Thanks for sharing your solution.
I just wanted to point out that the two error messages “None of the preferred challenges are supported by the selected plugin” and “The client lacks sufficient authorization” are different and generally arise for different reasons. I would not recommend pursuing the same solution for each of them.
Switching to the webroot authenticator in response to “The client lacks sufficient authorization” is a valid workaround for what appears to be a bug in the way our apache plugin integrates with some Apache configurations. We’re still trying to figure this out so that this workaround wouldn’t be necessary. It is not correct that the apache plugin “does not support http-01 domain validation”; it has supported http-01 since Certbot 0.21.0, which was released over a year ago! (But indeed, some users find that the http-01 support doesn’t work in their environments, and we’re still trying to determine why this is so.)
If you do want to switch to the webroot authenticator, I would suggest using `--webroot` instead of editing `cli.ini`. The reason is that putting this in `cli.ini` makes it apply to all certificates on the system, including future certificates, which may then make it difficult to debug why an attempt to use a different authenticator for a different certificate fails. For example, users might want to use a DNS-based authenticator if one of their other certificates needs a wildcard. Similarly, setting a single `webroot-path` default for the entire system is not ideal when a system is going to support several different certificates, because the webroot path for each certificate should probably be set individually.
I realize that you described your solution as applying to “apache2 hosting a single domain”, so I just want to emphasize the ways that it might not be suitable for other environments.
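As an added illustration of the point above (this is example code written for this thread, not something from the poster or from the Certbot project), the snippet below shows how to check a `cli.ini` for the system-wide `authenticator` / `webroot-path` settings the reply warns about, and how to build the per-certificate `--webroot` invocation instead. The domain, webroot path and the sample `cli.ini` contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the Certbot project.
# Detects system-wide webroot settings in a Certbot cli.ini and builds the
# per-certificate command line that scopes the webroot to one certificate.

# Return 0 (true) if the given cli.ini sets a global authenticator or
# webroot-path: cli.ini options apply to every certificate on the system,
# including ones issued later, which is what makes later debugging hard.
cli_ini_has_global_auth() {
    ini="$1"
    [ -f "$ini" ] || return 1
    grep -Eq '^[[:space:]]*(authenticator|webroot-path)[[:space:]]*=' "$ini"
}

# Print the offending lines so an admin can see what would apply globally.
cli_ini_global_auth_lines() {
    grep -En '^[[:space:]]*(authenticator|webroot-path)[[:space:]]*=' "$1" || true
}

# Print the certbot command that keeps the webroot choice local to one
# certificate instead of setting it in cli.ini.
# Usage: webroot_cmd DOMAIN WEBROOT_PATH
webroot_cmd() {
    printf 'certbot certonly --webroot -w %s -d %s\n' "$2" "$1"
}

# Stand-alone demo on a constructed cli.ini (a temp file, not a real
# system file); the domain and path are placeholders.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/cli.ini" <<'EOF'
# constructed sample cli.ini
authenticator = webroot
webroot-path = /var/www/html
EOF
    if cli_ini_has_global_auth "$dir/cli.ini"; then
        echo "cli.ini applies webroot to every certificate on this system:"
        cli_ini_global_auth_lines "$dir/cli.ini"
        echo "Consider a per-certificate invocation instead, e.g.:"
        webroot_cmd example.com /var/www/example
    fi
    rm -rf "$dir"
}

demo
```

The check only looks for the two keys the reply discusses; other `cli.ini` settings (key size, e-mail address, and so on) are left alone because they do not steer which authenticator a later certificate request will use.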