Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: chris-test6.simpleviewcerts.com
I ran this command: certbot certonly -c ‘/app/lib/letsencrypt/cli.ini’ -d ‘chris-test6.simpleviewcerts.com’ --cert-name test-certificates-chris-test6-dns01 -m sv-certs@simpleviewinc.com --force-renewal --preferred-challenges dns --manual-auth-hook /app/lib/letsencrypt/auth_dns01.js --manual-cleanup-hook ‘/app/lib/letsencrypt/cleanup_dns01.js’
It produced this output:
2020-08-24 19:30:22,098:DEBUG:certbot.main:certbot version: 0.28.0
2020-08-24 19:30:22,101:DEBUG:certbot.main:Arguments: [’-c’, ‘/app/lib/letsencrypt/cli.ini’, ‘-d’, ‘chris-test6.simpleviewcerts.com’, ‘–cert-name’, ‘test-certificates-chris-test6-dns01’, ‘-m’, ‘sv-certs@simpleviewinc.com’, ‘–force-renewal’, ‘–preferred-challenges’, ‘dns’, ‘–manual-auth-hook’, ‘/app/lib/letsencrypt/auth_dns01.js’, ‘–manual-cleanup-hook’, ‘/app/lib/letsencrypt/cleanup_dns01.js’]
2020-08-24 19:30:22,103:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-08-24 19:30:22,121:DEBUG:certbot.log:Root logging level set at 20
2020-08-24 19:30:22,122:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-08-24 19:30:22,123:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2020-08-24 19:30:22,127:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x7f708a854048>
Prep: True
2020-08-24 19:30:22,128:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0x7f708a854048> and installer None
2020-08-24 19:30:22,129:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2020-08-24 19:30:22,136:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(contact=(), only_return_existing=None, key=None, agreement=None, terms_of_service_agreed=None, status=None), uri=‘https://acme-v02.api.letsencrypt.org/acme/acct/92466932’, terms_of_service=None, new_authzr_uri=None), c2e07d9894a5fa3a6b96684a742c2418, Meta(creation_host=‘sv-certs-graphql-v1-765c655f79-dd77x’, creation_dt=datetime.datetime(2020, 7, 27, 23, 34, 6, tzinfo=)))>
2020-08-24 19:30:22,139:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-08-24 19:30:22,150:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-08-24 19:30:22,504:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2020-08-24 19:30:22,505:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 24 Aug 2020 19:30:22 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
“letsencrypt.org”
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org”
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“oY9k_xDsbQY”: “Adding random entries to the directory”,
“revokeCert”: “https://acme-v02.api.letsencrypt.org/acme/revoke-cert”
}
2020-08-24 19:30:22,506:INFO:certbot.main:Obtaining a new certificate
2020-08-24 19:30:22,871:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0017_key-certbot.pem
2020-08-24 19:30:22,876:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0017_csr-certbot.pem
2020-08-24 19:30:22,877:DEBUG:acme.client:Requesting fresh nonce
2020-08-24 19:30:22,878:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-08-24 19:30:24,105:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 200 0
2020-08-24 19:30:24,106:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 24 Aug 2020 19:30:24 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 00011DhArSK37hm-x3e-KiroZ-Tv_-yY7i6ajUAchBNHMXQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
2020-08-24 19:30:24,106:DEBUG:acme.client:Storing nonce: 00011DhArSK37hm-x3e-KiroZ-Tv_-yY7i6ajUAchBNHMXQ
2020-08-24 19:30:24,106:DEBUG:acme.client:JWS payload:
b’{\n “identifiers”: [\n {\n “type”: “dns”,\n “value”: “chris-test6.simpleviewcerts.com”\n }\n ]\n}’
2020-08-24 19:30:24,109:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
“signature”: “b_W4ZlsJ3JzVrHnCmdSj4abeyAn4L_2nVb83h_1xv6zmOvuemj0y6FjGFNrab3TUUWg8dDma-1Jrasc1TBRnr8vV_jxH12Sy4KLbV3X4NUuX6cT7mwTAIQBXCRoLHOCZGauo_YZwl9aEKu4EYR5eA24e_ovo7WBWY5sQvW2r3bU-EpTVitU8P937DOXWJW7zYxEne8aN2TThLyBQAIaIkDD7SScnnkK-PIuRS90NURMIwLD48tbztJHyyYTRObhfKMIuT9tdz7lemhRViZphwPvSfmBKwWSGbqxfelEUm8edjnUeAgkmGUq7EbMEIuQlx96yL-hMC1sgSGvpYS_ipQ”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImNocmlzLXRlc3Q2LnNpbXBsZXZpZXdjZXJ0cy5jb20iCiAgICB9CiAgXQp9”,
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTI0NjY5MzIiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJub25jZSI6ICIwMDAxMURoQXJTSzM3aG0teDNlLUtpcm9aLVR2Xy15WTdpNmFqVUFjaEJOSE1YUSJ9”
}
2020-08-24 19:30:24,665:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 201 349
2020-08-24 19:30:24,666:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 24 Aug 2020 19:30:24 GMT
Content-Type: application/json
Content-Length: 349
Connection: keep-alive
Boulder-Requester: 92466932
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Location: https://acme-v02.api.letsencrypt.org/acme/order/92466932/4844399221
Replay-Nonce: 0002MEB6DcnGgqp6ZQbifZZkLNL4F9Dkrx1UmnFn0di-0_E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
“status”: “ready”,
“expires”: “2020-08-31T18:00:23Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “chris-test6.simpleviewcerts.com”
}
],
“authorizations”: [
“https://acme-v02.api.letsencrypt.org/acme/authz-v3/6745606604”
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/92466932/4844399221”
}
2020-08-24 19:30:24,667:DEBUG:acme.client:Storing nonce: 0002MEB6DcnGgqp6ZQbifZZkLNL4F9Dkrx1UmnFn0di-0_E
2020-08-24 19:30:24,667:DEBUG:acme.client:JWS payload:
b’’
2020-08-24 19:30:24,669:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6745606604:
{
“signature”: “uPTOjzHCAas4fwBT3MRtXhTGOBEUfgpvrbgsSuZ4SBkYNzFB-SWiqxYbbjiO2ekAE3aDXRqO5oEaF8HwHGhXUh7xjimc8lk_pjpUS-Sp5KEalE5RWJ6okMZ_uSm20HTTqJhK5N99q6IrTHIVcvCziGOHboZeIAGTvUpldEc-Nj8NudPlYm2gfkm2v_BZL4S3Yf6DKcI_CDvyN24g0TZ4afZIYRU5KmOqTZlSm9KnmWLykGrEvcUFowy4ZVK2xCWee11Jbuq5lQ-jPVe4OFYp7MCpJdXFLxcgnYJqU0nnmjMWEjtHJZecnILhZd4gWitLR1ixiyGNqpNgFBEzG81uGA”,
“payload”: “”,
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTI0NjY5MzIiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzY3NDU2MDY2MDQiLCAibm9uY2UiOiAiMDAwMk1FQjZEY25HZ3FwNlpRYmlmWlprTE5MNEY5RGtyeDFVbW5GbjBkaS0wX0UifQ”
}
2020-08-24 19:30:25,143:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/6745606604 HTTP/1.1” 200 761
2020-08-24 19:30:25,144:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 24 Aug 2020 19:30:25 GMT
Content-Type: application/json
Content-Length: 761
Connection: keep-alive
Boulder-Requester: 92466932
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0001PptDD2BVgoFIpEQNvm6dZVHJJNEi5MsldnLFFR7-pno
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
“identifier”: {
“type”: “dns”,
“value”: “chris-test6.simpleviewcerts.com”
},
“status”: “valid”,
“expires”: “2020-09-23T15:15:26Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “valid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6745606604/6bYn7g”,
“token”: “uakZx4vfpGhQg-lJ6sM3D1anpr79-YO5ZTy3XA1VmFY”,
“validationRecord”: [
{
“url”: “http://chris-test6.simpleviewcerts.com/.well-known/acme-challenge/uakZx4vfpGhQg-lJ6sM3D1anpr79-YO5ZTy3XA1VmFY”,
“hostname”: “chris-test6.simpleviewcerts.com”,
“port”: “80”,
“addressesResolved”: [
“34.74.254.27”
],
“addressUsed”: “34.74.254.27”
}
]
}
]
}
2020-08-24 19:30:25,144:DEBUG:acme.client:Storing nonce: 0001PptDD2BVgoFIpEQNvm6dZVHJJNEi5MsldnLFFR7-pno
2020-08-24 19:30:25,144:INFO:certbot.auth_handler:Performing the following challenges:
2020-08-24 19:30:25,145:CRITICAL:certbot.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
2020-08-24 19:30:25,145:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.28.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1340, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1225, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 392, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 371, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 68, in handle_authorizations
self._choose_challenges(aauthzrs)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 110, in _choose_challenges
combinations)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 415, in gen_challenge_path
return _find_smart_path(challbs, preferences, combinations)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 452, in _find_smart_path
_report_no_chall_path(challbs)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 491, in _report_no_chall_path
raise errors.AuthorizationError(msg)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
My web server is (include version): N/A
The operating system my web server runs on is (include version): Debian GNU/Linux 9 (stretch)
My hosting provider, if applicable, is: Google Kubernetes Engine
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0
We recently encountered an issue with our automatic cert generation system. We have a platform that allows clients/products to automatically request certs either using http01 or dns01. I believe what we’re facing is what is described in this issue Can't do HTTP-01 challenge after DNS-01 challenge but I’m not sure how to resolve it in our setup. Basically a cert with a name “test-certificates-chris-test6-http01” was requested using http01 for the domain chris-test6.simpleviewcerts.com. Another cert with the name ‘chris-test6-dns01’ was later added for the SAME domain, but that cert was using the dns01 challenge. In this case, these are 2 different cert names for the same domain. Looking at my linked debug output, it looks like it’s still using the http01 challenge. The identifier.type is dns, but the challenges[0].type is http-01. Now, this is called out in the linked issue above, but it doesn’t make sense to me. It’s a different cert name, so just because it happens to share a domain with another cert, doesn’t feel like it should share any renewal/generation information.
We have a cert registry where we allow products/users to specify their desired certs by API, and then it’ll generate it for them. If a user starts a cert as http01 and then later switches it to dns01 (in example if the system scaled beyond a single web-server), it seems like it’s still going to attempt to do an http01 challenge, even though we’re telling it not to. How do we work around this issue? I don’t particularly want to use a different account per cert because we’re going to be managing thousands of certs through this system. I guess I just don’t know why it doesn’t use the specified challenge type, especially when passing --force-renewal.