Create new certificate error


#1

Hello,

This command used to work, but now I get an error

root@ns377095:/etc/apache2/sites-available# certbot --apache -d wodomus.com,www.wodomus.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Is there a new way to do it?

Thank you


#2

Yes. See this post:


#3

Yes, saw that already thanks but not clear to me what to do…


#4

I need to install certbot-auto and run this?

./certbot-auto --help


#5

Do I have to run ./certbot-auto

It wants to install all this

0 to upgrade, 34 to newly install, 0 to remove and 3 not to upgrade.
Need to get 56.6 MB of archives.
After this operation, 148 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Is that correct?


#6

You don’t need to run certbot-auto, or at least I don’t see any evidence of that. However, if you did, that’s the normal bootstrap install process, yes.

You need to follow the parts of that post instructing you to use an alternate authenticator plugin. Apache, in most available versions of Certbot, still uses the defunct tls-sni-01 challenge type. You should use -i apache -a webroot --webroot-path /path/to/html/root


#7

It worked, thanks.

But now the renew does not seem to work when using this command

certbot renew --dry-run

How to make the renew work?


#8

Doesn’t work? What happens?


#9

For the new certificate I have just created I don’t get an error but for other certificates I have on the same server I get this error when I run: certbot renew --dry-run

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (DOMAIN.com) from /etc/letsencrypt/renewal/DOMAIN.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.

I replaced my domains with DOMAIN, as it is the same error message for all of them.


#10

When you run “certbot renew --dry-run”, is “certbot” certbot-auto, or the older Certbot install?


#11

Sorry but I don’t get your question.


#12

Are you using certbot-auto downloaded from EFF’s web site, or certbot installed from an operating system package?


#13

I use certbot on Ubuntu and used this command a couple of months ago

add-apt-repository ppa:certbot/certbot

How to make sure the renew will work?


#14

@joohoi, do you know if the new release with HTTP-01 support in the Apache module has reached the PPA yet?


#15

@fernandoch, as described in the other thread, Let’s Encrypt has discontinued support for TLS-SNI-01 authentication (which was an authentication method that used port 443 to prove your control of a domain name). There is an ongoing process to update Certbot and other software to better support the other authentication methods.

In this case I think you’re encountering a weird case which a few other people have encountered, which is that the means by which Let’s Encrypt implemented the change has made --dry-run much less realistic than before. This is because the main server still exceptionally allowed people to use the TLS-SNI-01 method for renewals only, but the staging (test) server used by --dry-run typically does not allow it at all. Therefore, --dry-run tests can show failures related to TLS-SNI-01 that do not necessarily correspond to failures when performing the actual renewal. It may be valid to run the ordinary certbot renew, because an exception has been made that can allow TLS-SNI-01 in this case.

Seeing this error also commonly means that your Certbot hasn’t yet been updated to a version that will refrain from trying to use the TLS-SNI-01 method. Such a version was released last week, hence my question to @joohoi about whether it’s available in the PPA yet.


#16

Thanks.

Do you know how to update the PPA version?


#17

I don’t think the Ubuntu PPA is yet updated to version 0.21. The issue tracking this exact process can be found in GitHub issue: https://github.com/certbot/certbot/issues/5447
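
Added example, not part of the thread and not Certbot's own code: a shell check that reads the authenticator saved in each /etc/letsencrypt/renewal/*.conf file and flags lineages that still renew through the Apache authenticator on a Certbot older than 0.21, the version discussed above. The function names are hypothetical and the two renewal files are constructed samples.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample files are constructed).

# Print the authenticator recorded in the [renewalparams] section of one file.
authenticator_of() {
    awk -F'[ \t]*=[ \t]*' '
        /^\[renewalparams\]/ { inparams = 1; next }
        /^\[/                { inparams = 0 }
        inparams && $1 == "authenticator" { print $2; exit }
    ' "$1"
}

# Succeed when a Certbot version string such as 0.19.0 is older than 0.21.
older_than_0_21() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 0 ] && [ "$minor" -lt 21 ]
}

# List every lineage in DIR with its authenticator and a verdict for VERSION.
audit_renewal_dir() {
    dir=$1
    version=$2
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        auth=$(authenticator_of "$conf")
        if [ "$auth" = "apache" ] && older_than_0_21 "$version"; then
            echo "$name $auth AT-RISK"
        else
            echo "$name ${auth:-unknown} ok"
        fi
    done
}

# Build two constructed renewal files in a temporary directory.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'version = 0.19.0' '[renewalparams]' \
        'authenticator = apache' 'installer = apache' > "$d/old.example.conf"
    printf '%s\n' 'version = 0.19.0' '[renewalparams]' \
        'authenticator = webroot' 'installer = apache' > "$d/new.example.conf"
    echo "$d"
}

sample=$(make_sample_dir)
audit_renewal_dir "$sample" 0.19.0
rm -rf "$sample"
```

On a real host, pass /etc/letsencrypt/renewal and the version reported by certbot --version; lineages marked AT-RISK are the ones to reissue with -a webroot -i apache as described in post #6.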

