root@ns377095:/etc/apache2/sites-available# certbot --apache -d wodomus.com,www.wodomus.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
0 to upgrade, 34 to newly install, 0 to remove and 3 not to upgrade.
Need to get 56.6 MB of archives.
After this operation, 148 MB of additional disk space will be used.
Do you want to continue? [Y/n]
You don’t need to run certbot-auto, or at least I don’t see any evidence of that. However, if you did, that’s the normal bootstrap install process, yes.
You need to follow the parts of that post instructing you to use an alternate authenticator plugin. Apache, in most available versions of Certbot, still uses the defunct tls-sni-01 challenge type. You should use -i apache -a webroot --webroot-path /path/to/html/root
For the new certificate I have just created I don’t get an error but for other certificates I have on the same server I get this error when I run: certbot renew --dry-run
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (DOMAIN.com) from /etc/letsencrypt/renewal/DOMAIN.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.
I replaced my domains with DOMAIN, as it is the same error message for all of them.
@fernandoch, as described in the other thread, Let’s Encrypt has discontinued support for TLS-SNI-01 authentication (which was an authentication method that used port 443 to prove your control of a domain name). There is an ongoing process to update Certbot and other software to better support the other authentication methods.
In this case I think you’re encountering a weird case which a few other people have encountered, which is that the means by which Let’s Encrypt implemented the change has made --dry-run much less realistic than before. This is because the main server still exceptionally allowed people to use the TLS-SNI-01 method for renewals only, but the staging (test) server used by --dry-run typically does not allow it at all. Therefore, --dry-run tests can show failures related to TLS-SNI-01 that do not necessarily correspond to failures when performing the actual renewal. It may be valid to run the ordinary certbot renew, because an exception has been made that can allow TLS-SNI-01 in this case.
Seeing this error also commonly means that your Certbot hasn’t yet been updated to a version that will refrain from trying to use the TLS-SNI-01 method. Such a version was released last week, hence my question to @joohoi about whether it’s available in the PPA yet.
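An added example, not part of the thread and not Certbot's own code: a small audit that reads renewal configuration files like the /etc/letsencrypt/renewal/DOMAIN.com.conf mentioned above and reports which lineages are likely to hit this error. It assumes the `[renewalparams]` keys `authenticator` and `pref_challs` as Certbot writes them; the function names and sample files are constructed for illustration.

```python
import configparser

# Per the thread: the apache authenticator in most Certbot versions still used tls-sni-01.
LEGACY_AUTHENTICATORS = {"apache"}

def load_renewal_conf(text):
    """Renewal files have bare keys before [renewalparams]; add a dummy section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string("[top]\n" + text)
    return cfg

def classify(text):
    """Return a verdict for one renewal file's contents."""
    cfg = load_renewal_conf(text)
    if not cfg.has_section("renewalparams"):
        return "no-renewalparams"
    params = cfg["renewalparams"]
    # pref_challs is a comma-separated list, possibly with a trailing comma.
    challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if "tls-sni-01" in challs:
        return "explicit-tls-sni"       # challenge type pinned in the config
    if params.get("authenticator", "").strip() in LEGACY_AUTHENTICATORS:
        return "legacy-authenticator"   # needs an updated Certbot or -a webroot
    return "ok"

def audit(confs):
    """Map file name -> verdict for a dict of {name: file contents}."""
    return {name: classify(text) for name, text in sorted(confs.items())}

# Constructed sample renewal files (assumed layout, not taken from the thread).
SAMPLES = {
    "old-apache.conf": """\
version = 0.28.0
[renewalparams]
authenticator = apache
installer = apache
""",
    "pinned.conf": """\
[renewalparams]
authenticator = standalone
pref_challs = tls-sni-01,
""",
    "webroot.conf": """\
[renewalparams]
authenticator = webroot
installer = apache
[[webroot_map]]
b.example = /var/www/html
""",
}
```

To check a real host, build the dictionary from the files in /etc/letsencrypt/renewal/ and pass it to `audit`.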