Error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA


#1

My server is:
Apache 2.4 / debian 8

/# certbot -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot version: **0.10.2**

when running certbot command

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):23
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

I have 10 websites and this happens to >8 websites.


#2

Hi @yarek,

Please see


#3

Thanks !
Any idea on how to upgrade it ?
It looks like I still have version 0.10 !


#4

As that thread describes, you could use certbot-auto instead of your operating system’s packaged version of Certbot, or you could switch your domains over to using the --webroot method (including -a webroot -i apache if you still want Certbot to install the certificates after obtaining them).


#5

Thanks again

I read and re-read that post.
I don’t see any instructions to install certbot-auto on apache there.

BTW, what is the difference between certbot and certbot-auto ?


#6

If you follow the link in the sentence

In the meantime, you can install Certbot through certbot-auto which will automatically install the latest version.

it describes how you can install certbot-auto on your system.

Running Certbot as certbot means using the version packaged by your operating system (distribution). This version is not necessarily the most recent version.

Running Certbot as certbot-auto uses a script created by the Certbot developers to run the most currently released version. It is an autoupdater that maintains a copy of Certbot on your system outside of the operating system packages. In that way, you are always running the most recent version whenever you run a certbot-auto command.

Both forms otherwise take the same options and use the same syntax (e.g. certbot-auto renew does the same thing as certbot renew, except that it may use a more recent release of Certbot).

The --apache method (or -a apache or telling Certbot via a menu to use its Apache configurator) is now broken on versions of Certbot prior to 0.21 because it used the TLS-SNI-01 method, which has been completely disabled on the CA side for domains that didn’t already have a Let’s Encrypt certificate. Before Certbot 0.21, TLS-SNI-01 was the only authentication method supported by --apache or -a apache. If you have a pre-0.21 Certbot version, you can still instead use --webroot or -a webroot to obtain certificates via a different method.

In 0.21 and later, --apache works again because the TLS-SNI-01 implementation has now been supplemented by a new HTTP-01 implementation that is still accepted by the CA.

In both cases, there must not be a firewall rule preventing inbound connections on port 80, which is required by the HTTP-01 authentication method.


#7

GREAT !
Thanks for your help
100% working now !


#8

Great!

You might want to double-check how automated renewal is set up on your system. If you switched from using certbot to certbot-auto, you should make sure that autorenewal scripts running from cron or systemd are also correctly calling certbot-auto (because certbot renew might still be broken, so autorenewal attempts that use certbot renew may still fail to renew your certificates).


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.