Error: "Client with the currently selected authenticator does not support..."

My domain is:
multiple domains

I ran this command:
certbot certonly --apache --preferred-challenges http -d ‘.domain1.com’,domain1.com,’.domain2.com’,domain2.com,’*.domain3.com’,domain3.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version):
Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version):
Debian 10 (Buster)

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site:
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I have serveral (unrelated) domains running as virtual hosts on the same IP address. I want to issue a single multi-domain wildcard certificate for all. But I get above error when I issue the above command.

Help, please?

You’re trying to get a certificate containing a wildcard hostname. Let’s Encrypt currently only supports wildcard certificates through the dns-01 challenge, not any other challenge, including the http challenge you’ve specified.

This is also noted in the FAQ of the Let’s Encrypt documentation: https://letsencrypt.org/docs/faq/

When I specify the dns challenge:

certbot certonly --apache --preferred-challenges dns -d '*.domain1.com',domain1.com,'*.domain2.com',domain2.com,'*.domain3.com',domain3.com

I still get an error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

Hi @Zippy1970

–apache doesn’t support dns validation. Select a working dns authenticator:

Nope! In Certbot jargon, --apache is an authenticator and --preferred-challenges dns is a challenge type. What’s more, the --apache authenticator does not support the dns challenge type at all—there is no compatibility between them.

By policy, Let’s Encrypt requires the DNS challenge method for wildcard certificates, but not for non-wildcard certificates. However, the Apache authenticator in Certbot works by reconfiguring your local Apache server. Since the Apache server doesn’t control or serve DNS records at all, there’s no way that configuring an Apache server could change the DNS records, so there’s no way for Certbot code that works by modifying Apache configurations can complete this challenge method as expected by the certificate authority for wildcard certificates.

1 Like

Ok, I think I’m starting to understand how this works. I need to use one of the DNS plugins in order to get wildcard certificates. All domains are registered at GoDaddy. Am I correct to understand that none of the DNS plugins are for GoDaddy and that I should do manual DNS verification?

Thank you for your patience. :wink:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.