Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Same error when I try to run:
certbot --apache certonly

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Yes. That tries to use TLS-SNI-01 validation, which is disabled, and then does not configure Apache to install the certificate.

If you want to do the opposite, “certbot --authenticator webroot --installer apache” will work.

What do you need to do?


Around when will the TLS-SNI-01 challenge be re-enabled?

Hi @davidshoda,

Seems a couple of days:

Over the next 48 hours we will be building a list of vulnerable providers and their associated IP addresses. Our tentative plan, once the list is completed, is to re-enable the TLS-SNI-01 challenge type with vulnerable providers blocked from using it.

For more info check this pinned post 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

Cheers,
sahsanu


same error here with:
certbot-auto renew --standalone --quiet --no-self-upgrade --renew-hook '/path/to/hook.sh'

(Edit: I misread you originally, and rewrote this post.)

“certbot-auto renew” tries to reuse the same settings, including the validation method, that were used when the certificate was originally created.

Do you need to renew your certificate immediately? If the certificate is expiring 29 days from now, it would be easiest to ignore the failure for a few days until the dust settles.

If you need to renew it now, with different options, run the command to issue a new certificate. For example:

certbot-auto --standalone --preferred-challenges http -d example.com -d www.example.com

Edit: To clarify, if you run that, future renewals (starting 60 days from now) will use the new options too.

@mnordhoff: my fault, I misunderstood that --standalone implies the TLS-SNI-01 challenge

Well, it uses TLS-SNI-01 by default, but also supports HTTP-01.

is there something I did wrong here?

(this is the first cert on this server btw)

sudo certbot --authenticator standalone --installer apache -d cloud.hixfamily.us -d cloud.hixfamilyreunion.com -d www.hixfamily.us -d www.hixfamliyreunion.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer apache
Running pre-hook command: systemctl stop apache2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.hixfamily.us
http-01 challenge for cloud.hixfamilyreunion.com
http-01 challenge for www.hixfamily.us
http-01 challenge for www.hixfamliyreunion.com
Waiting for verification…
Cleaning up challenges
Running post-hook command: systemctl start apache2
Failed authorization procedure. www.hixfamliyreunion.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.hixfamliyreunion.com

I checked each one is going to the apache start page… so DNS is working as expected.

Hope I did not hijack the thread. Let me know and I will move this to a new topic.

Thank you

–edit—
I noticed the liy instead of ily … corrected and it ran as expected. Sorry for the confusion

I assume you meant “family” not “famliy”

yeah…

again… sorry for the confusion

Very timely. That was exactly my problem. I’ll wait.

I appreciate there is a straightforward work around, and I also understand the security vulnerability as well as the importance of maintaining your ability to issue certificates.

However we’ve already deployed certbot with auto renewal across dozens of environments and hundreds of sites – do you recommend we switch everything over now or is there going to be an anticipated fix to restore original functionality?

Thank you for all your work!


It would be good if TLS-SNI were to be re-enabled at least on staging…



Hi

To make this clear for me:
This means the letsencrypt/certbot apache module is now dead?
I can’t use --apache in the future?
Or is there a way that I can use the apache module with HTTP-01 challenges?

The standalone and the webroot modules both have downsides (the server needs to be stopped, or a customer’s .htaccess can destroy the webroot way).
There is surely a way around this, but the apache module solves many problems for me in a good way.

Hi, I am a little confused here … can anyone please suggest the correct solution for this?
I have the following cron job being executed on a weekly basis:
sudo /opt/letsencrypt/certbot-auto renew --renew-hook "service apache2 reload" >> /var/log/certbot-renew.log && sudo service postfix restart && sudo service dovecot restart

But now it started returning this error:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (somedomain.cz) from /etc/letsencrypt/renewal/somedomain.cz.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.

Additional error displayed is:
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/somedomain.cz/fullchain.pem (failure)

Should I update my cron command somehow, or is it necessary to run some command for each domain on the server separately to resolve this issue?

Thank you very much for any help.
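The two questions above (the `certbot-auto renew --standalone` failure earlier in the thread and the weekly `certbot-auto renew` cron job here) have the same root cause: `renew` replays the settings saved when the certificate was issued, so a certificate issued with the apache authenticator, or with standalone and no saved challenge preference, will try TLS-SNI-01 again at every renewal. The script below is an added example, not code from the thread or from the certbot project. It scans renewal configs, reports which ones would pick TLS-SNI-01, and prints the re-issue command shape suggested earlier in the thread for each affected one. It assumes (not stated on the page) that certbot keeps one `/etc/letsencrypt/renewal/<name>.conf` per certificate with a `[renewalparams]` section containing lines such as `authenticator = apache` and, when a preference was saved, `pref_challs = http-01,` (certbot writes lists with a trailing comma). The classification encodes what the thread says about certbot at the time: the apache authenticator used TLS-SNI-01, standalone defaulted to TLS-SNI-01 but also supports HTTP-01, and webroot performs HTTP-01. The sample confs are constructed for the demo; `<domains>` and `<webroot>` are placeholders you fill in.

```shell
#!/bin/sh
# Added example (not from the thread or the certbot project): find certbot renewal
# configs whose saved settings would select the TLS-SNI-01 challenge at renewal
# time, and print the re-issue command shape suggested in the thread for them.
# Assumed conf layout: "[renewalparams]" with "authenticator = ..." and, when
# saved, "pref_challs = http-01," (trailing comma, as certbot writes lists).

# conf_get FILE KEY: print the value of the first "KEY = value" line in FILE.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# first_pref FILE: first entry of pref_challs, or nothing if none was saved.
first_pref() {
    conf_get "$1" pref_challs | sed 's/[ ,].*//'
}

# challenge_status FILE: echo "affected", "ok" or "unknown".
#   affected - renewal would select TLS-SNI-01 and fail with "Client with the
#              currently selected authenticator does not support any combination
#              of challenges that will satisfy the CA"
#   ok       - a saved preference or the authenticator avoids TLS-SNI-01
challenge_status() {
    pref=$(first_pref "$1")
    if [ -n "$pref" ]; then
        # An explicit saved preference wins over the authenticator's default.
        case "$pref" in
            tls-sni-01)     echo affected ;;
            http-01|dns-01) echo ok ;;
            *)              echo unknown ;;
        esac
        return 0
    fi
    case "$(conf_get "$1" authenticator)" in
        apache|standalone) echo affected ;;  # defaulted to TLS-SNI-01 (per the thread)
        webroot|dns-*)     echo ok ;;        # HTTP-01 / DNS-01 only
        *)                 echo unknown ;;
    esac
}

# suggested_fix FILE: re-issue command shape from the thread for an affected conf.
# Domains are not stored in the conf in a uniform way, so "<domains>" is a placeholder.
suggested_fix() {
    case "$(conf_get "$1" authenticator)" in
        apache)     echo "certbot-auto --authenticator webroot --installer apache -w <webroot> -d <domains>" ;;
        standalone) echo "certbot-auto --standalone --preferred-challenges http -d <domains>" ;;
        *)          echo "(no change needed)" ;;
    esac
}

# make_sample_confs: write constructed renewal confs (sample data, not from any
# real system) into a temp dir and print the directory.
make_sample_confs() {
    dir=$(mktemp -d)
    cat >"$dir/apache-site.example.conf" <<'EOF'
version = 0.19.0
[renewalparams]
authenticator = apache
installer = apache
EOF
    cat >"$dir/standalone-site.example.conf" <<'EOF'
version = 0.19.0
[renewalparams]
authenticator = standalone
installer = None
EOF
    cat >"$dir/fixed-site.example.conf" <<'EOF'
version = 0.19.0
[renewalparams]
authenticator = standalone
pref_challs = http-01,
EOF
    cat >"$dir/webroot-site.example.conf" <<'EOF'
version = 0.19.0
[renewalparams]
authenticator = webroot
installer = apache
webroot_path = /var/www/html,
EOF
    echo "$dir"
}

# report DIR: one line per conf with its status and, if affected, the fix.
report() {
    for f in "$1"/*.conf; do
        s=$(challenge_status "$f")
        name=$(basename "$f" .conf)
        if [ "$s" = affected ]; then
            printf '%-8s %s  ->  %s\n' "$s" "$name" "$(suggested_fix "$f")"
        else
            printf '%-8s %s\n' "$s" "$name"
        fi
    done
}

# Demo on the constructed confs; point report at /etc/letsencrypt/renewal on a real host.
report "$(make_sample_confs)"
```

On a real host, run `report /etc/letsencrypt/renewal` and re-issue the affected certificates with the printed command; as noted earlier in the thread, later renewals then reuse the new settings, so the cron job itself does not need to change.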