/# certbot -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot version: **0.10.2**
When running the certbot command:
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):23
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
I have 10 websites and this happens to >8 websites.
As that thread describes, you could use certbot-auto instead of your operating system’s packaged version of Certbot, or you could switch your domains over to using the --webroot method (including -a webroot -i apache if you still want Certbot to install the certificates after obtaining them).
In the meantime, you can install Certbot through certbot-auto, which will automatically install the latest version.
It describes how you can install certbot-auto on your system.
Running Certbot as certbot means using the version packaged by your operating system (distribution). This version is not necessarily the most recent version.
Running Certbot as certbot-auto uses a script created by the Certbot developers to run the most currently released version. It is an autoupdater that maintains a copy of Certbot on your system outside of the operating system packages. In that way, you are always running the most recent version whenever you run a certbot-auto command.
Both forms otherwise take the same options and use the same syntax (e.g. certbot-auto renew does the same thing as certbot renew, except that it may use a more recent release of Certbot).
The --apache method (or -a apache or telling Certbot via a menu to use its Apache configurator) is now broken on versions of Certbot prior to 0.21 because it used the TLS-SNI-01 method, which has been completely disabled on the CA side for domains that didn't already have a Let's Encrypt certificate. Before Certbot 0.21, TLS-SNI-01 was the only authentication method supported by --apache or -a apache. If you have a pre-0.21 Certbot version, you can still instead use --webroot or -a webroot to obtain certificates via a different method.
In 0.21 and later, --apache works again because the TLS-SNI-01 implementation has now been supplemented by a new HTTP-01 implementation that is still accepted by the CA.
In both cases, there must not be a firewall rule preventing inbound connections on port 80, which is required by the HTTP-01 authentication method.
You might want to double-check how automated renewal is set up on your system. If you switched from using certbot to certbot-auto, you should make sure that autorenewal scripts running from cron or systemd are also correctly calling certbot-auto (because certbot renew might still be broken, so autorenewal attempts that use certbot renew may still fail to renew your certificates).
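The two checks the replies above recommend, written up as an added shell example that is not from this thread or from the Certbot project: it assumes you pass it the text of `certbot --version` (or the verbose log) and of your renewal crontab, and the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from this thread or the Certbot project): offline audit of
# the two points raised above: a Certbot older than 0.21, whose --apache path
# depends on the retired TLS-SNI-01 challenge, and renewal jobs that still run
# the distro "certbot" instead of certbot-auto. Inputs are passed in as text.
# Print the first dotted version number in `certbot --version` output or in a
# verbose log line such as "certbot version: 0.10.2".
certbot_version_from() {
    printf '%s\n' "$1" |
        sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 when the major.minor part of "$1" is below 0.21.
version_lt_0_21() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 0 ] && [ "$minor" -lt 21 ]
}

# Print non-comment job lines that run the packaged "certbot ... renew";
# a "certbot-auto" invocation does not match. Exit 0 if any were found.
legacy_renew_jobs() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -E '(^|[^[:alnum:]_-])certbot[[:space:]]+.*renew'
}

# Run both checks; print findings and return the number of problems found.
audit() {
    problems=0
    ver=$(certbot_version_from "$1")
    if [ -z "$ver" ] || version_lt_0_21 "$ver"; then
        echo "certbot ${ver:-(unknown)}: not confirmed >= 0.21, so --apache cannot validate; use certbot-auto or -a webroot"
        problems=$((problems + 1))
    fi
    if found=$(legacy_renew_jobs "$2"); then
        echo "renewal jobs still run the packaged certbot; point them at certbot-auto renew:"
        echo "$found"
        problems=$((problems + 1))
    fi
    return "$problems"
}
# Constructed samples, not real hosts; the log lines mirror the post above.
SAMPLE_LOG='Root logging level set at 10
certbot version: 0.10.2'
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
0 4 * * * /opt/certbot-auto renew --quiet'
audit "$SAMPLE_LOG" "$SAMPLE_CRON" || echo "$? problem(s) found"
```

On a real host, feed it `"$(certbot --version 2>&1)"` and `"$(crontab -l)"` (or the contents of /etc/cron.d and your systemd timer units) instead of the samples.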