OK, so if I do:
certbot --authenticator webroot --webroot-path /var/www/vhosts/www.mydomain.com --installer apache -d www.mydomain.com
the certificate for that domain (and domain aliases) is re-generated and the authentication will switch from tls-sni-01 to HTTP-01, correct?
…and next time the command:
certbot renew
will get the new setting automatically… correct?
I figured I could wait for SNI to be ready for renewals again, so I didn't stop my renewal cron job.
I just noticed that renewals over SNI should be working.
But unfortunately I have hit a rate limit that I wasn't aware of.
Too many pending authorizations…
My renewals can wait more than a week. But unfortunately I need to get a new certificate.
https://letsencrypt.org/docs/rate-limits/ says I can clear those pending authorizations by following the spec. I have read the "Responding to challenges" part of the spec and it looks like I could use hours figuring out what to send in nonce, keyAuthorization, and signature.
It would be easier if the certbot client could help clear pending authorizations, but the --help all doesn't mention it.
Any helping pointers would be appreciated.
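The keyAuthorization the spec asks for depends only on the challenge token and the account key. As an added illustration (not from the original thread or any of its posters), this stdlib-only Python computes it: the RFC 7638 public RSA key stands in for Certbot's private_key.json (a constructed sample), and the token is the one from the failed webroot attempt quoted later in this thread.

```python
import base64
import hashlib
import json

# Constructed sample account key: the public RSA JWK from RFC 7638 section 3.1.
# Certbot's private_key.json is a JWK of the same shape plus private members.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": ("0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAt"
          "VT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6"
          "4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FD"
          "W2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n9"
          "1CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINH"
          "aQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"),
    "alg": "RS256",
    "kid": "2011-04-29",
}
# Challenge token taken from the failed webroot attempt quoted later in this thread.
SAMPLE_TOKEN = "VjzhxJbLDUJd_Agaeag7_ZySwj1AOlFcAZf9oDVmmpw"

# Only the required public members feed the thumbprint; alg, kid and the
# private members (d, p, q, ...) found in private_key.json are dropped.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the public members as JSON, keys sorted, no whitespace."""
    members = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token '.' thumbprint of the account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_expectation(token: str, account_jwk: dict) -> tuple:
    """(path, exact body) the CA fetches for http-01. Any other body at that
    path, such as an HTML '400 Bad Request' page, fails the authorization."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, account_jwk)


if __name__ == "__main__":
    # For a real account: jwk = json.load(open(".../private_key.json"))
    path, body = http01_expectation(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("GET", path)
    print("expected body:", body)
```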
Same here… as I kept the cronjob for renewal active, it now complains about too many open
Processing /etc/letsencrypt/renewal/www.XXX.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.XXX
tls-sni-01 challenge for www.XXX_SAN1.ch
tls-sni-01 challenge for www.XXX_SAN2.ch
tls-sni-01 challenge for www.XXX_SAN3.ch
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.XXX) from /etc/letsencrypt/renewal/www.XXX.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: www.XXX,…: see https://letsencrypt.org/docs/rate-limits/. Skipping.
Stopped the renew cronjob for the moment… let's hope it recovers in a week
Marc
Hello,
I have written a program that will read Certbot logs and clear pending authorizations (by completing them invalidly), source code here.
You can pipe your Certbot logs into it, and pass your Certbot's private_key.json
file to it.
chmod +x clear-authz
cat /var/log/letsencrypt/* | ./clear-authz $(find /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/ -name private_key.json)
I have uploaded a binary of this program here (sha256sum fa7dc041d8e8f04c229fea8ab1132d7c87fa5bb41460a0d2c77c9833e1568c28) but I strongly recommend you compile it on your own because I'm not taking the blame if your account key gets hacked.
Hi Guys
Ran this command:
sudo certbot --authenticator webroot --webroot-path --installer nginx -d
and got the following output; could anyone possibly point me in the right direction?
(I am running Ubuntu 16.04.3, I have Discourse installed and did the mail in a box install after)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer nginx
Running pre-hook command: service nginx stop
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for "mydomain.com"
Cleaning up challenges
Running post-hook command: service nginx start
Hook command "service nginx start" returned error code 1
Error output from service:
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Following is the output when asking for new certificate.
Did anyone get the solution?
Or any other way to install free SSL?
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 698, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 85, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 68, in get_authorizations
    self._choose_challenges(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 103, in _choose_challenges
    self.authzr[dom].body.combinations)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 374, in gen_challenge_path
    return _find_smart_path(challbs, preferences, combinations)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 411, in _find_smart_path
    _report_no_chall_path()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 442, in _report_no_chall_path
    raise errors.AuthorizationError(msg)
AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Hey guys, does this problem affect Heroku too? I have the problem that Heroku does not issue a certificate, thus my app is not available via my domain.
@tobiasfeistmantl It should be working now:
https://status.heroku.com/incidents/1371
Try running heroku certs:auto:refresh
and contact Heroku support if it still isn't working.
I'm using nginx and trying like this:
certbot --authenticator standalone --installer nginx -d mysite.com --pre-hook "service nginx stop" --post-hook "service nginx start"
certbot fails with a TIMEOUT trying to fetch:
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: mysite.com
Type: connection
Detail: Fetching
http://mysite.com/.well-known/acme-challenge/:
Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I've already read the post on the official forum, but neither of the two methods works. It's just getting stuck on:
Cleaning up challenges
or giving TIMEOUT ERROR
Is there any way around this yet?
Is there anything outsiders can do to help?
PS: Thanks to all of you for your hard work and I really appreciate you staying on top of the security issues…
What's the domain in question?
Apologies for my bad English.
What did you mean when asking "What's the domain in question?"
Probably, what's the real DNS name of the domain?
Sorry, but for security reasons I can't post it here.
The domain responds with a real IP to the ping command. And it looks like: subdomain.mysite.com
Domains are more or less all public. IPv4 addresses are all public. Let's Encrypt certificates are all public.
Does it respond to HTTP requests? From the United States?
If it supports IPv6, does that also work?
OK, thanks for your advice, I'll check this in 6-9 hours and answer. Right now I can't check this issue.
The domain looks fine and does not have an AAAA record.
What port/address does nginx actually bind to on your server? Can you check:
ss -tlnp | grep nginx
Does issuing right now still give a timeout?
I am serving out of Apache/2.4.25 (Raspbian) on a Raspbian stretch.
Was able to issue certificates before. Now I am also affected by the error in the title.
So I tried, as suggested:
sudo certbot --authenticator standalone --installer apache -d g6.duckdns.org --pre-hook "service apache stop" --post-hook "service apache start"
And got this error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer apache
Running pre-hook command: service apache stop
Hook command "service apache stop" returned error code 5
Error output from service:
Failed to stop apache.service: Unit apache.service not loaded.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for g6.duckdns.org
Cleaning up challenges
Running post-hook command: service apache start
Hook command "service apache start" returned error code 5
Error output from service:
Failed to start apache.service: Unit apache.service not found.
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Then I tried the other command
sudo certbot --authenticator webroot --webroot-path /home/www-data/web2py --installer apache -d g6.duckdns.org
and got this error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for g6.duckdns.org
Using the webroot path /home/www-data/web2py for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. g6.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://g6.duckdns.org/.well-known/acme-challenge/VjzhxJbLDUJd_Agaeag7_ZySwj1AOlFcAZf9oDVmmpw: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1"

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: g6.duckdns.org
Type: unauthorized
Detail: Invalid response from http://g6.duckdns.org/.well-known/acme-challenge/VjzhxJbLDUJd_Agaeag7_ZySwj1AOlFcAZf9oDVmmpw: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Being a newbie, I am not sure what to put in the --webroot-path, so I just put the path to where the files are served, which is /home/www-data/web2py
My setup script used to do this, which worked fine:
certbot --nginx --no-redirect --email=$SSL_EMAIL --agree-tos --no-eff-email -d $i
Now, with this deprecation, it no longer works; based on the thread I was reading here I have to do
certbot --authenticator standalone --installer nginx -d $1
But when I do so I get
File "/opt/certbot/src/certbot/plugins/standalone.py", line 67, in run
raise errors.StandaloneBindError(error, port)
StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.
The site is available over normal http, so it should be able to bind correctly
Nginx is running in a Docker container (just as before the deprecation, when getting the certificates worked nicely).
Any ideas?
SOLUTION:
certbot --authenticator webroot -w / --installer nginx --no-redirect --agree-tos --no-eff-email -d $i
This seems to work