New domain - challenges on pending (dns-01 and http-01) forever

Are there any issues with the validation servers?

I can’t issue any certificate… :frowning:

I am using Ubuntu 14.04 with certbot version 0.21.1, options “certonly --standalone”

Initially I get the “The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.” error, then I get the “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.” error.

I checked the GitHub issues but the solution there did not work for me.

Any help?

Hi @mauro,

Are you issuing a completely new certificate on a machine that’s never had one before, or trying to renew an existing certificate?

Your topic title refers to a new certificate and challenges that continue pending, but that doesn’t seem to match the error that you saw from Certbot.

Hi Schoen,

It is a new certificate for a new domain on a machine that has several other domains that were already issued by Let’s Encrypt - and are renewed constantly.

Thanks,

Mauro

OK, could you please give us the exact command line that you ran and the exact output from Certbot that resulted from it?

./certbot-auto --version

The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
certbot 0.21.1

./certbot-auto certonly --standalone

No installer, picking names manually
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’ to cancel): labs.mwapp.com.br
Obtaining a new certificate
Requesting fresh nonce
Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
https://acme-v01.api.letsencrypt.org:443 “HEAD /acme/new-authz HTTP/1.1” 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST

Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 722
Boulder-Requester: 28621232
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”

Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “labs.mwapp.com.br
},
“status”: “pending”,
“expires”: “2018-02-08T12:23:32Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/v4OWG-lgeqyXXBzlz5cAd1hGEA-t0_EJ_2UzqWcAu8c/3307985832”,
“token”: “tctKjBYAZkQ1ltr7nURnzqfwQEmoNby7N6Crhnu9bks”
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/v4OWG-lgeqyXXBzlz5cAd1hGEA-t0_EJ_2UzqWcAu8c/3307985833”,
“token”: “uI_rGnngvQDVtcP_Gtb98_NBQq3Y40os8_3B_FjVoWk”
}
],
“combinations”: [
[
1
],
[
0
]
]
}

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Exiting abnormally:

AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Do you have something in /etc/letsencrypt/cli.ini?


Yeah, this seems to be showing a case where Certbot is being forced to use TLS-SNI-01 authentication, which is no longer supported. However, you didn’t clearly specify on the command line that it should be used.

If you don’t have a cli.ini file, it would be good to see the log from /var/log/letsencrypt in case it sheds any more light on why Certbot refused to use the HTTP-01 authenticator here.

Yep. I have

authenticator = standalone
standalone-supported-challenges = tls-sni-01

in the cli.ini file. Should I modify it?

Yes, if you just remove the second line the process should go more smoothly.

Your cli.ini file currently specifies an authentication method which is no longer supported by the certificate authority.


I commented out both lines and now it is working 100%.

Thanks for the help!

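The mismatch diagnosed in this thread can be checked offline. The script below is an added example, not part of the thread and not Certbot code: it compares the `standalone-supported-challenges` value in a cli.ini against the `challenges` and `combinations` of an authorization response. The function names are hypothetical, and the inputs are constructed samples modelled on the posts above, with a placeholder hostname and the tokens and URIs omitted.

```python
import json

# Constructed inputs modelled on the thread (placeholder host, tokens and URIs omitted).
CLI_INI = """\
authenticator = standalone
standalone-supported-challenges = tls-sni-01
"""
AUTHZ_JSON = """\
{"identifier": {"type": "dns", "value": "example.test"},
 "status": "pending",
 "challenges": [{"type": "dns-01", "status": "pending"},
                {"type": "http-01", "status": "pending"}],
 "combinations": [[1], [0]]}
"""


def parse_ini(text):
    """Parse 'key = value' lines, skipping blank lines and #/; comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def offered_combinations(authz):
    """Resolve each index list in 'combinations' to a set of challenge types."""
    types = [c["type"] for c in authz["challenges"]]
    combos = authz.get("combinations") or [[i] for i in range(len(types))]
    return [{types[i] for i in combo} for combo in combos]


def check(ini_text, authz_text, key="standalone-supported-challenges"):
    """Return None if the key is unset, else whether any combination is satisfiable."""
    settings = parse_ini(ini_text)
    if key not in settings:
        return None
    allowed = {v.strip() for v in settings[key].split(",") if v.strip()}
    combos = offered_combinations(json.loads(authz_text))
    return {"configured": sorted(allowed),
            "offered": sorted(set().union(*combos)),
            "satisfiable": any(combo <= allowed for combo in combos)}


if __name__ == "__main__":
    print(check(CLI_INI, AUTHZ_JSON))
```

With the two cli.ini lines commented out, `check` returns `None` because no restriction is configured any more.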