedure to setup a systemd timer that is running certbot instead of cron. If you have uninstalled system certbot, you have to check that the systemd timer has been removed by running

systemctl list-timers

if there is a timer active, it will try to run the old certbot and your crontab will not run.
I guess that is not happening since your cron has errors (if it did not run it would not display errors I guess). Remove the -a ! -d /run/systemd/system anyway.
Something troubling is that you are testing for existence of certbot-auto at a specific path but you are not using it to launch it.
If you add the path for launching certbot-auto, remove the -q option as said by @JuergenAuer

1 Like

Oh great informations, @gpatel-fr and @JuergenAuer I was lost.

So I go to check paths, timers and remove q, and say you the final result

So I came back to my cron :slight_smile:


0 */12 * * * root test -x /usr/local/bin/certbot-auto -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot-auto -q renew

First off all I have verified the systemd-timer, and yes it is still available :slight_smile:

NEXT                           LEFT          LAST                           PASSED       UNIT                         ACTIVATES
jeu. 2019-06-20 16:05:01 CEST  1h 39min left mer. 2019-06-19 16:05:01 CEST  22h ago      systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
ven. 2019-06-21 00:00:00 CEST  9h left       jeu. 2019-06-20 12:00:01 CEST  2h 25min ago certbot.timer                certbot.service

2 timers listed.

? So does that mean that systemd-timer is used only for cerbot, and I can remove it without problem for others jobs ?

I have removed -q, and I have the same output

Starting new HTTPS connection (1):
Attempting to parse the version 0.35.0 renewal configuration file found at /etc/letsencrypt/renewal/ with version 0.10.2 of Certbot. This might not work.
Attempting to parse the version 0.35.0 renewal configuration file found at /etc/letsencrypt/renewal/ with version 0.10.2 of Certbot. This might not work.


That means that you have still 2 different versions of certbot and you are creating certificates with the most recent version and trying to renew with the old (very old !). If you prefer to use certbot-auto that’s your call but remove the certbot installed from packages in this case.
It should remove the crontab entry and the systemd timer. Do NOT apt purge !!!.
Then create a crontab entry yourself and it can be simply
/path/to/certbot/certbot-auto renew

In case you wonder what is /path/to/certbot that’s the place where you did copy certbot-auto

if you want to be nice with letsencrypt just recopy the perl stuff to randomize the process start. You can do that when you are sure renewal works.

Hello @gpatel-fr , thanks for your reply.
The problem is that

root@sd-118150:~# apt-get remove cerbot
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
E: Impossible de trouver le paquet cerbot

I found

certbcertbot/now 0.10.2-1~bpo8+1 all [installé, local]
ot/now 0.10.2-1~bpo8+1 all [installé, local]

dpkg --get-selections | grep certbot

I never used local installation or remove. can I just delete the directory ?

I just don’t understand what you can mean by that. Don’t delete anything unless you know what you are doing.

just run
dpkg --get-selections | grep certbot
and report the results since your previous post about ‘I found’ is followed by something I don’t understand either.

Hello, I run the command
dpkg --get-selections | grep certbot

-> Empty answer

When I run apt-list --installed, I have all my packages, and one is

certbot/now 0.10.2-1~bpo8+1 all [installé, local]

I guess that the ‘installed local’ stuff means that it was installed from a .deb file. The man page is not exactly talkative about it
Don’t mean that it can just removed like that by deleting the files.
Seems strange that you can’t remove it with sudo apt remove, though.

What gives
apt-cache show certbot
apt policy certbot

If it was installed from a .deb file, you could also remove it using dpkg.

is not the theory that if you install with apt from a .deb file, it installs dependencies ? if it’s removed with dpkg, will the dependencies not be broken ?

So result of first command

root@sd-118150:~# apt-cache show certbot
Package: certbot
Status: install ok installed
Priority: extra
Section: web
Installed-Size: 79
Maintainer: Debian Let's Encrypt <>
Architecture: all
Source: python-certbot
Version: 0.10.2-1~bpo8+1
Replaces: letsencrypt
Provides: letsencrypt
Depends: python-certbot (= 0.10.2-1~bpo8+1), init-system-helpers (>= 1.18~), pyt                                                                                                                                                                                                                                             hon, python:any (>= 2.7~)
Suggests: python-certbot-apache, python-certbot-doc
Breaks: letsencrypt (<= 0.6.0)
 /etc/cron.d/certbot 88d0bd291b44222e55a073ae3e4cdba3
Description: automatically configure HTTPS using Let's Encrypt
 The objective of Certbot, Let's Encrypt, and the ACME (Automated
 Certificate Management Environment) protocol is to make it possible
 to set up an HTTPS server and have it automatically obtain a
 browser-trusted certificate, without any human intervention. This is
 accomplished by running a certificate management agent on the web
 This agent is used to:
   - Automatically prove to the Let's Encrypt CA that you control the website
   - Obtain a browser-trusted certificate and set it up on your web server
   - Keep track of when your certificate is going to expire, and renew it
   - Help you revoke the certificate if that ever becomes necessary.
 This package contains the main application, including the standalone
 and the manual authenticators.
Description-md5: deb7e404ce1b150b59379c3f9a73ac1a

2nd one

root@sd-118150:~# apt policy certbot
E: L'opération policy n'est pas valable


oh well, it was probably apt-cache policy certbot

I’m beginning to think that the only way is indeed to dpkg -r certbot and python-certbot if apt refuse to do it.
All this stuff is a bit old since certbot is not packaged for jessie since a looong time (2 years?). Also possibly your local apt database is not in a good state since jessie-backports is now dead.

Hello @gpatel-fr, thanks for your reply.
So I will try dpkg -r certbot and python-certbot. I willbe in holidays a few days, so I prefer to test it when I come back. I will let you know.
An other confusion for me is that the cron name is "cerbot ", so cerbot+space. Could it be the explanation ? … Have a nice day

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.