New cert name, re-using old certs challenge type

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: chris-test6.simpleviewcerts.com

I ran this command: certbot certonly -c ‘/app/lib/letsencrypt/cli.ini’ -d ‘chris-test6.simpleviewcerts.com’ --cert-name test-certificates-chris-test6-dns01 -m sv-certs@simpleviewinc.com --force-renewal --preferred-challenges dns --manual-auth-hook /app/lib/letsencrypt/auth_dns01.js --manual-cleanup-hook ‘/app/lib/letsencrypt/cleanup_dns01.js’

It produced this output:

2020-08-24 19:30:22,098:DEBUG:certbot.main:certbot version: 0.28.0
2020-08-24 19:30:22,101:DEBUG:certbot.main:Arguments: [’-c’, ‘/app/lib/letsencrypt/cli.ini’, ‘-d’, ‘chris-test6.simpleviewcerts.com’, ‘–cert-name’, ‘test-certificates-chris-test6-dns01’, ‘-m’, ‘sv-certs@simpleviewinc.com’, ‘–force-renewal’, ‘–preferred-challenges’, ‘dns’, ‘–manual-auth-hook’, ‘/app/lib/letsencrypt/auth_dns01.js’, ‘–manual-cleanup-hook’, ‘/app/lib/letsencrypt/cleanup_dns01.js’]
2020-08-24 19:30:22,103:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-08-24 19:30:22,121:DEBUG:certbot.log:Root logging level set at 20
2020-08-24 19:30:22,122:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-08-24 19:30:22,123:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2020-08-24 19:30:22,127:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x7f708a854048>
Prep: True
2020-08-24 19:30:22,128:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0x7f708a854048> and installer None
2020-08-24 19:30:22,129:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2020-08-24 19:30:22,136:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(contact=(), only_return_existing=None, key=None, agreement=None, terms_of_service_agreed=None, status=None), uri=‘https://acme-v02.api.letsencrypt.org/acme/acct/92466932’, terms_of_service=None, new_authzr_uri=None), c2e07d9894a5fa3a6b96684a742c2418, Meta(creation_host=‘sv-certs-graphql-v1-765c655f79-dd77x’, creation_dt=datetime.datetime(2020, 7, 27, 23, 34, 6, tzinfo=)))>
2020-08-24 19:30:22,139:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-08-24 19:30:22,150:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-08-24 19:30:22,504:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2020-08-24 19:30:22,505:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 24 Aug 2020 19:30:22 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
letsencrypt.org
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“oY9k_xDsbQY”: “Adding random entries to the directory”,
“revokeCert”: “https://acme-v02.api.letsencrypt.org/acme/revoke-cert
}
2020-08-24 19:30:22,506:INFO:certbot.main:Obtaining a new certificate
2020-08-24 19:30:22,871:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0017_key-certbot.pem
2020-08-24 19:30:22,876:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0017_csr-certbot.pem
2020-08-24 19:30:22,877:DEBUG:acme.client:Requesting fresh nonce
2020-08-24 19:30:22,878:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-08-24 19:30:24,105:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 200 0
2020-08-24 19:30:24,106:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 24 Aug 2020 19:30:24 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 00011DhArSK37hm-x3e-KiroZ-Tv_-yY7i6ajUAchBNHMXQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2020-08-24 19:30:24,106:DEBUG:acme.client:Storing nonce: 00011DhArSK37hm-x3e-KiroZ-Tv_-yY7i6ajUAchBNHMXQ
2020-08-24 19:30:24,106:DEBUG:acme.client:JWS payload:
b’{\n “identifiers”: [\n {\n “type”: “dns”,\n “value”: “chris-test6.simpleviewcerts.com”\n }\n ]\n}’
2020-08-24 19:30:24,109:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
“signature”: “b_W4ZlsJ3JzVrHnCmdSj4abeyAn4L_2nVb83h_1xv6zmOvuemj0y6FjGFNrab3TUUWg8dDma-1Jrasc1TBRnr8vV_jxH12Sy4KLbV3X4NUuX6cT7mwTAIQBXCRoLHOCZGauo_YZwl9aEKu4EYR5eA24e_ovo7WBWY5sQvW2r3bU-EpTVitU8P937DOXWJW7zYxEne8aN2TThLyBQAIaIkDD7SScnnkK-PIuRS90NURMIwLD48tbztJHyyYTRObhfKMIuT9tdz7lemhRViZphwPvSfmBKwWSGbqxfelEUm8edjnUeAgkmGUq7EbMEIuQlx96yL-hMC1sgSGvpYS_ipQ”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImNocmlzLXRlc3Q2LnNpbXBsZXZpZXdjZXJ0cy5jb20iCiAgICB9CiAgXQp9”,
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTI0NjY5MzIiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJub25jZSI6ICIwMDAxMURoQXJTSzM3aG0teDNlLUtpcm9aLVR2Xy15WTdpNmFqVUFjaEJOSE1YUSJ9”
}
2020-08-24 19:30:24,665:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 201 349
2020-08-24 19:30:24,666:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 24 Aug 2020 19:30:24 GMT
Content-Type: application/json
Content-Length: 349
Connection: keep-alive
Boulder-Requester: 92466932
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Location: https://acme-v02.api.letsencrypt.org/acme/order/92466932/4844399221
Replay-Nonce: 0002MEB6DcnGgqp6ZQbifZZkLNL4F9Dkrx1UmnFn0di-0_E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“status”: “ready”,
“expires”: “2020-08-31T18:00:23Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “chris-test6.simpleviewcerts.com
}
],
“authorizations”: [
https://acme-v02.api.letsencrypt.org/acme/authz-v3/6745606604
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/92466932/4844399221
}
2020-08-24 19:30:24,667:DEBUG:acme.client:Storing nonce: 0002MEB6DcnGgqp6ZQbifZZkLNL4F9Dkrx1UmnFn0di-0_E
2020-08-24 19:30:24,667:DEBUG:acme.client:JWS payload:
b’’
2020-08-24 19:30:24,669:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6745606604:
{
“signature”: “uPTOjzHCAas4fwBT3MRtXhTGOBEUfgpvrbgsSuZ4SBkYNzFB-SWiqxYbbjiO2ekAE3aDXRqO5oEaF8HwHGhXUh7xjimc8lk_pjpUS-Sp5KEalE5RWJ6okMZ_uSm20HTTqJhK5N99q6IrTHIVcvCziGOHboZeIAGTvUpldEc-Nj8NudPlYm2gfkm2v_BZL4S3Yf6DKcI_CDvyN24g0TZ4afZIYRU5KmOqTZlSm9KnmWLykGrEvcUFowy4ZVK2xCWee11Jbuq5lQ-jPVe4OFYp7MCpJdXFLxcgnYJqU0nnmjMWEjtHJZecnILhZd4gWitLR1ixiyGNqpNgFBEzG81uGA”,
“payload”: “”,
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTI0NjY5MzIiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzY3NDU2MDY2MDQiLCAibm9uY2UiOiAiMDAwMk1FQjZEY25HZ3FwNlpRYmlmWlprTE5MNEY5RGtyeDFVbW5GbjBkaS0wX0UifQ”
}
2020-08-24 19:30:25,143:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/6745606604 HTTP/1.1” 200 761
2020-08-24 19:30:25,144:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 24 Aug 2020 19:30:25 GMT
Content-Type: application/json
Content-Length: 761
Connection: keep-alive
Boulder-Requester: 92466932
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0001PptDD2BVgoFIpEQNvm6dZVHJJNEi5MsldnLFFR7-pno
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “chris-test6.simpleviewcerts.com
},
“status”: “valid”,
“expires”: “2020-09-23T15:15:26Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “valid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6745606604/6bYn7g”,
“token”: “uakZx4vfpGhQg-lJ6sM3D1anpr79-YO5ZTy3XA1VmFY”,
“validationRecord”: [
{
“url”: “http://chris-test6.simpleviewcerts.com/.well-known/acme-challenge/uakZx4vfpGhQg-lJ6sM3D1anpr79-YO5ZTy3XA1VmFY”,
“hostname”: “chris-test6.simpleviewcerts.com”,
“port”: “80”,
“addressesResolved”: [
“34.74.254.27”
],
“addressUsed”: “34.74.254.27”
}
]
}
]
}
2020-08-24 19:30:25,144:DEBUG:acme.client:Storing nonce: 0001PptDD2BVgoFIpEQNvm6dZVHJJNEi5MsldnLFFR7-pno
2020-08-24 19:30:25,144:INFO:certbot.auth_handler:Performing the following challenges:
2020-08-24 19:30:25,145:CRITICAL:certbot.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
2020-08-24 19:30:25,145:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.28.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1340, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1225, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 392, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 371, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 68, in handle_authorizations
self._choose_challenges(aauthzrs)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 110, in _choose_challenges
combinations)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 415, in gen_challenge_path
return _find_smart_path(challbs, preferences, combinations)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 452, in _find_smart_path
_report_no_chall_path(challbs)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 491, in _report_no_chall_path
raise errors.AuthorizationError(msg)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

My web server is (include version): N/A

The operating system my web server runs on is (include version): Debian GNU/Linux 9 (stretch)

My hosting provider, if applicable, is: Google Kubernetes Engine

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0


We recently encountered an issue with our automatic cert generation system. We have a platform that allows clients/products to automatically request certs either using http01 or dns01. I believe what we’re facing is what is described in this issue Can't do HTTP-01 challenge after DNS-01 challenge but I’m not sure how to resolve it in our setup. Basically a cert with a name “test-certificates-chris-test6-http01” was requested using http01 for the domain chris-test6.simpleviewcerts.com. Another cert with the name ‘chris-test6-dns01’ was later added for the SAME domain, but that cert was using the dns01 challenge. In this case, these are 2 different cert names for the same domain. Looking at my linked debug output, it looks like it’s still using the http01 challenge. The identifier.type is dns, but the challenges[0].type is http-01. Now, this is called out in the linked issue above, but it doesn’t make sense to me. It’s a different cert name, so just because it happens to share a domain with another cert, doesn’t feel like it should share any renewal/generation information.

We have a cert registry where we allow products/users to specify their desired certs by API, and then it’ll generate it for them. If a user starts a cert as http01 and then later switches it to dns01 (in example if the system scaled beyond a single web-server), it seems like it’s still going to attempt to do an http01 challenge, even though we’re telling it not to. How do we work around this issue? I don’t particularly want to use a different account per cert because we’re going to be managing thousands of certs through this system. I guess I just don’t know why it doesn’t use the specified challenge type, especially when passing --force-renewal.

That’s quite an old version of certbot. Perhaps this is a bug which has been fixed a long time ago. Please upgrade certbot and try again.

Interesting… we were installing it via a simple apt-get install certbot on a Node:12 box, which runs Debian Stretch. It turns out that’s the latest version in Debian Stretch. I tried updating to node:12-buster and that repo only had 0.31.0. When I switched my installation to be based off certbot-auto, I was able to get it to install 1.7.0 and the problem went away (I think, our QA engineers are putting it through the paces).

Is it expected that the official install path for Debian Buster and Debian Stretch is so old? I’m not a big fan of certbot-auto because I like to specifically control dependency versions, and would prefer to manually install a specific version of certbot, but near as I can find the only way of doing that is by using the Docker containers, but that introduces a whole host of additional tech complexities in a Kubernetes environment. I will respond in a few days depending on the results of QA to close this this issue.

I believe this was fixed by https://github.com/certbot/certbot/pull/6551, which is present in Certbot 0.31.0 and newer.

If we look at the Debian Stretch patches (https://sources.debian.org/patches/python-certbot/), it doesn’t seem to have been backported. Which is fair enough, it’s a fairly obscure issue and not exactly a critical.

That’s the way the Debian stable release always has been, pretty much.

There’s always installing Certbot into a virtualenv using pip. It’s not a supported installation method, but it will do exactly that. No automatic upgrades or anything.

Still, I would stick to whatever is in repo and instead try to avoid this issue.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.