Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

OK, so if I do:

certbot --authenticator webroot --webroot-path /var/www/vhosts/www.mydomain.com --installer apache -d www.mydomain.com

the certificate for that domain (and domain aliases) is re-generated and the authentication will switch from tls-sni-01 to http-01? Correct?

…and next time the command:

certbot renew

will pick up the new setting automatically… correct?

I figured I could wait for SNI to be ready for renewals again, so I didn’t stop my renewal cron job.
I just noticed that renewals over SNI should be working.
But unfortunately I have hit a rate limit that I wasn’t aware of.
Too many pending authorizations…
My renewals can wait more than a week. But unfortunately I need to get a new certificate.
https://letsencrypt.org/docs/rate-limits/ says I can clear those pending authorizations by following the spec. I have read the “Responding to challenges” part of the spec and it looks like I could use hours figuring out what to send in nonce, keyAuthorization, and signature.
It would be easier if the certbot client could help clear pending authorizations, but the --help all doesn’t mention it.

Any helpful pointers would be appreciated.

Same here… as I kept the cronjob for renewal active, it now complains about too many open:

Processing /etc/letsencrypt/renewal/www.XXX.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.XXX
tls-sni-01 challenge for www.XXX_SAN1.ch
tls-sni-01 challenge for www.XXX_SAN2.ch
tls-sni-01 challenge for www.XXX_SAN3.ch
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.XXX) from /etc/letsencrypt/renewal/www.XXX.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: www.XXX,…: see https://letsencrypt.org/docs/rate-limits/. Skipping.

Stopped the renew cronjob for the moment… let’s hope it recovers in a week.

Marc

Hello,

I have written a program that will read Certbot logs and clear pending authorizations (by completing them invalidly), source code here.

You can pipe your Certbot logs into it, and pass your Certbot's private_key.json file to it.

chmod +x clear-authz
cat /var/log/letsencrypt/* | ./clear-authz $(find /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/ -name private_key.json)

I have uploaded a binary of this program here (sha256sum fa7dc041d8e8f04c229fea8ab1132d7c87fa5bb41460a0d2c77c9833e1568c28 ) but I strongly recommend you compile it on your own because I'm not taking the blame if your account key gets hacked.

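The clear-authz tool above works from Certbot's own logs, which is also the quickest way for an operator to see how many authorizations a runaway renewal cron job has left pending before touching the account key. The following is an added example, not the clear-authz program and not Certbot code: it parses the "Received response:" records that Certbot's ACME client writes at DEBUG level, keeps the latest status seen for each authorization URL, and lists the ones still pending. The log text is constructed to mirror that format (authorization ids and domains are placeholders), and it only reads logs; it does not contact the CA or sign anything.

```python
"""List pending ACME authorizations from Certbot debug logs (added example, not clear-authz)."""
import json
import re

# Constructed sample in the shape of certbot's acme.client DEBUG output: each
# "Received response:" record carries an HTTP status, headers, a blank line, then the body.
SAMPLE_LOG = """\
2018-01-11 09:12:01,120:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
2018-01-11 09:12:01,450:DEBUG:acme.client:Received response:
HTTP 201
Location: https://acme-v01.api.letsencrypt.org/acme/authz/CONSTRUCTED-authz-1

{"identifier": {"type": "dns", "value": "www.example.test"}, "status": "pending", "expires": "2018-01-18T09:12:01Z"}
2018-01-11 09:12:02,010:DEBUG:acme.client:Received response:
HTTP 201
Location: https://acme-v01.api.letsencrypt.org/acme/authz/CONSTRUCTED-authz-2

{"identifier": {"type": "dns", "value": "mail.example.test"}, "status": "pending", "expires": "2018-01-18T09:12:02Z"}
2018-01-11 09:14:30,300:DEBUG:acme.client:Received response:
HTTP 200
Location: https://acme-v01.api.letsencrypt.org/acme/authz/CONSTRUCTED-authz-1

{"identifier": {"type": "dns", "value": "www.example.test"}, "status": "invalid", "expires": "2018-01-18T09:12:01Z"}
2018-01-11 09:15:00,000:DEBUG:acme.client:Received response:
HTTP 429

{"type": "urn:acme:error:rateLimited", "detail": "constructed rate-limit body, no Location header"}
"""

RECORD_START = re.compile(r":DEBUG:acme\.client:Received response:$")
AUTHZ_LOCATION = re.compile(r"^Location:\s*(https?://\S+/acme/authz/\S+)\s*$")


def parse_authz_records(log_text):
    """Return {authz_url: {"domain", "status", "expires"}}, keeping the latest status per URL.

    Logs are chronological, so a later record for the same authorization overwrites
    the earlier one (pending -> valid/invalid). Bodies without a Location header
    (errors, certificate responses) are ignored.
    """
    records = {}
    url = None
    for line in log_text.splitlines():
        if RECORD_START.search(line):
            url = None  # a new response starts; forget the previous Location
            continue
        match = AUTHZ_LOCATION.match(line)
        if match:
            url = match.group(1)
            continue
        if url and line.startswith("{"):
            try:
                body = json.loads(line)
            except ValueError:
                continue
            ident = body.get("identifier", {})
            if ident.get("type") == "dns" and "status" in body:
                records[url] = {
                    "domain": ident["value"],
                    "status": body["status"],
                    "expires": body.get("expires"),
                }
            url = None
    return records


def pending_authorizations(log_text):
    """Sorted (authz_url, domain) pairs whose last known status is still 'pending'."""
    return sorted(
        (url, rec["domain"])
        for url, rec in parse_authz_records(log_text).items()
        if rec["status"] == "pending"
    )


if __name__ == "__main__":
    for url, domain in pending_authorizations(SAMPLE_LOG):
        print(domain, url)
```

Run it against the real logs with something like `python3 pending_authz.py < <(cat /var/log/letsencrypt/*)` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. The result is only a local view: an authorization that expired or was completed outside these logs will still show as pending, so treat the list as a hint about how close the account is to the limit, not as the CA's count.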

Hi Guys

Ran this command:

sudo certbot --authenticator webroot --webroot-path --installer nginx -d

and got the following output; could anyone possibly point me in the right direction?

(I am running Ubuntu 16.04.3; I have Discourse installed and did the Mail-in-a-Box install after.)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer nginx
Running pre-hook command: service nginx stop
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for "mydomain.com"
Cleaning up challenges
Running post-hook command: service nginx start
Hook command “service nginx start” returned error code 1
Error output from service:
Job for nginx.service failed because the control process exited with error code. See “systemctl status nginx.service” and “journalctl -xe” for details.

Problem binding to port 80: Could not bind to IPv4 or IPv6.

Following is the output when asking for a new certificate.

Did anyone get the solution? Or is there any other way to install free SSL?

Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in <module>
sys.exit(main())
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 861, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 698, in run
certname, lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 85, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 357, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 318, in obtain_certificate
self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 68, in get_authorizations
self._choose_challenges(domains)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 103, in _choose_challenges
self.authzr[dom].body.combinations)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 374, in gen_challenge_path
return _find_smart_path(challbs, preferences, combinations)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 411, in _find_smart_path
_report_no_chall_path()
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 442, in _report_no_chall_path
raise errors.AuthorizationError(msg)
AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.


Hey guys, does this problem affect Heroku too? I have the problem that Heroku does not issue a certificate, so my app is not available via my domain.

@tobiasfeistmantl It should be working now:

https://status.heroku.com/incidents/1371

Try running heroku certs:auto:refresh and contact Heroku support if it still isn’t working.


I’m using nginx and trying like this:

certbot --authenticator standalone --installer nginx -d mysite.com --pre-hook "service nginx stop" --post-hook "service nginx start"

certbot fails with a TIMEOUT trying to fetch:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mysite.com
    Type: connection
    Detail: Fetching
    http://mysite.com/.well-known/acme-challenge/:
    Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I’ve already read the post on the official forum, but neither method works. It just gets stuck on:

Cleaning up challenges

or giving TIMEOUT ERROR

Is there any way around this yet?
Is there anything outsiders can do to help?

PS: Thanks to all of you for your hard work and I really appreciate you staying on top of the security issues…

What’s the domain in question?

Apologies for my bad English.
What did you mean when asking "What’s the domain in question?"
Probably the real DNS name of the domain?

Yes, exactly.

What’s the real domain? Not “mysite.com”.

Sorry, but for security reasons I can’t post it here.
The domain responds with the real IP to the ping command, and it looks like: subdomain.mysite.com

Domains are more or less all public. IPv4 addresses are all public. Let's Encrypt certificates are all public.

Does it respond to HTTP requests? From the United States?

If it supports IPv6, does that also work?

OK, thanks for your advice, I’ll check this in 6-9 hours and answer. Right now I can’t check this issue.

The domain looks fine and does not have an AAAA record.

What port/address does nginx actually bind to on your server? Can you check:

ss -tlnp | grep nginx

Does issuing right now still give a timeout?

I am serving out of Apache/2.4.25 (Raspbian) on a Raspbian stretch.

Was able to issue certificates before. Now I am also affected by the error in the title.

So I tried, as suggested:

sudo certbot --authenticator standalone --installer apache -d g6.duckdns.org --pre-hook "service apache stop" --post-hook "service apache start"

And got this error:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer apache
    Running pre-hook command: service apache stop
    Hook command "service apache stop" returned error code 5
    Error output from service:
    Failed to stop apache.service: Unit apache.service not loaded.

    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for g6.duckdns.org
    Cleaning up challenges
    Running post-hook command: service apache start
    Hook command "service apache start" returned error code 5
    Error output from service:
    Failed to start apache.service: Unit apache.service not found.

    Problem binding to port 80: Could not bind to IPv4 or IPv6.

Then I tried the other command:

sudo certbot --authenticator webroot --webroot-path /home/www-data/web2py --installer apache -d g6.duckdns.org

and got this error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for g6.duckdns.org
Using the webroot path /home/www-data/web2py for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. g6.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://g6.duckdns.org/.well-known/acme-challenge/VjzhxJbLDUJd_Agaeag7_ZySwj1AOlFcAZf9oDVmmpw: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: g6.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   http://g6.duckdns.org/.well-known/acme-challenge/VjzhxJbLDUJd_Agaeag7_ZySwj1AOlFcAZf9oDVmmpw:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>400 Bad Request</title>
   </head><body>
   <h1>Bad Request</h1"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Being a newbie, I am not sure what to put in --webroot-path, so I just put the path to where the files are served from, which is /home/www-data/web2py.

My setup script used to do this, which worked fine:

certbot --nginx --no-redirect --email=$SSL_EMAIL --agree-tos --no-eff-email -d $i

Now, with this deprecation, it no longer works. Based on the thread I was reading here, I have to do

certbot --authenticator standalone --installer nginx -d $1

But when I do so I get

File “/opt/certbot/src/certbot/plugins/standalone.py”, line 67, in run
raise errors.StandaloneBindError(error, port)
StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

The site is available over normal HTTP, so it should be able to bind correctly.
nginx is running in a Docker container (just as before the deprecation, when getting the certificates worked nicely).

Any ideas?
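The two failure modes in this thread, standalone's "Problem binding to port 80" (the running nginx or apache, or a container forwarding to it, already owns the port) and webroot's "Invalid response from http://…/.well-known/acme-challenge/…" (the `--webroot-path` given is not the directory the web server actually serves for that host), can both be checked before running certbot. The following is an added example, not certbot's code and not from anyone in the thread: `port_is_bindable` tries the same bind the standalone plugin needs, and `webroot_serves_challenges` drops a random token under the candidate webroot and fetches it over HTTP the way the CA would. `run_checks` exercises both against a throwaway local HTTP server standing in for nginx/apache, with a correct docroot and a wrong one (an application directory), so it runs offline; the hostnames, ports and directory names there are constructed.

```python
"""Pre-flight checks for certbot --standalone and --webroot (added example, not certbot code)."""
import os
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_PATH = ".well-known/acme-challenge"


def port_is_bindable(port, host="0.0.0.0"):
    """True if a listener can be bound to host:port now, i.e. certbot --standalone could succeed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:  # EADDRINUSE (web server already there) or EACCES (not root on port 80)
            return False
    return True


def write_probe(webroot):
    """Create a random token file where certbot's webroot plugin would place a challenge."""
    target_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(target_dir, exist_ok=True)
    token = secrets.token_urlsafe(16)
    path = os.path.join(target_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def fetch_probe(base_url, token, timeout=5):
    """Fetch the probe the way the CA would; returns (status, body) and never raises on HTTP errors."""
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_PATH, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 400/404 from the wrong docroot, as in the thread
        return err.code, err.read().decode("utf-8", "replace")


def webroot_serves_challenges(webroot, base_url):
    """True only if a file dropped under webroot comes back unchanged at the challenge URL."""
    token, path = write_probe(webroot)
    try:
        status, body = fetch_probe(base_url, token)
    finally:
        os.remove(path)
    return status == 200 and body.strip() == token


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the stand-in server silent
        pass


def serve_directory(directory):
    """Throwaway HTTP server for `directory` on 127.0.0.1, standing in for nginx/apache."""
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def run_checks():
    """Exercise both checks against a local stand-in; returns the outcomes as a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")  # constructed: what the web server really serves
        app_dir = os.path.join(tmp, "app")     # constructed: an application dir, not the docroot
        os.makedirs(docroot)
        os.makedirs(app_dir)
        server, base_url = serve_directory(docroot)
        try:
            results["right_webroot"] = webroot_serves_challenges(docroot, base_url)
            results["wrong_webroot"] = webroot_serves_challenges(app_dir, base_url)
            # the server owns this port, exactly like nginx owning :80 for standalone
            results["busy_port_bindable"] = port_is_bindable(server.server_address[1], "127.0.0.1")
        finally:
            server.shutdown()
            server.server_close()
    results["free_port_bindable"] = port_is_bindable(0, "127.0.0.1")  # port 0 = any free port
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print("%-20s %s" % (name, ok))
```

Against a real host, call `port_is_bindable(80)` as root before choosing `--standalone`, and `webroot_serves_challenges("/var/www/html", "http://yourdomain.example")` with the candidate `--webroot-path` and the public hostname; a `False` from the second call with a 400 or 404 body is the same symptom the web2py output above shows, and means the directory handed to certbot is not the one the vhost serves.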