Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA


#1

If you are getting this message:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

You need to upgrade your Certbot. Let’s Encrypt permanently disabled the TLS-SNI-01 challenge due to a security report, as of 2018-01-09.

Certbot 0.21.0 was released on 2018-01-17. It adds support for the HTTP-01 challenge to the Apache and Nginx plugins. If you have installed Certbot from your OS package manager (that is, if you use the certbot or letsencrypt commands rather than certbot-auto), version 0.21.0 probably isn’t available yet. You should encourage the Certbot package maintainers for your system to provide a newer version. In the meantime, you can install Certbot through certbot-auto which will automatically install the latest version.

Workarounds for older Certbot versions

If you would prefer to wait until your OS package manager makes the latest Certbot available, and would like to work around the problem in the meantime, developer @bmw provided some helpful instructions, adapted here for convenience.

If you’re serving files for that domain out of a directory on Nginx, you can run the following command:

# Webroot method
sudo certbot --authenticator webroot --installer nginx \
  --webroot-path <path to served directory> -d <domain>

If you’re not serving files out of a directory (for instance if you are using proxy_pass), you can temporarily stop your server while you obtain the certificate and restart it after Certbot has obtained the certificate. This would look like:

# Temporary outage method
sudo certbot --authenticator standalone --installer nginx \
  -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"

These hooks will cause Certbot to automatically stop your server to obtain certificates and then start it again. After running a command like this once, Certbot will remember your settings so certbot renew will work in the future.

If you are using Apache, replace --installer nginx in the above commands with --installer apache.
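As an added illustration (not part of the original post or of Certbot itself), the following POSIX shell helper reads the output of certbot --version, checks whether it is 0.21.0 or later, and otherwise prints the webroot or standalone workaround command described above. The sample version banner, domain and paths are constructed, and the service name used in the hooks is a parameter because it differs between distributions.

```shell
#!/bin/sh
# Added example, not from the original post or from Certbot: decide whether
# the installed Certbot can use HTTP-01 through the apache/nginx plugins
# (0.21.0 or later) and, if not, print the workaround command from the post.

# Extract the version number from a `certbot --version` banner such as
# "certbot 0.19.0" (last word of the first line).
certbot_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Exit 0 when the X.Y.Z version given in $1 is 0.21.0 or later.
supports_http01_installers() {
    printf '%s\n' "$1" | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 >= 21)) exit 0; exit 1 }'
}

# Build the workaround command.  $1: installer plugin (nginx or apache),
# $2: domain, $3: directory the domain is served from, or "" if none
# (e.g. proxy_pass), $4: service name for the stop/start hooks (nginx,
# apache2, httpd; it varies by distribution, so it is a parameter here).
workaround_cmd() {
    if [ -n "$3" ]; then
        printf 'sudo certbot --authenticator webroot --installer %s --webroot-path %s -d %s\n' \
            "$1" "$3" "$2"
    else
        printf 'sudo certbot --authenticator standalone --installer %s -d %s --pre-hook "service %s stop" --post-hook "service %s start"\n' \
            "$1" "$2" "$4" "$4"
    fi
}

# Constructed sample banner; on a real host use: banner=$(certbot --version 2>&1)
banner="certbot 0.19.0"
ver=$(certbot_version "$banner")
if supports_http01_installers "$ver"; then
    echo "certbot $ver can use HTTP-01 with the apache/nginx plugins; no workaround needed."
else
    echo "certbot $ver predates 0.21.0; use one of these in the meantime:"
    workaround_cmd nginx example.com /var/www/example    # files served from a directory
    workaround_cmd nginx example.com "" nginx            # proxy_pass: brief outage
fi
```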


#3

Hi, thanks for the information! Found one little mistake:

Should be


#4

Thanks!!! This was a life saver.


#6

Thanks, it works!!! <3


#7

Same error when I try to run:
certbot --apache certonly

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.


#8

Yes. That tries to use TLS-SNI-01 validation, which is disabled, and then not to configure Apache to install the certificate.

If you want to do the opposite, “certbot --authenticator webroot --installer apache” will work.

What do you need to do?


#9

Around when will the TLS-SNI-01 challenge be re-enabled?


#10

Hi @davidshoda,

Seems a couple of days:

Over the next 48 hours we will be building a list of vulnerable providers and their associated IP addresses. Our tentative plan, once the list is completed, is to re-enable the TLS-SNI-01 challenge type with vulnerable providers blocked from using it.

For more info check this pinned post 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

Cheers,
sahsanu


#11

Same error here with:
certbot-auto renew --standalone --quiet --no-self-upgrade --renew-hook '/path/to/hook.sh'


#12

(Edit: I misread you originally, and rewrote this post.)

“certbot-auto renew” tries to reuse the same settings, including the validation method, that were used when the certificate was originally created.

Do you need to renew your certificate immediately? If the certificate is expiring 29 days from now, it would be easiest to ignore the failure for a few days until the dust settles.

If you need to renew it now, with different options, run the command to issue a new certificate. For example:

certbot-auto --standalone --preferred-challenges http -d example.com -d www.example.com

Edit: To clarify, if you run that, future renewals (starting 60 days from now) will use the new options too.


#13

@mnordhoff: my fault, I misunderstood that --standalone implies the TLS-SNI-01 challenge


#14

Well, it uses TLS-SNI-01 by default, but also supports HTTP-01.


#15

Is there something I did wrong here?

(this is the first cert on this server btw)

sudo certbot --authenticator standalone --installer apache -d cloud.hixfamily.us -d cloud.hixfamilyreunion.com -d www.hixfamily.us -d www.hixfamliyreunion.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer apache
Running pre-hook command: systemctl stop apache2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.hixfamily.us
http-01 challenge for cloud.hixfamilyreunion.com
http-01 challenge for www.hixfamily.us
http-01 challenge for www.hixfamliyreunion.com
Waiting for verification…
Cleaning up challenges
Running post-hook command: systemctl start apache2
Failed authorization procedure. www.hixfamliyreunion.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.hixfamliyreunion.com

I checked each one is going to the apache start page… so DNS is working as expected.

Hope I did not hijack the thread. Let me know and I will move this to a new topic.

Thank you

Edit: I noticed the liy instead of ily … corrected and it ran as expected. Sorry for the confusion.


#16

I assume you meant “family” not “famliy”


#17

yeah…

again… sorry for the confusion


#18

Very timely. That was exactly my problem. I’ll wait.


#19

I appreciate there is a straightforward work around, and I also understand the security vulnerability as well as the importance of maintaining your ability to issue certificates.

However we’ve already deployed certbot with auto renewal across dozens of environments and hundreds of sites – do you recommend we switch everything over now or is there going to be an anticipated fix to restore original functionality?

Thank you for all your work.


#20

A post was split to a new topic: Question about Certbot Apache autoconfiguration


#21

It would be good if TLS-SNI were to be re-enabled at least on staging…