The documentation does have a table of which plugins support which challenge types.
Now that TLS-SNI-01 is being phased out, it’s actually pretty simple.
There is documentation of the command line options organized by plugin – you can use “
certbot -h all” to get everything, or get the options for only a specific plugin with e.g. “
certbot -h apache”. The same help information is also included further down the User Guide page.
Edit: I mistook the error message you quoted for a different one, “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA”.
I think your error message means that you specified a
--preferred-challenges option and plugin that aren’t compatible with each other.
The below part of this post isn’t really relevant, but I’m preserving it for posterity, or something.
The “None of the preferred challenges are supported by the selected plugin. Skipping.” error usually happens for one of two reasons:
Let’s Encrypt requires DNS-01 validation for wildcards. If you try to include a wildcard using one of the web server plugins, you’ll get that error.
In that case, you need to switch to a DNS plugin, or list out all of your subdomains without using any wildcards.
In older versions of Certbot, the Apache and Nginx plugins only support TLS-SNI-01 validation. In newer versions, they support both HTTP-01 and TLS-SNI-01. When Let’s Encrypt disables TLS-SNI-01 and you try to use a plugin that supports nothing else, you get that error.
In that case, the best thing to do is to upgrade Certbot if you can, but the other option is to switch to a different plugin. (Or a different ACME client!)