DNS challenge: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Hello,
I am running a manual certbot DNS challenge since a year with zero issues. It asked me to update DNS records and I did it, even if in theory I could automate the process with plugins.

Since a week ago or so, as soon as I launch the command, I am getting:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

I don’t have a web server. I am not using obsolete TLS challenge (lots of similiar questions one year ago were about Certbot abandoning TLS challenge).

I did not change a comma in the command I use to refresh the certificates, but it stopped working.
I tried updating certbot using the PPA but the error still persists.

I am going to attach the log at the end of this post.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
kv.fleurworld.com

I ran this command:
certbot certonly --manual --preferred-challenges dns -d kv.fleurworld.com -d kv01.fleurworld.com -d fleurworld.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

My web server is (include version):
None, this is a server that only runs its own daemons

The operating system my web server runs on is (include version):
Ubuntu Linux 18.04 LTS

My hosting provider, if applicable, is:
Digital Ocean, manually updating records on Cloudflare

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.27.0

There are other entries with other host names but they end successfully, so I am skipping them.

2020-02-03 01:05:56,631:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/2488473085 HTTP/1.1” 200 458
2020-02-03 01:05:56,632:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 03 Feb 2020 01:05:56 GMT
Content-Type: application/json
Content-Length: 458
Connection: keep-alive
Boulder-Requester: 40745988
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0001q9VRhfBESJRFWW_Kvhlcr9rrM30Bwr5WYO2X3x8SIAE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “fleurworld.com”
},
“status”: “valid”,
“expires”: “2020-02-25T22:29:53Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “valid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2488473085/aJTgCg”,
“token”: “eV_D8KuwWWDKHZssq7LhryW5ms6AR3h36PARZAmsb58”,
“validationRecord”: [
{
“hostname”: “fleurworld.com”
}
]
}
]
}
2020-02-03 01:05:56,632:DEBUG:acme.client:Storing nonce: 0001q9VRhfBESJRFWW_Kvhlcr9rrM30Bwr5WYO2X3x8SIAE
2020-02-03 01:05:56,633:INFO:certbot.auth_handler:Performing the following challenges:
2020-02-03 01:05:56,633:CRITICAL:certbot.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
2020-02-03 01:05:56,633:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.27.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1364, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1254, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 115, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 305, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 334, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 370, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 68, in handle_authorizations
self._choose_challenges(aauthzrs)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 110, in _choose_challenges
combinations)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 409, in gen_challenge_path
return _find_smart_path(challbs, preferences, combinations)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 446, in _find_smart_path
_report_no_chall_path(challbs)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 485, in _report_no_chall_path
raise errors.AuthorizationError(msg)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Could you please post a full /var/log/letsencrypt/letsencrypt.log (which triggered this error) somewhere like dpaste.de?

I can’t think of a reason that Certbot would behave this way, at least with the information in your post.

I can post that, but it’s all successful domain certs updates. How would that help you?

In Certbot’s log, sometimes the error is not adjacent to the authorization which caused it. In other words, it goes through each authz, and then presents any errors encountered at the very end, rather than showing an error immediately.

For example, in the partial log you posted, the authorization is already fulfilled, so it couldn’t be the cause of the error. (Well, there’s a chance, but it seems unlikely to me).

Here you go: the link is here.

Thanks. This looks like a Certbot bug to me.

In your order, all 3 authorizations are already fulfilled (because you have completed the requisite challenges “recently enough” on the same Let’s Encrypt account). So in reality, Certbot doesn’t need to do anything - it can in theory issue a certificate without doing any domain validation tasks.

Now, to the bug. Certbot creates a new order, as requested by you, and encounters this authorization, which was previously completed using the HTTP challenge.

At some point last year, Let’s Encrypt’s ACME server, Boulder, started deleting unused challenges, so they no longer appear in the server’s response. (e.g. If you completed an authz using the DNS challenge, then HTTP and ALPN become unused).

So, if we click onto that authorization, we see that only the http challenge is available. Notably, dns is missing, because it was deleted as unused.

I believe that Certbot is freaking out because the dns challenge is missing in that server response, even though the authorization is already complete.

I was able to reproduce this using Certbot 0.27 using this invocation:

# First issue a cert using HTTP, so that we get a valid authorization on our account
certbot certonly -d foo.monkas.xyz -a manual --preferred-challenges http
# Then try force renewing, forcing DNS challenge in Certbot
certbot certonly -d foo.monkas.xyz -a manual --preferred-challenges dns --force-renewal 

What Certbot should be doing is checking that the authorization is already valid, and therefore avoid pointlessly crashing.

I think what you should do is just remove the --preferred-challenges flag from your command for now. It will allow you to renew your certificate.

In the meantime, I’m going to check whether this affects the latest version of Certbot and file a bug for it if so.

Thank you for your time!

I did what you way and now this happens:

Performing the following challenges:
http-01 challenge for kv.fleurworld.com
http-01 challenge for kv01.fleurworld.com
dns-01 challenge for fleurworld.com

Create a file containing just this data:

5bRWVdJiB1KAxB4IbQjxim77GIwyXinZdvtnvVhFrms.jaJiXToCPaddVsagXJBYAe0g_2cFzW6DhQXXGWGXy24

And make it available on your web server at this URL:

http://kv.fleurworld.com/.well-known/acme-challenge/5bRWVdJiB1KAxB4IbQjxim77GIwyXinZdvtnvVhFrms

However, I have no web server installed. How do I work around this?
I think there is some way to use a self hosted web server but I fear making a mess here. It’s a production server.

I ignored 2 requests for web and then it asked me to change the usual TXT DNS entry and I did it.
It worked!

But what happens the next time this stuff expires? It worked so well for over a year and now I have to do this weird procedure every time?

I’m 99% sure this is fixed in the Ubuntu PPA.

A related issue was originally reported by @mnordhoff and fixed in https://github.com/certbot/certbot/pull/6551, which made it in Certbot 0.31.0.

I tried reproducing the bug with the latest version from the PPA, but couldn’t get the error to happen.

# dpkg-query -W certbot
certbot 0.31.0-1+ubuntu18.04.1+certbot+1

Your log reports an earlier version:

2020-02-03 01:05:55,199:DEBUG:certbot.main:certbot version: 0.27.0

Thank you, you really saved my day!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.