Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
My web server is (include version): Apache/2.4.25 (Debian)
The operating system my web server runs on is (include version): Debian GNU/Linux 9.12 (stretch)
My hosting provider, if applicable, is: Google Compute Engine
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0
I'm moving my website to a new server (debian9+apache).
I've installed a certbot certificate for my domain via command:
sudo certbot certonly -d www.theartstory.org --manual --preferred-challenges dns
I've used this command insead of:
sudo certbot --apache
because at that date DNS records were configured to old ip adress.
Now I need to add not-www version to this certificate.
Just ‘force’ the use of the Apache plugin again (but without certonly, because you didn’t use that the first time either, so that suggests to me you’d like the apache plugin to [re]install the certificate too):
theartstory.org
You are also removing previously included domain(s):
(None)
Did you intend to make this change?
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
@schoen / @bmw Do you have any clue why the apache authenticator would complain about this, while there isn’t any wildcard hostname included? Is it perhaps a bug fixed since certbot v0.28?
If I remember correctly, there was a bug that got inadvertently fixed around 0.31.0, yes. When Let's Encrypt removed unused challenges from valid authorizations, older versions of Certbot would get upset if it reused an authorization that was made using a challenge type not supported by the current plugin. (Obviously, that's wrong, which is why it's called a bug!)
In that case, deleting your certificates and configuration files won't help -- the problem is the authorization. Deleting your account would work around the issue because authorizations are associated with accounts.
(Certbot's renewal configuration files include an account ID, so deleting your account breaks renewal until you fix the files.)
If that's the issue, would you mind waiting a few weeks to update your configuration? When you validate a name, Let's Encrypt remembers it for 30 days, and doesn't force you to validate it again. Once the old authorization expires, the Certbot bug won't be triggered anymore. If you don't mind waiting, it's the simplest way to solve that issue.
Well, you haven't done anything bad. If Debian 9 had a newer version of Certbot, you wouldn't even have any trouble at all.
What's happening (I think) is:
You validated www.theartstory.org using DNS-01 (You issued a certificate on 2020-04-12, so it was probably then.)
After an ACME account has validated a name, Let's Encrypt (normally) allows it to reuse the same validation for 30 days.
Now you're trying to issue a new certificate using the apache plugin, which only supports HTTP-01 validation.
Due to an issue in old versions of Certbot, and a recent change in the Let's Encrypt's API, when you run it again, Certbot thinks, "DNS-01 validation!? But I need to use HTTP-01 validation! Oh no!" and raises an error. (Even though, in fact, Certbot doesn't need to validate the name a second time, and there's no problem at all.)
So the simplest way to solve it is to wait until the authorization expires.
Another relatively simple option would be to use the manual plugin again to get your new certificate -- of course, you'd have to switch to the apache plugin before it expires!
You might consider using certbot-auto to run the most recent version of Certbot just once to create the certificate. (The old version won't run into this problem renewing it 2 monhs from now.)