No authenticators working besides manual

I am new to LetsEncrypt, but I think I have a pretty solid handle on how it works. I can get everything working just fine with the manual authenticator. But when I try to do the Apache, Webroot, or Standalone methods, I get the following error:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

I am on Ubuntu 16.04 using certbot 0.26.1 on an Azure Linux vm.

Thanks everyone!

What exact command(s) are you using when you get this error? If you're requesting a wildcard cert, you'll need to use DNS validation (as the message says).

Thank you! That did it. So is it not possible to do an automatically renewing certificate for wildcards? I can do the wildcard when I do it manually.

Sure it is, but only if your DNS provider has an API to allow for automated updates, and you have a hook script for certbot that implements that API. Or you can use an alternative client like, which has support for 50-some DNS providers' APIs built in.

Or you can use acme-dns to host your own DNS validation.


I found acme-dns not to work which probably was caused by the cname recorded needed in this implementation. Therefore I have written a bash script which can be used as a hook by certbot to obtain wildcard certificates. You need to install a local domain name server, though (I recommend yadifa where this is quite easy), but in this way an automatic renewal is possible.

I don't know how many use it, but it works fine for me. What's the problem with the CNAME record? Set that record once, you're done.

I always got the error about a lacking TXT record while my acme-dns log showed that the TXT record was requested from the subdomain _acme-challenge and not from the subdomain given in the cname record.

I’d suspect a configuration problem on your end (do your CNAME records point to a subdomain? _acme-challenge.yourdomain.tld IN CNAME ed52dd97-1a80-4926-8408-f7f77a4899d9.acme.yourdomain.tld?), but this probably isn’t the place to address it, and I’m probably not the best person to do so in any event. If you’d like to address the issue, a separate thread would probably be the better place. I know it works well for me, but I can’t speak for anyone else.

Or your method is yet another–there are lots of ways to skin this cat.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.