Feature matrix?


Hi guys, thank you for the work you put into the Certbot product, as well as the efforts you spend helping those of us using it!!

I’m trying to transition our current Certbot installation, & I’ve received the following error:

None of the preferred challenges are supported by the selected plugin. Skipping.

I’ll work through that issue (and possibly make a post in a different forum) today, but it gave me an idea - IMHO, it would be really nice if there was a matrix/table available that would (essentially) tell us “OK, you can use this flag with this plugin, but it’s not supported with this other one.”

Given the number of plugins & potential command switches, it seems likely that this wouldn’t be a trivial task - but I think that it could provide definite value for Certbot users.

Thank you again.


The documentation does have a table of which plugins support which challenge types.

Now that TLS-SNI-01 is being phased out, it’s actually pretty simple.

There is documentation of the command line options organized by plugin – you can use “certbot -h all” to get everything, or get the options for only a specific plugin with e.g. “certbot -h apache”. The same help information is also included further down the User Guide page.

Edit: I mistook the error message you quoted for a different one, “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA”.

I think your error message means that you specified a --preferred-challenges option and plugin that aren’t compatible with each other.

The below part of this post isn’t really relevant, but I’m preserving it for posterity, or something.

The “None of the preferred challenges are supported by the selected plugin. Skipping.” error usually happens for one of two reasons:

  • Let’s Encrypt requires DNS-01 validation for wildcards. If you try to include a wildcard using one of the web server plugins, you’ll get that error.

    In that case, you need to switch to a DNS plugin, or list out all of your subdomains without using any wildcards.

  • In older versions of Certbot, the Apache and Nginx plugins only support TLS-SNI-01 validation. In newer versions, they support both HTTP-01 and TLS-SNI-01. When Let’s Encrypt disables TLS-SNI-01 and you try to use a plugin that supports nothing else, you get that error.

    In that case, the best thing to do is to upgrade Certbot if you can, but the other option is to switch to a different plugin. (Or a different ACME client!)
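
The compatibility rules discussed in this thread, as an added example (not part of the original posts and not Certbot's own code): a small pre-flight check that reports why a plugin, `--preferred-challenges` list and domain list leave no usable challenge. The plugin table, the `dns` key standing in for any DNS plugin, the `CA_OFFERS` default and the reason strings are assumptions; verify them against the documentation table and `certbot -h` for your installed version.

```python
# Assumed capability table, assembled from the post above and the Certbot
# documentation table. "dns" is a hypothetical stand-in for any DNS plugin.
PLUGIN_CHALLENGES = {
    "apache": {"http-01", "tls-sni-01"},
    "nginx": {"http-01", "tls-sni-01"},
    "webroot": {"http-01"},
    "dns": {"dns-01"},
}

# Assumption: the CA no longer offers tls-sni-01 (it is being phased out).
CA_OFFERS = frozenset({"http-01", "dns-01"})


def check(plugin, domains, preferred=(), ca_offers=CA_OFFERS,
          table=PLUGIN_CHALLENGES):
    """Return (usable_challenges, reason); an empty list means the run fails."""
    supported = table[plugin]
    if preferred:
        # Keep the operator's preference order, drop what the plugin can't do.
        pool = [c for c in preferred if c in supported]
        if not pool:
            return [], "preferred challenges not supported by plugin"
    else:
        pool = sorted(supported)
    # Drop challenge types the CA has disabled.
    pool = [c for c in pool if c in ca_offers]
    if not pool:
        return [], "plugin supports nothing the CA still offers"
    # Wildcard names can only be validated with dns-01.
    if any(d.startswith("*.") for d in domains):
        pool = [c for c in pool if c == "dns-01"]
        if not pool:
            return [], "wildcard names need dns-01; use a DNS plugin"
    return pool, "ok"


if __name__ == "__main__":
    # Constructed sample inputs covering the cases described in the thread.
    old_table = {"apache": {"tls-sni-01"}}  # older Apache plugin, per the post
    print(check("apache", ["example.com"], preferred=["dns-01"]))
    print(check("nginx", ["*.example.com"]))
    print(check("apache", ["example.com"], table=old_table))
    print(check("dns", ["*.example.com", "example.com"], preferred=["dns-01"]))
```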