If you are getting this message:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
You need to upgrade your Certbot. Let’s Encrypt permanently disabled the TLS-SNI-01 challenge due to a security report, as of 2018-01-09.
Certbot 0.21.0 was released on 2018-01-17. It adds support for the HTTP-01 challenge to the Apache and Nginx plugins. If you have installed Certbot from your OS package manager (that is, if you use the letsencrypt commands rather than certbot-auto), version 0.21.0 probably isn’t available yet. You should encourage the Certbot package maintainers for your system to provide a newer version. In the meantime, you can install Certbot through certbot-auto which will automatically install the latest version.
Workarounds for older Certbot versions
If you would prefer to wait until your OS package manager makes the latest Certbot available, and would like to work around the problem in the meantime, developer @bmw provided some helpful instructions, adapted here for convenience.
If you’re serving files for that domain out of a directory on Nginx, you can run the following command:
# Webroot method
sudo certbot --authenticator webroot --installer nginx \
--webroot-path <path to served directory> -d <domain>
If you’re not serving files out of a directory (for instance if you are using proxy_pass), you can temporarily stop your server while you obtain the certificate and restart it after Certbot has obtained the certificate. This would look like:
# Temporary outage method
sudo certbot --authenticator standalone --installer nginx \
-d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"
These hooks will cause Certbot to automatically stop your server to obtain certificates and then start it again. After running a command like this once, Certbot will remember your settings so certbot renew will work in the future.
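To decide which of the paths above applies on a given host, the following added example (not part of the original post or of Certbot) compares the installed version against 0.21.0 and names the method to use. The function names are illustrative, the sample version lines are constructed, and the "name X.Y.Z" shape of the version output is an assumption.

```shell
#!/bin/sh
# Added example: pick an issuance method for the installed Certbot version.
# Function names and sample inputs are illustrative, not part of Certbot.

MIN_VERSION="0.21.0"   # first release with HTTP-01 in the Apache/Nginx plugins

# parse_certbot_version LINE: extract "X.Y.Z" from a version line such as
# "certbot 0.19.0" or "letsencrypt 0.4.1"; prints nothing if none is found.
parse_certbot_version() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z-]* \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B, comparing each field
# numerically (so 0.9.3 < 0.21.0, which a plain string comparison gets wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# choose_method VERSION_LINE [WEBROOT_DIR]: print one of
#   plugin | webroot | standalone | unknown
choose_method() {
    ver=$(parse_certbot_version "$1")
    if [ -z "$ver" ]; then
        echo unknown                      # could not read a version
    elif version_ge "$ver" "$MIN_VERSION"; then
        echo plugin                       # new enough, no workaround needed
    elif [ -n "${2:-}" ] && [ -d "$2" ]; then
        echo webroot                      # old Certbot, files served from a directory
    else
        echo standalone                   # old Certbot, no served directory
    fi
}

# Constructed sample lines; on a real host pass "$(certbot --version 2>&1)".
for line in "certbot 0.19.0" "letsencrypt 0.4.1" "certbot 0.21.0"; do
    printf '%-20s -> %s\n' "$line" "$(choose_method "$line" "")"
done
```

A result of webroot or standalone corresponds to the "Webroot method" and "Temporary outage method" commands shown above.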
If you are using Apache, replace --installer nginx in the above commands with