[SOLVED] Certbot - Error with specific domain, not with other one - Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Command:
sudo certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /home/wspi3b/cbauth/auth-hook --manual-cleanup-hook /home/wspi3b/cbauth/cleanup-hook -d 'g-dev.nl' -d '*.g-dev.nl' -d 'gestdevelopment.com' -d '*.gestdevelopment.com'

Error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Hi there, total newbie here having a bit of a struggle right now.
I'm trying to set up a wildcard certificate for two domains (or four: two domains and 2 wildcards for those two) using an API so I can auto-renew easily, and for some reason the domain g-dev.nl is giving me a struggle.

But weirdly, *.g-dev.nl, gestdevelopment.com and *.gestdevelopment.com will continue just fine, asking me if I'm okay with my IP being logged and such, the normal stuff.

Also, using that command for all four domains works fine when I use --test-cert: TXT records are appearing in my domain provider and the certificates appear in the output folder, not sure if that is normal or not. (Can I even use those? I assume not since it is a "test certificate".)

I'm not sure why this is happening, but I'm hoping it's a simple mistake on my side.

Got any tips?

UPDATE

I ran the command with the --verbose option and it seems I'm getting "status": "valid" for g-dev.nl and "status": "pending" for the other three. I have no idea what this means, but it shows something is different at least. Maybe the previous certificate is still active? g-dev.nl in the verbose result expires on February first and the other pending three expire on January 28th. What confuses me is why (if it does) a couple of days makes a difference between working and not working.


Hi @massigest

are you sure there was no typo?

You can use dns validation with every combination - normal and wildcard certificate.

And --manual should always work.

So adding one domain shouldn't change something.

'*.gestdevelopment.com''

The two '' - not a typo?


Sorry, it was a typo in my attempt to format the post. I do have some more info in an update which might help solve the case!


Which version of certbot are you using? I'm guessing 0.28.0? Am I correct? :smiley:


That's not a problem and it's not your error message.

If a domain is validated, Letsencrypt caches that result (account key + domain name) and re-uses it max. 30 days. So no re-validation is required -> status valid, not pending.

That error message happens normally, if you use --apache as authenticator with a wildcard certificate, that requires dns validation. --apache (or --nginx) doesn't support dns validation -> that's the error message.


@Osiris yes you are correct! Is there something wrong with that one?


It has a bug that it can't combine multiple challenge types for a new certificate, if there already is a valid challenge for one of the hostnames. In this case, I'm guessing you've validated the certificate for g-dev.nl earlier with the http-01 challenge, which currently is still valid. This is blocking the wildcard cert for all hostnames.

Possible solutions:

  • Upgrade certbot to a newer version, which doesn't have this limitation;
  • Get a certificate without g-dev.nl, so you at least have a wildcard cert for the other hostnames;
  • Wait 7 days until the cached validation using the http-01 challenge for g-dev.nl has expired.
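The diagnosis above can be checked mechanically against what certbot --verbose prints: one authorization object per name, in the RFC 8555 shape. The following is an added example, not code from this thread or from certbot. The authorization objects are constructed to match what the poster reported (g-dev.nl already "valid", the other three "pending", with the stated expiry days; the year and times are assumed), and the function names summarize, cached_with_other_challenge and report are my own.

```python
"""Classify ACME authorizations from certbot --verbose output.

Added example (not from the thread): shows how a cached "valid" http-01
authorization for one name sits beside "pending" dns-01 authorizations for
the others, which is the mix the old certbot 0.28 could not handle.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample, not real certbot output. The shape is the RFC 8555
# authorization object. For a valid (cached) authorization the CA keeps only
# the challenge that was actually validated; wildcard names are carried as
# the base name plus "wildcard": true and can only be proven with dns-01.
SAMPLE_AUTHZ_JSON = json.dumps([
    {"identifier": {"type": "dns", "value": "g-dev.nl"},
     "status": "valid", "expires": "2021-02-01T12:00:00Z",       # year assumed
     "challenges": [{"type": "http-01", "status": "valid"}]},
    {"identifier": {"type": "dns", "value": "g-dev.nl"}, "wildcard": True,
     "status": "pending", "expires": "2021-01-28T12:00:00Z",
     "challenges": [{"type": "dns-01", "status": "pending"}]},
    {"identifier": {"type": "dns", "value": "gestdevelopment.com"},
     "status": "pending", "expires": "2021-01-28T12:00:00Z",
     "challenges": [{"type": "http-01", "status": "pending"},
                    {"type": "dns-01", "status": "pending"},
                    {"type": "tls-alpn-01", "status": "pending"}]},
    {"identifier": {"type": "dns", "value": "gestdevelopment.com"}, "wildcard": True,
     "status": "pending", "expires": "2021-01-28T12:00:00Z",
     "challenges": [{"type": "dns-01", "status": "pending"}]},
])


def authz_name(authz: dict) -> str:
    """Display name of an authorization; re-add the "*." for wildcard entries."""
    base = authz["identifier"]["value"]
    return f"*.{base}" if authz.get("wildcard") else base


def summarize(authz_json: str) -> Dict[str, Tuple[str, List[str], str]]:
    """Map each name to (authorization status, offered challenge types, expiry)."""
    out: Dict[str, Tuple[str, List[str], str]] = {}
    for authz in json.loads(authz_json):
        types = sorted(c["type"] for c in authz["challenges"])
        out[authz_name(authz)] = (authz["status"], types, authz.get("expires", ""))
    return out


def cached_with_other_challenge(authz_json: str, preferred: str = "dns-01") -> List[str]:
    """Names already valid through a challenge type other than `preferred`.

    These come back from the CA's authorization cache: no new challenge is
    offered for them, so a client that insists on one challenge type for the
    whole order has nothing it can satisfy on that name.
    """
    hits = []
    for authz in json.loads(authz_json):
        if authz["status"] != "valid":
            continue
        satisfied_by = {c["type"] for c in authz["challenges"] if c["status"] == "valid"}
        if preferred not in satisfied_by:
            hits.append(authz_name(authz))
    return sorted(hits)


def report(authz_json: str, preferred: str = "dns-01") -> str:
    """One line per name plus a note on names stuck behind a cached authorization."""
    lines = []
    for name, (status, types, expires) in summarize(authz_json).items():
        lines.append(f"{name:26} {status:8} {','.join(types):28} expires {expires}")
    stuck = cached_with_other_challenge(authz_json, preferred)
    if stuck:
        lines.append(f"cached via a challenge type other than {preferred}: {', '.join(stuck)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUTHZ_JSON))
```

Feed it the authorization objects from your own --verbose run instead of the constructed sample: a name listed in the last line is one whose earlier validation is still cached, and the expires field tells you when that cache entry lapses.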

@Osiris well the error is gone and it seems to be running. It's taking a while, but that is normal I assume; I'll go have a cup of tea and mark your answer as the solution when it finishes (I hope so at least, we'll see)!

So thanks a lot! It looks like apt-get update/upgrade didn't seem to have an up-to-date version of certbot, so I looked it up and installed the snap version (1.11). Who knew!

And thank you @JuergenAuer as well for the insight!


That's the currently recommended method of installing certbot anyway, so you're all future-proof now!


Well it worked as expected! Thanks again!

