Failed to renew certificate: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Dear community,

My domain is: suslikov.ru

I ran this command: certbot renew --debug --cert-name suslikov.ru

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/suslikov.ru.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Running pre-hook command: systemctl stop nginx
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (suslikov.ru) from /etc/letsencrypt/renewal/suslikov.ru.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/suslikov.ru/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/suslikov.ru/fullchain.pem (failure)


Running post-hook command: systemctl start nginx
Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in
load_entry_point('certbot==1.5.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1255, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 473, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
Please see the logfiles in /var/log/letsencrypt for more details.

Can you please suggest?

You cannot issue or renew wildcard certificates using the --nginx authenticator. The nginx authenticator only supports the HTTP challenge.

For any certificate which includes wildcard domains, you must use the DNS challenge (https://letsencrypt.org/docs/challenge-types/).

If you do not really need a wildcard, consider just listing each of your domains, as it will make your life much simpler.

Otherwise, you will need to find a way to use the DNS challenge. Certbot does not support reg.ru, so it does not support automatically renewing certificates with wildcard domains that have their DNS hosted with reg.ru. You would have to do it manually, i.e.

certbot renew --manual --preferred-challenges dns

There are other ACME clients available that may be able to support wildcards and automated renewal workflow with reg.ru. acme.sh is one: https://github.com/acmesh-official/acme.sh/wiki/dnsapi#81-use-regru-api

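As an added example (not from the original thread and not certbot's own code), here is a small Python pre-flight check that reads the authenticator out of a certbot renewal config and flags the mismatch described above, a wildcard name paired with an HTTP-01-only plugin, before "certbot renew" is attempted. SAMPLE_CONF is a constructed file modelled on /etc/letsencrypt/renewal/<name>.conf; the certificate's SAN list is passed in as an assumption (in practice you would take it from "certbot certificates" or the cert itself), and the pref_challs key name used for the manual plugin is an assumption.

```python
import configparser

# Certbot authenticator plugins that can only answer the HTTP-01 challenge.
# Wildcard names are only issuable via DNS-01, so none of these can renew a
# certificate that contains a "*.example.com" style name.
HTTP_ONLY_AUTHENTICATORS = {"nginx", "apache", "webroot", "standalone"}

# Constructed sample of /etc/letsencrypt/renewal/<name>.conf, modelled on the
# layout certbot writes: top-level paths, then a [renewalparams] section.
SAMPLE_CONF = """\
version = 1.5.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
pre_hook = systemctl stop nginx
post_hook = systemctl start nginx
"""


def parse_renewal_params(conf_text):
    """Return the [renewalparams] section of a renewal file as a plain dict.

    configparser rejects keys that appear before the first section header,
    so the top-level path lines are wrapped in a throwaway section first.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep keys and values case-sensitive (paths, hooks)
    parser.read_string("[toplevel]\n" + conf_text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])


def wildcard_names(domains):
    """The names in a SAN list that the CA will only validate with DNS-01."""
    return [d for d in domains if d.startswith("*.")]


def check_renewal(conf_text, domains):
    """Decide whether `certbot renew` can succeed for this config.

    `domains` is the certificate's SAN list (assumed as input here).
    Returns (ok, explanation).
    """
    params = parse_renewal_params(conf_text)
    authenticator = params.get("authenticator", "<unset>")
    wild = wildcard_names(domains)
    if not wild:
        return True, f"no wildcard names; {authenticator} (HTTP-01) can renew this"
    if authenticator in HTTP_ONLY_AUTHENTICATORS:
        return False, (f"{', '.join(wild)} need DNS-01 but authenticator "
                       f"'{authenticator}' only does HTTP-01; switch to a dns-* "
                       f"plugin or drop the wildcard from the certificate")
    # The manual plugin can answer either challenge; certbot records the
    # chosen one under pref_challs (key name assumed) when
    # --preferred-challenges was given.
    if authenticator == "manual" and "dns" not in params.get("pref_challs", ""):
        return False, "manual authenticator without a DNS-01 preference cannot renew wildcards"
    return True, f"{authenticator} can answer DNS-01 for {', '.join(wild)}"


if __name__ == "__main__":
    for sans in (["example.com", "*.example.com"], ["example.com"]):
        ok, why = check_renewal(SAMPLE_CONF, sans)
        print("OK  " if ok else "FAIL", sans, "->", why)
```

Running the check against the sample config reports FAIL for the SAN list that includes *.example.com and OK once the wildcard is dropped, which is exactly the change that resolved the thread above.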

Thank you for your quick reply!
Yes, I’ve removed the wildcard from the cert settings and everything went fine.

P.S. I wish the command line tool could make it more obvious by putting up a warning about wildcard domains and that they can be renewed only via the DNS challenge; this would have saved me a lot of time discovering the problem.

Yes, I suppose this text is pretty inscrutable:

Just to clarify how you ended up in this situation ... did you originally issue this wildcard certificate using --manual and then try to change to the HTTP challenge later?

I’ve run the command: certbot certonly --cert-name suslikov.ru -d suslikov.ru to remove wildcard URLs.
It updated the settings and issued a new certificate.
